The European Union’s General Data Protection Regulation (GDPR) will take effect on May 25, 2018. In short, the GDPR will provide data subjects (i.e., anyone who resides in the EU) with new and enhanced rights over the way in which their personal data is collected, processed and transferred by data controllers and processors (i.e., anyone who possesses or manages data on EU residents). The GDPR demands significant data protection safeguards to be implemented by organizations, regardless of their size or their geographic location. You can read the full text of the GDPR here, as well as our recently published white paper and survey report on the subject here and here.
The goal of the GDPR is quite clear: to protect the privacy rights of EU residents and to ensure that they have a right to be forgotten by any organization that possesses data about them. However, there are some situations in which legal jurisdictions and whose rights should prevail are not yet clear. For example:
- US organizations have an obligation to apply a legal hold on relevant data if they have a reasonable expectation that a legal action may be forthcoming. But what happens if some of the data that a company is obligated to hold includes data on an EU resident that has asked for that data to be expunged?
- Broker-dealers and others under the jurisdiction of FINRA must retain various types of communications, such as communications between registered representatives and their clients. What if a client of that representative ends the relationship, but immediately wants his or her data to be deleted?
- Manufacturers routinely keep customer information in support of warranties that they offer on their products. If a customer in the EU asks that all of their data be forgotten, does that relieve the manufacturer from their obligations to honor the warranty?
- Will governments be permitted to retain data on visitors from the EU, such as the data provided on the embarkation forms that visitors are obligated to complete upon entry to a country, if those visitors ask that the data be deleted?
As with any new regulation there are always unanswered questions, unique situations that had not been contemplated when the regulation was written, and various unintended consequences — the GDPR is no different in that respect. What is different are the consequences of getting things wrong, which can include fines as high as €20 million ($23.7 million), or four percent of an organization’s annual revenue, whichever is higher. For a company with $1 billion in annual revenue, that would be a $40 million fine!
Will the EU impose such large fines shortly after the May 25, 2018 implementation of the GDPR? That’s an open question, but given the EU’s aggressive stance toward companies like Google and Facebook, my guess is that they will seek a test case to let everyone know that they mean business.