The GDPR (the General Data Protection Regulation) became applicable on May 25, 2018[i] and applies “extraterritorially.” Privacy practitioners and EU regulators alike have highlighted the advantages of GDPR compliance for organizations, such as better data management, enhanced protection against cyber-risks, competitive advantages, etc. Many companies share the same positive view. Others see the GDPR as a bugaboo because of the high sanctions it provides.[ii] Some companies wonder whether the GDPR will actually be enforced abroad and whether the payment of sanctions will actually be compelled.
While I don’t particularly like approaching GDPR compliance from the enforcement side, I will say that yes, I believe the GDPR will be enforced in Europe and abroad. My opinion is certainly not isolated. From speeches at conferences and articles by experts, we get the impression that a general consensus exists on this point. The reason is twofold: 1) the DPAs will want to use examples from enforcement to obtain compliance; 2) enforcement abroad is only natural since the European Union wanted the Regulation to be extraterritorial. “If breaches by … [non resident] entities are found to be unenforceable, this could bring into question the credibility of the EU regime.”[iii]
Against which organizations will the sanctions be issued? Difficult to say. Besides the usual suspects (the tech giants), the sense is that there will be more. It is not difficult to guess that the more data of European citizens you process, the more likely you are to end up under the scrutiny of one or more European DPAs, if for no other reason than that the probability of a complaint is higher. And the bigger you are, the more resonance your case will have. But this, of course, is only speculation.
As the legislative history,[iv] the public declarations of the EU bodies,[v] and the whereas clauses of the GDPR itself[vi] clearly show, the GDPR will need to apply extraterritorially to reach its goal.
The extraterritoriality pervades the entire Regulation and is not limited to the much-cited Article 3(2), which provides that the GDPR also applies to organizations without an EU establishment that offer goods or services to individuals in the EU or monitor their behavior.[vii]
How the payment of a sanction can actually be compelled from a nonresident organization is obviously unclear.[viii] As a matter of fact, absent cooperation with foreign authorities,[ix] obtaining payment from a nonresident entity is challenging.
However, the impact of noncompliance is likely to be significant even if the sanctions could not easily be compelled.
First, just as data breaches have been proven to have a long-standing negative impact on businesses[x] regardless of whether consumers are actually able to recover damages or regulators are able to impose sanctions, it would be strange if a penalty of millions of euros imposed on a business by a DPA did not have a negative impact too.
An analysis of the stock of companies that have suffered a data breach shows serious short- and long-term consequences for their share prices.[xi] Derivative actions, securities actions, and directors’ liability actions are natural consequences of a data breach.[xii] It is not hard to foresee that actions of that sort would follow a GDPR violation and the related sanctions, and that as a consequence the stock price and the value of a company will be impacted.
Second, the Regulation aims at establishing a sort of “compliance club” in which participation is compulsory if you want to do business with Europe. In fact, the GDPR applies to processing performed outside of the EU when “the processing of personal data [occurs] in the context of the activities of an establishment of a controller or a processor in the Union” (emphasis added). Companies belonging to groups that have a European establishment may be drawn inside the magic circle of compliance if the groups commingle processes. Whereas clause (22) clarifies that, to be considered as having an establishment, an arrangement of some sort between the EU and the non-EU establishment is needed, but a particular legal form is not required.[xiii] Also, the GDPR applies to organizations not in the Union where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
In addition, the GDPR is forced on non-EU based processors if they want to work for controllers[xiv] that are subject to GDPR compliance. Indeed, Article 28(1) provides:
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. (emphasis added)
Because of the broad definitions of “processor”[xv] and “processing”[xvi], it’s easy to see how any service provider (unless a co-controller) could be a “processor” under Article 28 (from cloud services to online platforms, from email services to online storage, from contract management systems to payment systems, etc.). To work with an organization that is subject to the GDPR, a processor must be GDPR compliant. But the virtuous circle of compliance doesn’t stop here: if the processor wants to use subcontractors,[xvii] the latter need to be GDPR compliant too (Article 28(4)).[xviii] The “domino effect” of Article 28 dramatically enlarges the spectrum of subjects of compliance and forces compliance down the supply chain. Noncompliance can really hurt your business. Probably more than any sanctions could do.
Indeed, market impact might be the most effective way in which the GDPR will be “enforced”.
Third, besides DPAs’ sanctioning power (GDPR Article 83), the Regulation provides for other remedies for noncompliance:
- Affected data subjects can lodge a complaint with a data protection authority (GDPR Article 77);
- Affected data subjects have the right to obtain “an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation” (GDPR Article 79);
- “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered” (Article 82). It is worth noting that the GDPR specifically provides for the possibility to bring actions seeking non-financial damages (“non-material”);[xix]
- While the GDPR does not make data violation a crime, criminal penalties shall be enacted by the EU member states and must be “effective, proportionate and dissuasive”.[xx]
For more information, Francesca Giannoni-Crystal.
[i]Technically the GDPR entered into force 2 years ago, twenty days after its publication. The enforceability, however, was established to start on May 25, 2018.
[ii]Article 83 provides that data protection authorities (DPAs) can issue to controllers and processors “effective, proportionate and dissuasive” administrative fines for infringements of the Regulation. For some violations, the fines will be “up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher” while for other violations “up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”. GDPR Article 83(4), (5) and (6) provide a list of those violations.
[iii]New rules, wider reach: the extra-territorial scope of the GDPR, available at http://www.slaughterandmay.com/media/2535540/new-rules-wider-reach-the-extraterritorial-scope-of-the-gdpr.pdf
[iv]The Ordinary Legislative Process as it relates to Privacy and Data Protection legislation. The European Union Legislative Process, available at https://www.eugdpr.org/the-process.html
[v]In the European Commission’s Press release of December 15, 2015, the EU Commission specifies: “European rules on European soil – companies based outside of Europe will have to apply the same rules when offering services in the EU.” Full text is available at http://europa.eu/rapid/press-release_IP-15-6321_en.htm?locale=en
[vi]“The protection of natural persons in relation to the processing of personal data is a fundamental right” (Whereas 1) “The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.” (Whereas 2) “Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.” (Whereas 6). “Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.” (Whereas 7)
[vii]Some level of targeting would seem required but it is unclear how much targeting is necessary to be under the reach of the GDPR (I have coauthored a blog about the reach of Art. 3, Does the GDPR Apply to My Organization? The “Extraterritoriality” of the New European Data Protection Regulation).
[viii]Analysis: How data breaches affect stock market share prices, available at https://www.comparitech.com/blog/information-security/data-breach-share-price/
Although the powers of DPAs to sanction data protection breaches have been considerably broadened – and the quantum of fines raised to 4% of annual global turnover – there remain significant doubts regarding the enforceability of the regime on businesses established outside the EU. If breaches by such entities are found to be unenforceable, this could bring into question the credibility of the EU regime. See New rules, wider reach: the extra-territorial scope of the GDPR, available at http://www.slaughterandmay.com/media/2535540/new-rules-wider-reach-the-extraterritorial-scope-of-the-gdpr.pdf at 4.
While some parallels may be drawn to enforcement by other regulators against overseas entities, this remains an area fraught with uncertainty. The GDPR requires an extremely limited nexus to the EU in order to apply, increasing the practical difficulties of enforcement.
As a comparable, in the UK financial services sector, UK regulators may have limited enforcement powers where the nexus to the UK is weak (e.g. a breach is committed by a non-UK entity without a place of business in the UK). Even where those powers do exist we would generally expect the UK regulators to seek to co-ordinate with overseas regulators in taking any enforcement action.
For example, where an EEA financial services firm passports its services into the UK, the policy of the Financial Conduct Authority (“FCA”) when exercising its intervention power is to co-operate with the firm’s home state regulator as appropriate. Id. at 4.
[x]“A recent PwC survey found that 90 per cent of chief executive officers globally believe breaches of data privacy and ethics have a negative impact on stakeholder trust”, UK data privacy breach fines soar to over £3m in 2016, available at https://www.independent.co.uk/news/business/news/uk-data-privacy-breach-fines-2016-over-3-million-pwc-a7764846.html
[xii]Wendy’s Settles Data Breach-Related Derivative Lawsuit, available at https://www.dandodiary.com/2018/05/articles/director-and-officer-liability/wendys-settles-data-breach-related-derivative-lawsuit/; EARLY CYBERSECURITY DERIVATIVE ACTIONS MISS TARGET, available at https://gowlingwlg.com/fr/insights-resources/articles/2016/early-cybersecurity-derivative-actions-miss-target
[xiii]Whereas (22) “Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”
[xiv]“Controller” under GDPR Article 4(7) “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data …”
[xv]Under GDPR Article 4(8) “processor” is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
[xvi]Under GDPR Article 4(2) “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
[xvii]GDPR Article 28(2) “The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.”
[xviii]GDPR Article 28(4) “Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.”
[xix]It is worth noting that European courts have allowed actions for data protection violation also where no financial damage was alleged. See U.K. Court of Appeal decision Vidal-Hall -v- Google (Case No: A2/2014/0403). Talking about the action under Article 23 of the 46/1995 Directive, the Court of Appeal noticed “Since what the Directive purports to protect is privacy rather than economic rights, it would be strange if the Directive could not compensate those individuals whose data privacy had been invaded by a data controller so as to cause them emotional distress (but not pecuniary damage)”. Now GDPR Article 82 specifically provides for non-material damages. See also Whereas clauses (75), (83), and (85).
[xx] GDPR Article 84:
1. Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.
2. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.