LifeLock learned this lesson the hard way when
How do the privacy laws of other countries apply to US companies? Time will tell, as the new EU General Data Protection Regulation comes into force in May next year.
What will happen next May?
Beginning in May 2018, a significant change to individual privacy rights will come into effect. The EU GDPR replaces the European Data Protection Directive 95/46/EC, also known as the "European Data Directive". It is designed to standardize European data privacy laws and guarantee the privacy rights of European citizens.
EU regulations are based on the idea that privacy is a fundamental right of the individual, not a commodity to be bought and sold by corporations.
Many US-based organizations have not heard of the GDPR or think it applies only to organizations based in the EU. The GDPR, however, applies to all organizations that offer goods or services to relevant EU persons or monitor their behavior, regardless of where the company is located.
If an organization offers goods or services to EU citizens or processes their personal data, it will probably be subject to these regulations.
US companies have two main concerns: applicability and enforcement. It is clear that large multinational companies will have to comply, but what about small and medium-sized enterprises that do not know if their customers are EU residents?
Presumably, if the small or medium-sized enterprise does not actively "offer goods or services, or monitor the behavior of data subjects in the EU", it will not need to comply with the GDPR.
The question, however, is whether a cost-benefit analysis shows that it is better to comply with the potentially expensive GDPR just in case, or to accept the risk.
What about the cloud?
Cloud service providers, which can store data anywhere in the world, are not exempt from the GDPR. It is therefore important for all companies to consider how the GDPR could affect them.
What about enforcement? After applicability, the most frequently asked questions relate to enforcement of the law. How will the EU enforce the GDPR against US companies?
Again, for the multinationals present in the EU, enforcement actions can be taken against the assets of the company that are held there. However, the EU will not have the same enforcement mechanism for small and medium businesses that do not have a real presence in the region.
Under the current EU Data Directive, which the GDPR will replace, there has been little or no enforcement even against the large multinational entities physically present in the EU.
To address the physical-presence issue, the GDPR requires organizations subject to the regulation to designate an EU-based representative responsible for ensuring compliance.
EU right of access
The right of access allows data subjects to determine whether a data controller holds their personal data, why it holds that data, and what the data processor will do with it. The scope of "personal data" is broader than many organizations outside the EU may realize. It includes "… any information relating to a natural person or 'data subject' that can be used to identify the person directly or indirectly."
This means that any organization that holds or processes any item on this expansive list of personal identifiers must be prepared to accept and process access requests.
In addition, after determining that a data controller holds data on the subject, the subject has the right to ask for the retention period, the recipients of the data, and the deletion of the data. This last option is usually called "the right to be forgotten".
EU right to be forgotten
The right to be forgotten gives individuals (or data subjects) the right to request that their personal data be removed from a data controller, and obliges the data controller to delete this data "without undue delay".
This right is not unlimited, however. The GDPR balances it against freedom of expression, legal obligations and the public interest (e.g., public health). For many data processing companies, though, these exclusions will not apply.
Conclusion: better prepare
Failure to comply with the GDPR could be very costly.
While penalties follow a tiered structure depending on the severity of the offense, organizations may be ordered to pay up to 4% of annual revenue or $20 million for failing to protect the rights and data of data subjects.
Peter Vogel has been a columnist for the ECT News Network since 2010. He is mainly interested in technology and law. Vogel is a partner at Gardere Wynne Sewell and chair of its Internet, eCommerce & Technology team. He tries lawsuits and negotiates contracts dealing with computers and the Internet. Before practicing law, he received a master's degree in computer science and was a mainframe programmer. His blog covers computer and Internet topics.
Eric Levy has been a columnist for the ECT News Network since 2017. He focuses on compliance, privacy and data security. Levy is a senior lawyer at Gardere Wynne Sewell, where he assists clients with HIPAA, FERPA and Gramm-Leach-Bliley compliance, and with intrusion and data breach responses.
Eddie Block has been a columnist for the ECT News Network since 2017. His main focus is information security and data privacy. Block is a senior attorney at Gardere Wynne Sewell. Prior to practicing law, he spent 20 years as an information security professional in a variety of roles, from network security management to chief information security officer for the State of Texas. His blog covers information security and data protection.