William G. Scarborough
William G. Scarborough is vice president and general counsel at the Project Management Institute, Inc., in Newtown Square, Pennsylvania.
Associations that interact with residents of the European Union have a new set of rules and regulations to meet when handling those individuals' personal data. Here's a view of how the legal landscape has shifted and what associations should be doing now to comply.
Data protection laws in the European Union forbid personal data of EU residents from being transferred to or processed in parts of the world that do not provide "adequate" privacy protection, as defined by EU laws. Until recently, an agreement between the U.S. and EU, called the Safe Harbor, allowed U.S. organizations to self-certify that they had taken the necessary steps to be compatible with EU law and to transfer and maintain such data from the EU. Under this agreement, organizations could avoid seeking permission for each new type of transfer.
Then along came Edward Snowden, who, in 2013, revealed details about a surveillance program called PRISM operated by the National Security Agency, alleging that NSA had gained access to data about Europeans and other foreign citizens stored by U.S. tech giants. Privacy campaigner Max Schrems asked the Irish Data Protection Commissioner to audit what material Facebook might be passing on. The watchdog declined, saying the transfers were covered by the Safe Harbor. When Schrems contested that decision, the matter was referred to the Court of Justice of the European Union, which in October 2015 invalidated the Commission decision underlying the Safe Harbor, holding that the framework did not ensure adequate protection.
For associations engaging with members and other stakeholders in Europe, these events raised significant questions about how a U.S. organization can legally transfer and maintain data regarding European residents on its servers in the United States without risking sanctions and fines from EU regulators or from the 28 different data protection authorities in the EU member countries, including the UK for the time being.
In July 2016, the EU and U.S. agreed to a new pact to replace the Safe Harbor and maintain a feasible way for organizations to transfer data across the Atlantic. This new framework is known as the Privacy Shield. Key points of the agreement are:
Critics have questioned the adequacy of the new Privacy Shield and whether it is any more thorough in protecting data than the discredited Safe Harbor framework. Recently, EU regulators announced that they will not challenge the Privacy Shield until its first annual review, which is due next summer.
After the year is up, the relevant data protection authorities will either approve the Privacy Shield framework as it currently exists, suggest changes, or file legal objections. Given the criticism expressed to date of the new agreement, it seems unlikely that blanket approval will be achieved. This means that organizations will need to begin planning to comply with the Privacy Shield while retaining the flexibility needed to adapt to any changes that may come from further review.
Confusion about exactly what rules U.S. organizations will need to follow to process and transfer data regarding European residents does not stop there. Since the mid-1990s, the EU has been operating under a Data Protection Directive. EU directives do not apply automatically to the member states and must be incorporated into the laws of each state. This resulted in a patchwork of similar, but not identical (and sometimes inconsistent), privacy requirements in EU member countries. Moreover, given the technological changes that have occurred over the last 20 years that affect how people use data, the directive did not address all current data protection issues.
At the same time that the Safe Harbor was being challenged and the Privacy Shield was being developed, the European Parliament and Council were completing a four-year process of curing the shortcomings of the EU directive. The result is the General Data Protection Regulation (GDPR), which entered into force on May 24, 2016. It replaces the directive when it becomes applicable on May 25, 2018, after a two-year transition period; enforcement will not begin before that date. The purpose of the GDPR is to harmonize data protection laws throughout the EU, to update them to deal with current data protection issues, and to apply the new rules broadly to organizations outside the EU.
The GDPR is broad and applies to a wide variety of organizations, and penalties for noncompliance can be significant. Unlike the Privacy Shield, the GDPR is not limited to addressing transfers of data between entities in the EU and other countries. Rather, it applies to any organization, wherever it is established, that controls or processes personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior, even if the organization has no physical presence in the EU.
For example, Association X is located in the U.S., and its website and servers are all located in the U.S. Association X is selling books and memberships, which are available to European residents to purchase with a credit card on the association's website. Association X would be subject to the GDPR.
The sanctions for failing to comply can be significant. The GDPR allows data protection authorities to issue fines for serious infringements of up to 20 million euros or 4 percent of the organization's total worldwide annual turnover for the preceding financial year (an accounting term that typically means gross sales minus any discounts and sales taxes), whichever is greater.
The GDPR imposes a number of new requirements on organizations processing data of EU residents. It sets out data protection principles and lawful bases that govern when an organization is permitted to process personal data; processing that does not satisfy them is unlawful. The individual the data is about is called the "data subject" in GDPR terms. Among the principles and requirements stated in the GDPR are the following:
Data subject consent. The GDPR calls for consent to be given by a clear, affirmative act that is freely given, specific, informed, and unambiguous, such as a written statement, including by electronic means, or an oral statement. Silence, inactivity, or "opt-out" mechanisms on a website do not meet this requirement, and neither does a pre-checked box. Consent could be given by checking a box that has not been pre-checked, or by making a statement or taking an action that clearly indicates consent. With respect to direct marketing activities, the GDPR explicitly gives data subjects "the right to object at any time to processing of personal data concerning him or her for such marketing."
Expanded rights. The GDPR provides data subjects with several new and expanded rights. They have a right to obtain information about the processing of their personal data, and a copy of that data, in a timely manner and generally free of charge. They have an expanded right to object to certain processing of their personal data and the right to have inaccurate personal data corrected. Data subjects also have the right to receive their personal data, or have it transferred to another party, in a structured, commonly used, and machine-readable format. They also have the right to have their data erased (the "right to be forgotten") under certain conditions.
Privacy notices. In addition to common disclosures, such as the identity of the data controller, the purposes of the data processing, and the categories of data recipients, the GDPR requires disclosures that may be new to some. These include the retention period of the data (or the criteria used to determine it); contact details for the data protection officer, where one is required; the right to lodge a complaint with a supervisory authority; and information regarding possible data transfers to other countries or international organizations. Finally, the organization is required to give notice of a personal data breach. The supervisory authority must be notified without undue delay and, where feasible, within 72 hours of the organization becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Affected data subjects must be notified without undue delay when the breach is likely to result in a high risk to them.
Cross-border data transfers. Like the old directive, the GDPR permits cross-border data transfers from the EU to countries outside the European Union where the European Commission has decided that the destination ensures an "adequate" level of protection. Transfers may also rely on appropriate safeguards, such as standard contractual clauses or binding corporate rules, or on narrow derogations such as the data subject's explicit consent. The Commission's Privacy Shield decision treats transfers to U.S. organizations that have certified under the framework as adequately protected. However, the requirements for adequacy in the GDPR are broader than under the directive, so a final determination of whether the Privacy Shield continues to satisfy them must await future scrutiny of the framework.
Given the current changes in the data transfer rules in the EU, organizations must begin to analyze their ability to comply with both the new GDPR and the Privacy Shield. Although the GDPR does not become applicable for almost two years, organizations need to analyze their current data privacy processes now and determine what they need to do to be compliant by May 2018. At a minimum, organizations should begin auditing their existing privacy policies and processes against the requirements of the GDPR and the Privacy Shield to determine what gaps exist.