HARMON CURRAN NONPROFIT LAW BLOG
The EU’s Expansive New Data Privacy Law
When the European Union’s new data privacy law goes into effect on May 25, 2018, some United States-based nonprofits may be surprised to find themselves within its scope. With the General Data Protection Regulation (GDPR), the European Union (EU) is significantly expanding the reach of its data protection regime to cover many organizations not located in EU member countries. While, for organizations already complying with the GDPR’s 1995 predecessor, the GDPR represents a relatively modest set of changes and clarifications, for many American companies and non-profit organizations not previously facing EU regulation, the new law will impose a number of new obligations, backed by robust enforcement mechanisms.
GDPR’s Expanded Scope
The GDPR represents a culmination of the EU’s efforts to protect the data privacy rights of persons in EU member states. Accordingly, the GDPR applies not only to those organizations physically located in or processing data within one or more EU member states, but also to many with no physical presence in the EU that are engaged in the processing of personal data of EU data subjects. Specifically, the GDPR applies to any data processing in relation to “the offering of goods or services” to persons in the EU (“irrespective of whether any payment is required”) or to “the monitoring of their behavior.”
The GDPR defines data processing so broadly as to include almost any interaction with “personal data” of an identifiable natural person in the EU, including the data’s collection, storage, and use. In other words, so long as an organization offers goods or services to, or monitors the behavior of, persons in the EU, the GDPR covers virtually any activity involving personal data of such EU persons. And since the “offering of goods or services” includes services provided free of charge, the data processing activities of many non-profit organizations with European clients, customers, supporters, volunteers, or donors located in the EU will be covered by the GDPR.
For example, an organization with chapters in EU member states would be covered by the GDPR to the extent the organization collects and otherwise processes data relating to its employees, volunteers, supporters, or donors in the EU. However, an organization will not fall within the scope of the GDPR merely because its website is accessible to, and occasionally used by, European users, if the organization’s activities are not in any way geared toward EU member states.
Key Obligations and Requirements
An organization’s obligations under the GDPR depends upon several factors, including, for example: the type(s) of personal data being processed; the legal basis for the data processing; the frequency and scale of the data processing; and the size of the organization. Below is a general overview of the GDPR’s key requirements as they are likely to apply to US-based nonprofit organizations.
- Disclosures to the Data Subject – Data subjects in the EU are entitled to receive certain information each time personal data is obtained from them, including but not limited to the identity of the data controller, the purpose and legal basis of the data processing, anticipated transfers of the data to other entities (such as affiliated organizations) and/or to non-EU countries, and certain rights of the data subject.
- Data Transfers to the United States – The GDPR restricts transfers of personal data of EU data subjects to non-EU countries. Generally, transfers are permitted only to countries that, in the view of EU regulators, ensure an “adequate level of protection” for personal data, and the EU does not consider US law to adequately protect personal data. The US Department of Commerce reached a “Privacy Shield” agreement with the EU, whereby companies under the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) can self-certify compliance with certain principles and thereby satisfy the EU as to the adequacy of protections for data transfers to those companies. However, most US nonprofits are not subject to the investigatory and enforcement powers of the FTC or DOT regulation, so most nonprofits cannot directly rely on the US-EU Privacy Shield. Instead, to transfer personal data to the United States in compliance with the GDPR, nonprofits must adopt certain safeguards or, if those safeguards are not available, obtain the explicit consent of each data subject to the transfer.
- Third Party Contracts – The GDPR identifies a series of stipulations that must be included in contracts between data controllers and processors for data sets including personal data of EU data subjects.
- Data Security – Organizations covered by the GDPR must implement sufficient data security measures to ensure that, “by default,” data processing is limited (in amount of data, period of storage, and number of persons with access to the data) to the extent necessary for the purpose of the processing. The GDPR suggests the use, in appropriate cases, of certain technological measures, such as pseudonymizing, encryption, and data minimization, but does not require any single security measure in all circumstances. The GDPR also imposes notification requirements in the event of a breach of personal data.
- Designated Representative / Data Protection Officer – With limited exceptions, organizations that are not located in the EU but are nevertheless subject to the GDPR must designate a representative in one of the Member States in which the data subjects whose personal data are processed are located. Organizations larger in size or engaged in more extensive processing may also need to appoint a Data Protection Officer to serve as an expert in data protection law and practices and assist the organization in complying with the GDPR.
- No “Grandfather” Clause – Importantly, the GDPR does not “grandfather in” personal data obtained before it goes into effect. To continue processing personal data of EU persons after May 25, 2018, organizations must take the steps necessary to bring those data sets into compliance with the GDPR’s requirements. In most cases, this will require gaining the informed consent of EU data subjects, with appropriate disclosures.
- Penalties & Enforcement – Non-compliance with the GDPR’s requirements can, at least theoretically, result in fines of up to 20 million Euros, though the maximum fines are available only for the most egregious of violations. Individuals who suffer damage as a result of infringement of the GDPR also have a private right of action against the infringing party.
It is important to recognize that, because the GDPR has yet to take effect, there is very little formal guidance, and no actual enforcement history, available to clarify the meaning of many of its provisions or how and to what extent they will be enforced against US nonprofits. It is also important to recognize that, for many US nonprofits, most if not all of their new obligations under the GDPR can be addressed with appropriate disclosures and consent procedures. Our firm is available to assist clients with questions about the law as they prepare for its May 25, 2018 effective date.
This publication is designed to provide accurate and authoritative information about the subject matter covered. It is not distributed with the intent to render legal, accounting, or other professional advice. The services of a competent professional should be sought if legal advice or other expert assistance is required.