In general, internet commerce transpires on the national and international levels, so data protection is naturally an important concern for private and public agencies alike. The European Union’s remaining members are currently working on another measure to protect data, the “General Data Protection Regulation” (GDPR), set to take effect next year. It differs from the previous Privacy Shield in some respects: it is broader, reaches beyond the European Union, and applies to any individual with even a shred of a connection to the European Union. So, what is the GDPR? What does it require? And what are the consequences for non-compliance?
What is the GDPR?
The GDPR grants the following rights to a data subject (i.e., a user): breach notification; the right to access a copy of personal data free of charge in electronic format; the right to be forgotten; data portability, allowing transmission to another provider; privacy by design for systems; and data protection officers in cases where constant monitoring of data subjects on a large scale may occur, or where special categories of data, such as criminal convictions, are involved.
All of these rights would be granted only to European Union members and to natural persons. However, the duty to ensure those rights are granted is not limited to companies based within the European Union. Instead, it extends to any individual that may conduct business with any person within the European Union. Essentially, this extends liability to any individual or entity that does business with a person within the European Union.
What are the consequences for non-compliance?
Since it can be easy for a business to have an EU-based customer without knowing it, it is important to know the consequences for non-compliance. Unfortunately, they are rather stiff: the regulation provides for a fine of “4% of annual global turnover” up to 20 million Euros. For a United States business, that currently translates to 4% of annual global revenue up to almost 24 million Dollars.
The new regulation has real teeth, as any US-based entity that processes the data of EU-based residents could suffer a massive fine for non-compliance with the rules. As such, compliance is important: retaining personal information (e.g., names, addresses, emails, credit card accounts, social media accounts) or denying a person the ability to download the set of data that the entity holds on them is probably not worth the resulting fine. On a side note, cloud service providers are not exempt.
Comparing this new rule to the Privacy Shield, there was a set of individuals and organizations within the Federal government to help with compliance under the Privacy Shield; nothing comparable has been set up for the GDPR as of yet.
Thankfully, there is time between now and next year’s enforcement date. Entities can therefore review their policies, and the Federal government may set up offices, and associated entities may begin to create compliance guidelines, as they did with the Privacy Shield.
At our law firm, we assist clients with legal issues related to business, consumers, internet and e-commerce transactions. Please contact us to set up an initial consultation.