GDPR: Privacy Rights that Transcend Borders
Who is subject to the GDPR? What constitutes "offering goods or services" or "monitoring behavior" so as to come within the ambit of the GDPR? Recitals 23 and 24 of the GDPR are instructive...
Non-EU organizations will need to consider a number of factors, each of which will be used to determine if they are, indeed, offering goods or services to EU citizens, and thus subject to the GDPR.
The GDPR and the European Court of Justice's (ECJ) prior decisions are instructive. For example, under the GDPR, is the organization making an "apparent" and "intentional" offer of goods or services to EU citizens? Companies that offer goods or services in the language and currency of a member state, that enable EU residents to place orders in that language and currency, and that actively market to European citizens are likely to come within the ambit of the GDPR. Previous ECJ case law is also a useful indicator of how the court has considered these issues (see Weltimmo s. r. o. v. Nemzeti Adatvédelmi és Információszabadság Hatóság, C-230/14, 1 Oct. 2015), and the GDPR makes it clear that simply having a website which is accessible to European citizens is not sufficient. See Recital 23 ("[T]he mere accessibility of [a company's] website in the Union...is insufficient to ascertain such intention[.]").
Monitoring EU citizens' online behavior, e.g., using persistent cookies to track internet usage, profile, or otherwise collect data about a user, particularly if done with the intent to analyze or predict a user's preferences or behavior, will be seen as monitoring EU citizens' behavior and, thus, fall within the scope of the GDPR. See Recital 24.
So what are organizations doing to prepare themselves for the global reach of the GDPR? While a 2017 PwC survey indicated that over half of US multinational corporations planned to make the GDPR their top data protection priority and 77% planned to spend $1 million or more on GDPR, more recent surveys indicate that not enough has been done as the deadline approaches.
According to a December 2017 report produced by Paul Hastings, organizations are probably not prepared. According to the report, over half of companies across the UK and US are not readying themselves for the GDPR; only 43% have an internal task force and only 33% have hired outside consultants to do a gap analysis. More recent reports indicate organizations are faring no better with fewer than two months until the GDPR goes live.
In scope? What do you need to do?
Let's say your organization determines that it, in fact, either offers goods and services to or monitors the online behavior of EU citizens. What next? According to the GDPR, organizations falling within its scope must designate a representative who "shall be established in one of those Member States where the data subjects are and whose personal data are processed in relation to the offering of goods or services to them or whose behavior is monitored." Art. 27; Art. 4 ("data subject" means an "identifiable natural person" with whom the organization interacts). The representative must be established in, i.e., resident in, one of the Member States whose residents the organization interacts with. Art. 27. Organizations need to be aware of the fact that, under the GDPR, the representative may also be subject to enforcement proceedings in the event of non-compliance by the data controller or processor. Art. 27. In this way, the GDPR is trying to ensure that the power afforded to the supervisory authorities can be exercised even against companies that are, geographically at least, outside the EU's jurisdiction.
Visit us here: www.beazley.com