New Data Privacy Rules in Europe And Their Effect on U.S. Companies
There are dates in modern history — good or bad — that billions of people on this planet remember. Think of the first landing of American astronauts on the moon on July 20, 1969, the assassination of President John F. Kennedy in Dallas on November 22, 1963 or, more recently, the tragic 9/11 event in 2001, as well as the Y2K (Millennium) Bug hype on December 31, 2000.
May 25, 2018 does not quite play in the same top league of historic moments, but it marks the date when the new EU General Data Protection Regulation (“GDPR”) came into force in the 28 EU Member States plus the associated countries of the European Economic Area (“EEA”, comprising Iceland, Liechtenstein and Norway + Switzerland).
First and foremost, European consumers have been swamped by tons of e-mails and requests from companies and other entities asking for their explicit consent that these entities were permitted to continue using the consumers' personal data. Moreover, at B2B level, companies that retained e.g. external data processing and cloud services entered into complex new contractual arrangements with such external service partners, struggling to be compliant with the brand new and complex set of GDPR rules.
What is it all About — in a Nutshell
The GDPR deals with the protection of personal data (and will soon be complemented by another European set of laws covering the exchange of other data at B2B level relating to the internet of things, AI, automation, robotics, etc.). EU regulations become immediately effective in the EU and EEA geographic zone without the need to transpose such rules into national laws.
Consumer protection associations and many European politicians celebrated the coming into force of the GDPR as one of the biggest achievements of the Common Single Market ever, since it provides — at least in theory — a uniform standard of privacy protection for European consumers in most parts of Europe, defining much stricter standards in this area than had been the case before.
Contrary thereto, numerous industry & trade associations heavily criticized the new EU law, some even calling it monstrous with its 99 articles (the complete text of the Regulation can be found at https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=celex:32016R0679).
The fact is that the contents of the GDPR remain in many respects vague and do not provide sufficient practical and precise guidance on what is required to be compliant. The over-arching governing principle is that ANY use and storage of personal data of individuals by commercial operators (from name, age, addresses, gender, etc. up to e-mail and computer IP addresses, car number plates, etc.) mandatorily requires the explicit consent of the person concerned. Under the new law it is no longer sufficient to ask a consumer to object to an intended use by e.g. checking a certain box on the website (the so-called opt-out mechanism); further, individuals must be told by the intended user of such data for which purposes the data will be used, the scope of the data, how long they will be stored, etc. Consumers and institutions are empowered to request from each and any user of personal data specific itemized information on which personal data are stored about a person, and can also request their deletion.
Undoubtedly the GDPR causes a much higher administrative burden at company level, and the question must be allowed whether the Brussels authorities did not (once again….) overstretch their legislative powers, substantially increasing the amount of red tape and hence making business life even harder, in particular for SMEs.
The EU Commission and Parliament were targeting Amazon, Google, Facebook & Co., but have actually hit the many small and medium-sized players. In particular those companies and brands that handle large volumes of personal consumer data, like the ones producing wearables and collecting data ranging from physical fitness up to personal health data, are most affected. These types of commercial players quite frequently face major difficulties in localizing, documenting and structuring their vast portfolio of data, in obtaining a GDPR-compliant declaration of consent from all users and customers, and in meeting the rigid deletion requirements of the new EU law. Individual data are in many cases spread in a highly fragmented manner across numerous departments, involving many staff members and external service providers, and may cover the whole supply chain plus the distribution of sporting goods, including e.g. production, suppliers, business intelligence, marketing, customer relationship management and so on. The task of localizing these data alone is already very cumbersome and sometimes also quite costly, not to mention documenting them and having them readily available if individuals (including the employees of a European company) come knocking at the door to learn which data are stored about them. From a purely strict legal point of view, one would even need e.g. to obtain the explicit (and subsequently provable) consent of a person handing over a business card at a trade fair in order to store and process the individual data shown on that business card (!!). Needless to say, in real life this of course goes far too far.
The European media have been primarily focusing, prior to May 25 and thereafter, on the draconian fines that EU and national authorities are empowered to impose on any violators of the GDPR provisions. These fines amount to up to 4% of the annual global turnover or up to 20 million EUR. Many journalists did however neglect the danger that such a law could create a new ‘industry’ of cease & desist letter senders asking for damage compensation, lawyers’ fees, etc. by systematically crawling through the websites of commercial operators to detect non-compliant elements on such pages. To date, i.e. in the month of August 2018 and approx. three months after the GDPR became effective, no big ‘hurricane’ has hit the industry to my best knowledge. Yet the concerns that something like that could happen had been so big that some companies decided to shut down their websites to avoid being exposed to such risks — a reaction which, in my personal view, is certainly very much exaggerated. Further, it is much too early right now to send the all-clear message. The German government, e.g., is right now contemplating creating a new set of legal rules to prevent a misuse of the GDPR rules by a ‘cease and desist’ industry as a new cash cow to generate additional revenues.
It is anyway fair to say that the new EU law, which for the very first time can now be combined with a kind of collective class court action by consumers, NGOs, lawyers and other entities — unheard of so far in Continental Europe — has, from a risk management point of view, undoubtedly increased the exposure of companies (ranging from one-man operations up to global players generating billions of USD in annual turnover) to being caught by these new legal provisions, also in the sporting goods sector.
What Do American Companies Have to Do with the GDPR?
You may mistakenly believe that Europe is quite far away from the U.S., that you may only be attending European trade fairs such as ISPO or FIBO, and that your company is therefore not affected by such laws. This is definitely wrong, since any commercial operator who does business with European companies, shows products on websites aimed also at European customers, etc., is caught by the GDPR and needs to be compliant with this Regulation.
You are therefore advised not to neglect such legal requirements entirely, but to be more cautious than in the past when handling personal data of actual and potential European customers, European employees, service providers, etc., in order not to run into any problems.
On the other hand, just stay calm and do not overreact — the globe is still turning even after this magic date of May 25, and I personally believe there are more pressing issues around nowadays that we are all dealing with and challenged by than those raised by the GDPR law…