by Susan Kristoph
with Dan Hubbard
& Roberto Rossi Mar 29, 2018
-- TECH COMPLIANCE --
MAY 25, 2018: ARE YOU READY FOR GDPR? YOU SHOULD BE!
"The GDPR is a set of foreign regulations, promulgated pursuant to foreign laws, that seeks to regulate U.S.-based businesses by directing them to do things not required under U.S. law, and by directing them not to do things permissible under U.S. law; and, the GDPR very likely applies to your U.S.-based business."
There are over 20,000 online news articles, blog posts, and marketing pitches about the European Union’s General Data Protection Regulation (“GDPR”), which takes effect on May 25, 2018, written between December 2017 and today. I’ve read, or been given notes by others on, a bit over 1,000 of them.
We’ve been preparing some of our clients for GDPR for a couple of years now, but recently we’ve been in direct conversation with the Information Commissioner’s Office (“ICO”, the UK’s lead agency on privacy and information matters), numerous members of the U.S. Congress and U.S. state legislatures, industry “experts” on EU privacy legislation and civil/criminal actions, Trunomi (a GDPR consent-management vendor), and of course finance experts and several credit companies.
The reason we’ve been having these conversations is that as the May 25, 2018, deadline draws nearer, confusion in the U.S. over the scope and applicability of the GDPR to U.S.-based businesses grows, and so does confusion over the finer points: what constitutes compliance or non-compliance, precisely how the GDPR impacts U.S.-based business, and just how much money a U.S.-based business should be expected to invest to “comply” with a foreign law.
The confusion, together with the fact that most businesses tend to wait on compliance investments, is what has led to those 20K+ articles, blogs, etc. And sadly, for the most part, they all read ‘GDPR applies to your U.S. business, you should prepare’, or words to that effect. That’s just not enough info!
Here’s the full-truth components that are missing:
1) The GDPR is a set of foreign regulations, promulgated pursuant to foreign laws, that seeks in-part to regulate U.S.-based businesses by directing them to do things not required under U.S. law, and by directing them not to do things permissible under U.S. law; and,
2) The GDPR may apply to your U.S.-based business, but it may very well not, even if the EU says so, and more to the point, it may not matter whether it does or not -- you might have no choice but to comply.
If you own or run a business with a European footprint, you already know GDPR applies to you, and so this blog mostly doesn’t. But if you own or run a U.S.-based business, ANY BUSINESS, you need to keep reading.
So, what is GDPR?
1) It’s an EU regulation (Regulation (EU) 2016/679) designed to protect the personal data of natural persons who are in the EU. Note that the trigger is the data subject’s presence in the Union, not citizenship or passport: a U.S. citizen living in Paris is covered, while an EU citizen living in Ohio and dealing with a U.S. business generally is not (see Article 3, quoted below).
2) It directs the practices of businesses that deal with people in the EU regarding the collection, transmission, storage, and use of information about them, whether or not any financial transaction has occurred;
3) And as written, it is intended to apply to any business, anywhere (including the U.S.), that does anything in #2 above.
The full text of the GDPR is published in the Official Journal of the EU and can be read on EUR-Lex, the EU’s official law portal. The frequently cited www.eugdpr.org is a privately run portal, not an EU governmental site.
But for ease of reading, we’ll be referencing/citing a commercial resource for the GDPR here: www.gdpr-info.eu/. NOTE: this is a website for a business, not an EU governmental org. Article 3 (territorial scope) reads:
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union [EU] or not [like in the U.S.].
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
the monitoring of their behaviour as far as their behaviour takes place within the Union.
This Regulation applies to the processing of personal data by a controller not established in the Union [like a U.S.-based business], but in a place where Member State law applies by virtue of public international law.”
Let’s quickly go over what a few of those terms mean so we can get through the meat of this blog more easily. The first quotation is the definition itself (Article 4(1)); the three that follow are from the Recitals (30, 26, and 15), which explain how the definition is meant to be read.
“‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical [roughly, “medical”, as in PHI under HIPAA, though the GDPR term is wider], physiological, genetic, mental, economic, cultural or social identity of that natural person.”
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
“To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.”
“In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system.”
That is a very specific definition set, and it is far broader than how we define what we call personally identifiable information (“PII”) in the U.S., or how PII may be used. An IP address or a cookie ID, on its own, is personal data under the GDPR; under most U.S. definitions it is not PII.
Essentially, ‘personal data’ means just about anything about the ‘data subject’ (anyone who is in the EU), and especially any combination of two or more data points that together single a person out. It includes Facebook and other social media profile data, and not just the data subject’s own, but also their friends’, if you can see that data. ‘Personal data’ includes the content and metadata of an email from a data subject to your business. ‘Personal data’ may include submission content from a form on your business website. And ‘personal data’ certainly includes all information resulting from a financial transaction, before and after the fact.
“‘[C]ontroller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.” (‘Recipient’ is a separate defined term in Article 4 and is not a synonym for controller.)
Most businesses are controllers. If you have a website with a form, you are the controller. If you sell something online, you are the controller. If you have a blog that collects certain user data, you are the controller. If you discuss things with anyone on your business’s social media feed, you are the controller. If you receive an email, you are the controller. If you receive a phone call, or just a message, and take down information like a name and call-back number (or that information is collected and stored by an auto-attendant), you are a controller. And if your website is equipped on the back end with an analytics tool like Google Analytics, you are a controller.
“‘[P]rocessor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Your website host is a processor. The owners of third-party services integrated into your web platform (your merchant processor, analytics provider, etc.) are processors when they handle data on your behalf. Facebook and other social media platform operators are processors for the data they handle on your behalf, but because they also decide their own purposes for the data they hold, they are, under the definition above, controllers in their own right as well (in some cases jointly with you).
‘Offering of goods or services’ is a bit more complicated, but for U.S.-based businesses, the indicators (drawn largely from Recital 23) include:
Having a website that targets people in the EU. This would include any site on an EU member state’s country-code TLD, like .fr or .de (and .uk, while the UK remains a member), or a country-specific subdomain or path for an EU country.
“[O]ffering goods or services to such data subjects irrespective of whether connected to a payment.”
This means they don’t have to be actual customers. They can simply follow your blog. The key word is not necessarily ‘offering’ as we might define it, because many industry experts expect this to later be defined by Courts or tribunals as “it was available to, and they used it”.
“[WHERE] it is apparent that the controller or processor envisages (is it likely or even possible?) offering services to data subjects in one or more Member States in the Union.”
If you are in travel, hospitality, foreign investment, or manufacturing of goods consumed in the EU, they mean YOU. If your business advertises anywhere that people in the EU might reasonably seek info, they mean YOU. If your business shows ANY historical contact with people in the EU, they mean YOU.
“[T]he use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language.”
If your website gives multiple language options, they mean YOU. If your merchant permits processing of multiple currencies, they mean YOU.
“[T]he mentioning of customers or users who are in the Union”.
If your website, or any website by your direction, lists an EU customer testimonial, they mean YOU.
For completeness, the same Recital 23 also says that the mere accessibility of your website in the Union, of an email address or other contact details, or the use of a language generally used in your own country is, by itself, insufficient to show such an intention. That is the narrow reading; the broad reading above is the one the experts we spoke to expect to prevail.
But here’s the really frustrating part! None of that matters!
It doesn’t matter if you have no website and nothing exists on the web about your company.
Remember what I wrote above -- we’ve read a ton on GDPR, and then we spoke to over three dozen people ‘in the know’ regarding GDPR.
We did so with the intentional ‘prove us wrong’ attitude that GDPR couldn’t apply to many U.S.-based businesses. We demanded who, what, when, where, why, and how many statistics and scenarios to convince us. And we wanted to know exactly how the EU planned to enforce the GDPR’s provisions on U.S.-based businesses; where are the teeth?
So, this is what we’ve come up with, and I am sad to write that we’re confident.
If you are insured, you’ll be expected to comply;
If you accept credit cards, you’ll be expected to comply;
If you manufacture anything in the supply chain for a product sold in the EU, you’ll be expected to comply;
If you do or have manufactured anything, no matter where it was sold/purchased, and it ends up in the EU, and it’s covered under a sales/service warranty that you recognize internationally, you’ll be expected to comply;
If you lease business/commercial space (store, warehouse, etc.), you’ll be expected to comply; and,
If you provide any health services, you’ll be expected to comply.
And, we’re equally confident that’s not an exhaustive list.
This issue comes down to the international footprint of large corporations that are worried about their own risk. And for the most part it’s insurance, banking, and telecom.
These large corporations have no choice but to comply with the GDPR. They have a European footprint, an actual physical presence in the EU, and as such they are ‘recipients’, ‘processors’, ‘controllers’, or all three every day.
And while how those large corporations do business in the U.S., and how they interact with U.S.-based businesses doesn’t necessarily need to be governed by an EU framework, it’s a big darn framework that they’re investing billions to comply with, and it just makes fiscal sense to use it broadly.
Of course, there’s also the fact that we’re a global community, and between 8 and 10 million EU Nationals and passport holders come to the U.S. each year. This is the part that popped into our heads and made us really think and ask deep questions, and it’s the part we’re told made Visa, Mastercard, and Amex – together with a few banks -- commit internally to forcing all businesses to comply with the GDPR, although not necessarily by May 25, 2018.
Let’s say you’re a U.S.-based business, ANYWHERE, and you sell ANYTHING to a visiting EU national. Once they’re back in the EU, they decide to dispute the credit card charge (this would apply even if it were a case of identity theft). While their activity, and any resulting data, while in the U.S. is not covered under the GDPR, the dispute initiated from within the EU is. The credit card company is ‘collecting’ and ‘processing’ the EU national’s GDPR-covered data with respect to the dispute. As part of the dispute process, whether under the merchant agreement between you and them, or between them and your merchant services company and then you, they must provide you data that is covered under the GDPR. At that point, they have an obligation to ensure you are GDPR compliant before you may receive the data connected to the dispute. In other words, you must be GDPR compliant to accept ‘their’ credit card for payments, because you may be involved in a later dispute over charges.
Similar examples can be made with premises or product liability insurance, telecommunications (web enabled such as VOIP), industry groups (associations), manufacturing, etc.
We call it the ‘six degrees of GDPR’; I love Kevin Bacon.
But one more example, we’re told, is the crux of the decision-making by leaders in banking, finance, and telecom behind the push to make every U.S.-based business comply with the GDPR. You will have to keep reading to get to it!
Ok, so when can an estimated 97% of U.S.-based businesses expect to be told to comply? No one really knows. Implementation will certainly be risk-based. And this is a bit of irony; the very use of data the GDPR is designed to prevent is what those large companies will use to prioritize the compliance push. You see, they collect lots of data on all of us, and they’ll use that data to mitigate risk where it exists.
Visa, for instance, knows what industries process a high volume of credit card purchases from EU Nationals in the U.S., and that’s where they’re starting. Hotels, car rental companies, venues like theme parks, restaurants, and all of those in tiered geographical areas visited the most by EU nationals.
And that credit card data, together with social media data, etc., will be used elsewhere in banking, insurance, and telecom to develop similar usage-profiled data sets to aid implementation in their own sectors.
But we can’t give any sort of reliable timeline for your business. The GDPR is something that stands to impact nearly the entirety of global commerce, and the full scale of its ramifications are just now being addressed by the very experts and law makers that have full purview.
So, what about the teeth?
The GDPR mentions “international law” as a basis for applying the Regulation in only three places: Article 3 (quoted above), Article 4 (definitions, but without any specificity to U.S.-based businesses), and Recital 25, which reads:
“Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union….”
“Is this where I am supposed to believe GDPR gets its 'teeth' that can bite my U.S.-based business?”
As it turns out, no!
It was quite difficult to get anyone to talk to us about this, or at least to dive deep into it with us. No U.S. or EU lawmaker would even broach the subject, and while they suggested they’ve spent a great deal of time thinking about it, no one in the financial or insurance industry cared to opine. And our own Counsel, and a few of our law-school-graduate managers, couldn’t shed enough light on precisely which “international laws” might make sense of GDPR enforcement as it relates to U.S.-based businesses.
Finally, however, we stumbled across a clerk. This clerk works very closely in the world of the GDPR, and shared with us what perhaps should have been obvious on its face (egg on ours, I suppose). This is what this person shared:
“Why would it need to be specified what international laws are envisioned as vehicles to force compliance? If international banks are impacted and must comply, if only Visa [credit card] is impacted and must comply, if only social media giant Facebook is impacted and must comply, then of course they make everyone comply. There never needed to be the ‘teeth’ you’re looking for as would apply to every global business, just those who have the most exposure or could be fined the most monies. You would use the expression the s&%t is heading down the mountain [rolls downhill].”
Yes, we would!
So, let’s add another component to put that into perspective. Earlier I mentioned the definitions in Article 4. There is a pretty BIG issue therein, and it’s at the center of what the ‘clerk’ was getting at: ‘personal data breach’. Data breaches are widely expected to be the trigger for the largest fines under the GDPR.
“‘[P]ersonal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
That definition is not how we categorize things in the U.S. We generally look at it in terms of “events” (industry term), “security incident” (industry term; DHS, SSA, and HHS), “privacy incident” (DHS), and finally “[data] breach” (U.S. Code and SCOTUS).
While some of the GDPR’s definition is consistent with “breach”, most of it is not, and that is a pretty darn expensive prospect. Take “unauthorized” access and “accidental” loss or disclosure; those occur every day across the country, and I can come up with dozens of real-world examples, and so can you. Note that no hacker is required: accidental loss or alteration of personal data, with no attacker involved, meets the definition.
Your run-of-the-mill hacks, more common with each passing day, and plain careless behavior both qualify.
And this is where those large banks, insurance companies, and telecom giants are most concerned – a breach can come from anywhere, at any time. And the information risk is broad, and may in any given situation involve EU Nationals.
The risk is too great not to blanket the entire environment they have exposure in, and that includes any business that accepts a credit card, anywhere. It includes any business that is insured, anywhere. It includes any business that uses social media, anywhere. And, it includes any business that is connected to the world wide web, anywhere.
The entire matter of the GDPR and U.S.-based businesses will evolve. There will be lawsuits; some of our Congressional representatives will rail against the GDPR, while others will support it. But then, that’s the nature of just about all legislative issues that face business.
So what can/should you do?
Read the entire GDPR text. Assess your risk. Ask questions of your merchant account rep, your insurance company, your lessor, and your bank, AND demand written responses. And, we know you might not want to accept this, but you might also want to speak with your Counsel (attorney).
Also, if you do have a web presence, make certain that your webmaster, web company, etc., understands that you are concerned, and that they provide you with written assurances of a risk assessment and of compliance with the GDPR, as necessary.
As a final thought, our learned Clerk tells us this:
“There must be an early test; an example to be made. That will happen. For some time now, students of law at university in the EU are learning how to defend and prosecute the GDPR using possible scenarios, and countrymen are being told how to complain about U.S. companies. There is also a bit of nationalist bravado maybe, call it what you want. But EU regulators speak openly about showing the world that they must respect EU privacy laws, and the EU. It will maybe get very unattractive, quickly, after 25 May.”
In two upcoming blog posts, we’ll consider the possibility that U.S.-based businesses’ First Amendment protections might be threatened by EU influence upon some of the same large multinational corporations that will enable the GDPR’s reach, and whether the GDPR extends the same courtesies to U.S. citizens dealing with EU businesses.