TRANSCRIPT
Belgium | China | France | Germany | Italy | Luxembourg | Netherlands | Spain | UK | US (Silicon Valley) | fieldfisher.com
The EU's General Data Protection Regulation (GDPR)
Why should I care? What is it? And how does it affect me?
Laura Berton and Gemma Chubb
Tuesday 6th October 2018
The EU's General Data Protection Regulation (GDPR)
Summary
1. Enforcement Actions, Regulatory Priorities and the Current State
2. GDPR - Back to Basics
3. Business Impact and How to Use it to Your Advantage
1 - Enforcement Actions, Regulatory Priorities and the Current State
Increased Enforcement Powers under GDPR
Enforcement Overview
Previously, fines varied by Member State and were comparatively low (the ICO's maximum fine was 500k GBP).
The GDPR significantly increases the maximum fine to €20 million, or 4% of annual worldwide turnover, whichever is greater.
National data protection supervisory authorities are also expected to coordinate their supervisory and enforcement powers across the Member States, which is likely to lead to a more pronounced enforcement impact and risk for businesses.
Actions by Privacy Advocates
noyb.eu
• On May 25, 2018, noyb.eu submitted a complaint against Facebook, Instagram, WhatsApp and Google alleging “forced consent.”
• Source: noyb, GDPR: noyb.eu filed four complaints over “forced consent” against Google, Instagram, WhatsApp and Facebook (May 25, 2018).
La Quadrature du Net
• Privacy complaint submitted against Google (Gmail, YouTube, and Search), Apple, Facebook, Amazon, and LinkedIn.
• Source: La Quadrature du Net, Dépôt des plaintes collectives contre les GAFAM! (Filing of collective complaints against GAFAM!) (May 28, 2018).
Privacy International
• Using subject access request (SAR) rights, sent letters to Acxiom, Criteo and Quantcast to understand how these companies are handling personal data under the GDPR.
• Source: Privacy International, Privacy International launches campaign to investigate range of data companies that facilitate mass data exploitation, press release (May 25, 2018).
Number of Complaints Received by Supervisory Authorities in the First 40 Days
[Bar chart: complaints received per supervisory authority, with each authority's observation window in parentheses. Authorities shown: Czech Republic (26 days), France (24 days), Greece (34 days), Ireland (32 days), Netherlands (14 days), Poland (37 days), Romania (14 days), Slovenia (25 days). Bar values shown, in the order extracted: 400, 426, 113, 385, 176, 756, 145, 102; the assignment of values to countries is not recoverable from the extracted chart.]
Source: IAPP’s The Privacy Advisor, Cataloging GDPR complaints since May 25 (June 25, 2018)
UK Data Protection Complaints More Than Doubled: Number of Complaints Received Between 25 May and 3 July
[Bar chart: 2,417 complaints in 2017 vs. 6,281 complaints in 2018]
Source: EMW Law LLP, Data Breach Complaints to ICO More than Double on Year-on-Year After GDPR (August 28, 2018)
Regulatory Actions for Pre-GDPR Violations
Facebook / Cambridge Analytica (ICO)
• “Due to the timing of certain incidents in this investigation, civil monetary penalties have to be issued under the previous legislation, the Data Protection Act 1998. The maximum financial penalty in civil cases under former laws is £500,000."
• Source: ICO, Findings, recommendations, and actions from ICO investigation into data analytics in political campaigns (July 10, 2018).
Theodoor Gilissen Bankiers (AP)
• The bank was fined €48,000 for failing to respond in time to a customer’s request to access their data (a subject access request, or SAR).
• Source: Autoriteit Persoonsgegevens, TGB pays penalty payment after not meeting the request for perusal (August 9, 2018).
2 - GDPR - Back to Basics
General Data Protection Regulation
The Basics
The EU Commission presented its proposal in January 2012 as a replacement for the then-current Data Protection Directive 95/46.
The GDPR came into force on May 25, 2018.
It is a regulation, not a directive: its provisions are directly applicable in all Member States from that date, even where no national implementing law exists.
While the objective is to harmonize data protection laws, Member States retain the ability to introduce derogations in certain situations.
Extraterritoriality - Who does it apply to?
A non-EU business must comply with the GDPR if it:
1. Has an establishment in the EU, where personal data is processed in the context of the activities of that establishment, regardless of whether the data is actually processed in the EU;
OR
2. Does not have an establishment in the EU, but its activities relate to offering goods or services to, or monitoring the behavior of, individuals in the EU.
Key Definitions (Art. 4)
“Personal Data”
• “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
“Processing”
• “Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
What is Personal Data?
Examples of personal data a business typically holds:
• Name / address, email address, bank account details
• Household / family members (i.e. third parties), friends, colleagues
• HR records - information on disabilities/absence/maternity & paternity leave etc.
• Support or sales e-mails, texts, phone numbers, recorded calls, letters (content & traffic data)
• Payment and purchase history and other analytics captured in Poynt HQ
• Purchases made, store location
• Consumed media (music, games, apps), including social media
Just because you can’t identify an individual by name, it does not mean that it’s not personal data – anything generated about an individual and linked to a device ID/user name is personal data.
Key players
• Data Processor – processes personal data “on behalf” of the controller
• Data Controller – determines the “purpose and means” of the processing
• Data Subjects – the individuals the personal data is about
Key Data Protection Principles (Art. 5)
• Principles from previous law:
– Lawful, fair and transparent (tell people how you will use their data)
– Purpose limitation (only use data for specified purposes)
– Data minimisation (only collect the data you need for specific purposes)
– Accuracy (keep data accurate and up to date)
– Storage limitation (only keep data for as long as you need it for the specified purpose)
– Integrity and confidentiality (keep it secure)
• New principles of accountability, privacy by design & privacy by default
What should you do now? Useful GDPR Checklist
3 - Business Impact of GDPR
Response to GDPR: Blocking Access
Response to GDPR: EU Subscription
Response to GDPR: European Experience
Source: Express.co.uk, How the EU is blocking your access to legitimate internet news sites (August 13, 2018).
Response to GDPR: European Experience
[Screenshots: USA Today when accessed from the EU vs. USA Today when accessed from outside the EU]
Facebook: GDPR and Cambridge Analytica Fallout
Source: MarketWatch, Facebook stocks drop roughly 20%, loses $120 billion in value after warning that revenue growth will take a hit (July 26, 2018).
Impact on business
B2B
• Being selected, i.e. competitive advantage
• Smoothing deal friction/accelerated closing
• Trust
B2C
• Trust impacting brand/PR
• Increased customer satisfaction
General health
• New uses of data, improving data mapping and data classification
• Better and rationalised processes, including better security
• Know your customers and partners
The Ripple Effect - Global Impact of GDPR
• On June 28, 2018, California passed the California Consumer Privacy Act of 2018 (CCPA), effective January 2020.
• On August 6, 2018, refinements to the CCPA were proposed by the California legislature.
• On August 24, 2018, the CCPA was further amended.
• Brazilian General Data Protection Law (LGPD), effective February 2020.
• India’s Personal Data Protection Bill, 2018 was submitted for consideration to the Ministry of Electronics and Information Technology.
• On July 17, 2018, Japan and the EU successfully concluded negotiations on a reciprocal finding of an adequate level of data protection.
The EU's General Data Protection Regulation (GDPR) - What is it, how does it affect me?
Speakers
Laura Berton, Partner. M: +1 650 276 6039, E: laura.berton@fieldfisher.com
Laura is a European IP & Tech transactions lawyer based full-time in Silicon Valley. Over the past 15 years she has represented a wide array of companies in complex business transactions, innovative technology licensing and other technology-related contracts such as outsourcing, Cloud, SaaS, software development, digital media, e-commerce and data protection. She also often works with GCs, helping them navigate their move into new jurisdictions, smoothing the expansion process and adaptation to local legal practices. She has extensive experience of coordinating and managing foreign counsel and advising on multi-jurisdiction IP and technology projects.
A European lawyer based in Fieldfisher's Silicon Valley office, Gemma practises across both data protection and general employment law. Gemma works closely with international household-name companies based in the US, advising on their global privacy strategies, management of data subject rights requests, data breaches, international data transfers, privacy notices, and handling regulator queries and investigations. Gemma has significant experience in both contentious and non-contentious employment advice. She advises U.S.-headquartered companies on all aspects of employment law, from day-to-day queries and the practical implications of TUPE to performance management issues, discrimination cases, and large-scale redundancy and dismissal processes.