Compliance with the EU's General Data Protection Regulation (GDPR) is required for online business in Europe. In addition to the GDPR, there are national variations allowed that complicate the GDPR’s mission to harmonise the flow of data across national borders. There are also now important examples of enforcement that show how national regulators are pursuing companies under the GDPR. We’ll start with a review of some of the key parameters of GDPR, discuss national variations and round up with examples of enforcement.
Key Provisions of the GDPR
The goal of the GDPR is to harmonise the protection of personal data and ensure the free flow of personal data, weighing the costs of protecting personal data with individuals’ rights to the protection of that data. The full text of the GDPR is available here.
To Whom and When Does the GDPR Apply?
The GDPR applies throughout the European Economic Area (EEA), which consists of the 27 member nations of the EU plus Iceland, Norway, and Liechtenstein. The GDPR applies to anyone who is physically present in the EEA. They do not need to be a citizen or resident of an EEA state. It also applies to the activities of a business or establishment in the EEA even if the processing occurs outside the EEA (See Recitals 22-25 of the preamble, pp. 4-5).
The GDPR applies to any entity that processes personal data of someone physically present in the EEA or offers products or services to people in the EEA, even if that entity is not in the EEA itself.
Here are some examples concerning the difficulties of determining when the GDPR applies:
- An American company sells something online to an American who is visiting Germany. The American has the product shipped to the B&B they are staying at in Germany. GDPR DOES apply, because the person is physically in the EEA taking delivery in the EEA.
- That same American visiting Germany places an order for delivery to his home in the US. The GDPR does NOT apply because the American company is not making the offer for sale generally in the EEA (they are selling to their American customer) and the product is not being provided within the EEA.
If your business is outside the EEA and you don't want to be caught up in GDPR requirements you should take steps to make sure you do not offer goods or services to entities within the EEA, even inadvertently. Accepting a “ship to” address within the EEA could subject you to all of the requirements in respect of that person.
What Data are Protected?
The GDPR applies to any personal information, which is defined very broadly:
The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.
(Recital 26 in the preamble, p. 5).
In other words, if you’ve made data “anonymous” it must be stripped of information that would let someone figure out who the person was. The GDPR does not apply to deceased persons, although there may be national regulations relating to the personal data of deceased persons.
In addition, there are more stringent protections required for certain special types of personal information, including:
- Racial or ethnic origin
- Physical or mental health
- Political opinions
- Sex life and sexual orientation
- Religious or philosophical beliefs
- Genetic and biometric data
- Trade union membership
The Seven Core Principles of the GDPR
At the heart of the GDPR are seven principles articulated in Article Five (page 35). Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
- Accountability. Organisations are required to demonstrate that they are in compliance with the GDPR by having adequate documentation tracking what data are processed and for what purpose; they must have documented processes and procedures relating to data protection and responding to data breaches; they should have a Data Protection Officer. Organisations not only have to demonstrate compliance to regulators, they also have to be able to show compliance to individuals. Non-compliance can result in fines of €20 million, or 4% of total worldwide annual turnover, whichever is higher. Enforcement is delegated to the Supervisory Authorities of each state. Some states may exact penalties not only against companies or other organisations, but against individuals as well if they are personally responsible for non-compliance.
Complying with the GDPR
Since technology is constantly changing, the regulation does not specify how to protect personal data; it simply states that organisations are to apply “appropriate technical and organisational measures” (see Recital 78 in the preamble of the GDPR, p. 15).
Technical measures could include things such as implementing multi-factor authorisation (MFA) for access to personal data or being careful to use high levels of encryption for all personal data in the organisation’s data center.
Organisation measures could include things such as policies to collect no more personal information than necessary, to minimise processing of such information, to pseudonymise information when possible.
Other National Laws
The GDPR contains approximately 70 “opening clauses” which are subjects where EEA states are free to make additional rules, or to modify or make more specific certain requirements of the GDPR. In general, the GDPR is considered the “superior law” as it is an EU regulation; national laws are supposed to be in accordance with the GDPR, but there are cases where national law can impose a higher privacy requirement than the GDPR.
Accordingly, even though the GDPR was intended to make life easier for companies doing business in Europe by standardising data protection requirements, there is still a good deal of individual variation from country to country that businesses and other organisations must keep track of. A few examples follow.
France passed two laws to implement and extend the GDPR. France had an existing data privacy law, Law n° 78-17 of 6 January 1978 prior to GDPR; Law n° 2018-493 of 20 June 2018 “relating to personal data protection” brought the GDPR provisions into French law. To improve clarity the law was rewritten as Ordinance n° 2018-1125 of 12 December 2018, which took effect on June 1, 2019. France added an implementing decree in 2019. Together these laws are known as the “Revised French DPA".
The new rules strengthened the role of the French Data Protection Authority (CNIL) in supervising data protection. France has set a lower age for “digital majority” than the GDPR standard of 16; in France the age at which minors can give consent for their data to be processed is 15. The French DPA allows the use of biometric data for access to a facility, computer, or application. CNIL also has the authority to introduce additional rules related to sensitive data or data relating to criminal records or offenses.
The Bundesdatenschutzgesetz (BDSG), Germany’s national data privacy law, was updated in 2018 to bring it into compliance with the GDPR. An English translation of the BDSG can be found here.
The applicability of the BDSG is similar to GDPR: you are subject to BDSG if you offer goods or services for sale in Germany, regardless of whether your company or the data processing is in Germany.
The BDSG includes the following provisions among others:
- Processing data for purposes other than for which it was originally intended
- Data processing related to employment
- Data processing related to consumer credit checks and scores
- Limitations on the rights of data subjects
- A requirement to appoint a Data Privacy Officer (DPO) if there are at least 10 persons regularly involved in processing personal data
The Swedish Data Protection Act and the Data Protection Ordinance (DPA) extends the GDPR in areas where it is allowed, similar to how the BDSG in Germany does. The DPA regulates processing of social security numbers and data relating to criminal offenses. In addition, Sweden has passed specific acts that relate to particular sectors – healthcare, education, environment, enterprise, etc. Those offering goods or services online in Sweden should check whether their particular vertical is covered by specific data privacy laws beyond the GDPR and DPA.
Since adoption in 2018, there have been several large penalties imposed under the GDPR. Two of the largest three were fines against British Airways and Google. We’ll discuss those here because British Airways was fined for poor data security practices, while Google was fined for unclear data privacy policies.
In July 2019, The UK’s independent Information Consumer’s Office (ICO) issued a notice fining British Airways (BA) £183.39m (approximately €202m) under the GDPR after BA’s IT systems were hijacked by cybercriminals. In 2018, hackers were able to redirect customers to a false site that harvested the personal data of approximately 500,000 BA customers. British Airways was surprised and disappointed by the penalty from ICO – it claimed that it had been the victim of a “sophisticated, malicious criminal attack” on its website. The ICO said that BA’s poor security practices were to blame. The penalty was above and beyond the substantial costs BA had already incurred in responding to the breach, and the public relations disaster that obviously occurred. The fine was 1.5% of BA’s total sales in 2017; the GDPR allows for penalties of up to 4%.
Google didn’t have to get hacked to be hit with a substantial fine (€50 million) for failing to comply with the GDPR. The fine, handed down by France’s Commission Nationale de l’Informatique et des Libertés (CNIL), in January 2019 was for failing to provide users with transparent and understandable information related to the way Google uses their data. France’s top administrative court, the Conseil d’État (Council of State) not only upheld the fine, it confirmed that CNIL was correct in imposing the fine despite the fact that Google’s European operations are headquartered in Dublin.
The GDPR was intended to make life easier for businesses and other organisations operating in the EEA by standardising data privacy requirements throughout the region. It has certainly helped, because there is much that is common now. However, each country still has its own national data privacy laws which in some cases are local implementations of GDPR provisions, while in other cases superimpose additional, stricter, requirements for certain types of data. Organisations that collect the personal data of people physically in the EEA need to be aware of the different national laws to which they may be subject.
Finally, a note on how you can use this article. This article is not to be considered legal advice and is not a substitute for advice from qualified legal counsel. Material aspects of the discussions in this article may change at any time and without further notice.