It has been several months now since the European Union’s General Data Protection Regulation (GDPR) became effective on May 25, 2018, and, while the relative calm after the storm evoked feelings similar to the Y2K scare, recent news of the first GDPR enforcement action has made it clear that GDPR isn’t going away. The action puts European politics on center stage, combining both the unprecedented privacy law and the Brexit controversy.
As a reminder, the GDPR is a regulation that harmonizes data protection laws across all EU member states and establishes strict requirements for the collection, processing, and storage of personal data, as well as significant individual privacy rights, including the right to erasure or so-called “right to be forgotten.” Article 3 clearly establishes that the territorial scope of the GDPR reaches organizations outside the EU that offer goods or services to individuals present in the EU. Still, in the run-up to the GDPR, many were left wondering how it would be applied extra-territorially. That question has now begun to be answered.
The UK’s privacy watchdog, the Information Commissioner’s Office (ICO), quietly issued an enforcement notice in July to AggregateIQ Data Services Ltd, a Canadian company that used personal data to send targeted ads to prospective voters on behalf of several pro-Brexit organizations. Although the personal data was collected and used in Brexit campaigning well before the GDPR’s May 2018 effective date, the ICO’s notice cites violations of three of the seven GDPR principles that arise from the company’s mere possession of the personal data – (1) lawfulness, fairness and transparency; (2) purpose limitation; and (3) data minimisation. The full enforcement notice can be viewed on the ICO’s website at https://ico.org.uk/media/2259362/r-letter-ico-to-aiq-060718.pdf.
The fact that the first action targeted an organization outside the EU should put on notice all U.S. organizations collecting EU data. The GDPR, on its face, applies broadly to the processing of personal data by every organization outside the EU that offers goods or services to, or monitors the behavior of, EU-located individuals. Despite the GDPR’s broad language, it is unlikely that European authorities will target organizations whose EU activities are trivial, and, as a practical matter (but not legal), organizations must balance the costs of compliance with the risks of non-compliance. If your organization has taken the “wait and see” approach until now, or has doubts about whether the GDPR applies to it, below is an outline of questions to be used as a guide for determining whether you should be concerned about the GDPR. Positive answers indicate that your organization’s GDPR exposure should be explored further.
QUESTIONS TO GUIDE YOU
- Does your organization have any of the following in the EU:
- Physical operations?
- Corporate affiliates?
- Does your organization offer goods or services to individuals located in the EU (whether for free or for a charge)?
- Does your organization monitor the behavior of individuals located in the EU?
- Does your organization have German, French, Spanish, or other EU-based language versions of its website(s)?
- Does your organization’s website(s) allow EU-located users to create an account?
- Does your organization send emails or text messages to individuals located in the EU?
- Does your organization offer transactions in Euros or other European denominated currency?
- Does your organization have an EU domain, such as .fr, .ie, .uk or .eu?
- Does your organization’s website(s) collect any of the following from individuals located in the EU:
- Identification number?
- Location data?
- IP addresses?
- Cookie identifiers?
- Does your organization’s website(s) utilize digital tracking or profiling of visitors?
- Does your organization possess information about EU located persons collected at any time?
- Does your organization post information regarding EU politics, including direct messages?