By Natalia Holliday, Editor-in-Chief
The digital age brought the digitization of just about every aspect of our lives into data points, to be analyzed and used by businesses, researchers, and the government to further their respective causes. Our “digital fingerprints” allow entities to predict our behaviors en masse and target us online in ways to optimize beneficial outcomes to those entities. Certainly, this data can be used for respectable purposes – to improve customer relationships, optimize customer experiences, and create extraordinary convenience – but with this new online platform comes incredible vulnerability and opportunity for abuse.
Between 2005 and 2018, the United States saw 9,700 data breaches resulting in the exposure of 1,537,040,000 records.[1] Among the different types of data breach incidents that exist,[2] identity theft is the most common worldwide.[3] These breaches are sometimes monumental in scale. For instance, every single Yahoo account that existed in August of 2013 – all 3 billion of them – fell victim to a breach of names, email addresses, and passwords.[4] In 2011, an “‘illegal and unauthorized’” person stole the names, home and email addresses, birth dates, passwords and usernames of 77 million Sony PlayStation Network users,[5] prompting Sony to pull the PlayStation Network offline for nearly one month.[6] The Facebook/Cambridge Analytica data harvesting scandal showed the world how this extraordinary commodity can even affect the roots of America’s democracy.[7]
In the wake of seemingly endless stories about misuse and breaches of data, the European Union drafted what would become the General Data Protection Regulation (“GDPR”). The GDPR is a comprehensive regulation designed to “harmonize data privacy laws across Europe, protect and empower all EU citizens’ data privacy, [and] reshape the way organizations across the region approach data privacy.”[8] For organizations controlling and processing personally identifiable information (PII) of so-called “data subjects” (“an identified or identifiable natural person”[9]), the GDPR imposes strict rules on such processing.[10]
As a default, processing the personal data of a natural person is illegal unless a legal basis applies.[11] The seven legal bases are: consent, contract, legal obligations, vital interests of the data subject, public interest, and legitimate interests as stated in a related article of the GDPR.[12]
Additionally, the regulation emphasizes certain “principles of data processing” that are meant to guide organizations in proper data processing under the GDPR. The “lawfulness, fairness and transparency” principle dictates that “any information and communication relating to the processing [of personal] data be easily accessible and easy to understand, and that clear and plain language be used.”[13] The “data minimization” and “purpose limitation” principles work together to limit what data is actually processed as well as the purposes of the processing.[14] Other principles include accuracy, storage limitation, integrity and confidentiality, and accountability.[15]
One of the most profound provisions of the regulation is the applicable territorial scope. The GDPR is said to give control back to EU residents[16] by protecting “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”[17] To give this “control” to EU residents, the regulation attaches to the processing of an EU resident’s personal data, no matter the location of the resident, the processing company, or the processing itself.[18]
To illustrate, say an EU resident decides to visit sunny Pensacola, Florida for vacation. She finds a great rate at the Courtyard by Marriott, a company headquartered in Bethesda, Maryland.[19] She books the deal online and enjoys a delightful vacation. Any data Marriott collects in relation to the transaction with the EU resident is subject to the GDPR’s rules, despite the fact that Marriott is headquartered in the United States. Why? Because the GDPR protects EU residents, regardless of location.[20]
When you consider what a company must do to comply with the GDPR, as well as the penalties for failing to comply, the consequences of this extraterritorial scope hit like a tsunami. Among the many obligations of companies under the regulation, some of the major ones include:
- conducting an “information audit” to determine the source of all personal data held and whether it was shared with another;
- implementing a comprehensive data protection management program, which would require an overhaul of internal processes and procedures relating to data management;
- designating a data protection officer and a controller (who is responsible for compliance);
- modifying procedures for obtaining consent to process personal data;
- creating systems to provide copies of processed personal data to the data subject and to erase personal data or restrict their processing; and
- carrying out a “data protection impact assessment” before going forward with “processing that is likely to result in a high risk to the rights and freedoms of [a] natural person.”[21]
Additionally, an organization must implement special safeguards and procedures when it comes to processing the data of children.[22]
The above list is not exhaustive, and the protocols an organization must put into place largely depends upon the organization itself.[23] However, the penalties for failure to comply with the GDPR rules are staggering, enough to terrify a company into maximum compliance.
The fine for “lower level” violations can go up to €10 million or 2% of the company’s global annual revenue measured by the prior financial year, whichever is higher.[24] An “upper level” violation can land an organization with a €20 million fine or 4% of the previous year’s global annual revenue, whichever is higher.[25] France slammed Google with a €50 million fine for failing to comply with the GDPR (by providing inadequate information to consumers about data use and consent policies), which converts to about $57 million.[26] This is a relatively small fine on the GDPR’s penalty scale – Google’s 2018 revenues reached $136.22 billion.[27] A 4% fine would’ve cost the monster company nearly $5.5 billion.
With the global reach of the GDPR, one must wonder just how much this regulation will influence the law of non-EU jurisdictions. Prior to the GDPR’s May 2018 effective date, the United States Federal Communications Commission (“FCC”) attempted a privacy rule to protect consumer data.[28] Similar to the GDPR, the FCC rule gave consumer’s control over their personal data and provided a framework for requirements such as consent, transparency, and “common-sense data breach notification requirements.”[29] However, Congress and President Trump signed a resolution to nullify the rule in 2017.[30]
The FCC rule setback aside, notable leaders in the tech industry, including Apple CEO Tim Cook, have vocalized support for an American version of the GDPR.[31] Similar principles of data minimization, the right to know what data is processed and for what purpose, the right to access and delete processed data, and the right to data security would apply.[32]
Consumer trust in companies and the government to protect personal data is sunk, but consumers expect both the government and companies to do more.[33] So although the 2016 FCC rule went down with the Trump administration, it may be the case that the GDPR becomes a model for non-EU jurisdictions to further the cybersecurity interests of their constituents. One might argue that since non-EU companies are already working on compliance, it would be an easy transition. Maybe you’ve already noticed the upswing in consent boxes on websites requesting permission to collect data or, like many, received those “Our privacy policy has changed” emails from various organizations and companies with online operations. Indeed, perhaps it’s the case that all it took was the GDPR to set the world’s businesses on the right track toward respect for consumer data. As the global effects of the GDPR play out, we’ll see whether non-EU legal systems are compelled to make a similar move.
Sources
[1] Statista, Cyber crime: number of breaches and records exposed 2005-2008, Statista.com, https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/ (last visited April 10, 2019).
[2] Statista, Share of global data breaches H1 2018, by type, Statista.com, https://www.statista.com/statistics/329593/frequency-share-incident-classifiaction-patterns/ (last visited April 10, 2019).
[3] Id.
[4] Selena Larson, Every single Yahoo account was hacked – 3 billion in all, CNN Bus. (Oct. 4, 2017, 6:36 AM EDT), https://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html.
[5] Liana B. Baker and Jim Finkle, Sony PlayStation suffers massive data breach, Reuters (April 26, 2011, 8:56 PM),
https://www.reuters.com/article/us-sony-stoldendata/sony-playstation-suffers-massive-data-breach-idUSTRE73P6WB20110427; Tom Phillips, Five years ago today, Sony admitted the great PSN hack, Eurogamer (April 26, 2016), https://www.eurogamer.net/articles/2016-04-26-sony-admitted-the-great-psn-hack-five-years-ago-today.
[6] John Gaudiosi, Why Sony didn’t learn from its 2011 hack, Fortune (Dec. 24, 2014), http://fortune.com/2014/12/24/why-sony-didnt-learn-from-its-2011-hack/.
[7] Carole Cadwalladr and Emma Graham-Harrison, Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach, The Guardian (March 17, 2018, 6:03 PM EDT), https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election.
[8] Trunomi and Commvault, EU GDPR – Information Portal, EUGDPR.org https://eugdpr.org/ (last visited April 10, 2019).
[9] GDPR, Ch. 1, Art. 4(1).
[10] Kris Lahiri, What Is General Data Protection Regulation?, Forbes (Feb. 14, 2018, 1:21 PM), https://www.forbes.com/sites/quora/2018/02/14/what-is-general-data-protection-regulation/#3b97dbd862dd.
[11] GDPR Consent, Intersoft Consulting, https://gdpr-info.eu/issues/consent/ (last visited April 10, 2019).
[13] Recital 39: Principles of data processing, Intersoft Consulting, https://gdpr-info.eu/recitals/no-39/ (last visited April 10, 2019).
[14] GDPR, Ch. 2, Art. 5.
[17] GDPR, Ch. 1 Art. 1(2).
[18] GDPR, Ch. 1 Art. 3.
[19] Corporate Overview, Marriott, https://marriott.gcs-web.com/corporate-overview (last visited April 10, 2019).
[20] GDPR, supra note 19.
[21] The Overview of 15 GDPR Compliance Obligations for a Company Processing Personal Data, Data & IT Law, https://www.dataitlaw.com/overview-15-gdpr-compliance-obligations/ (last visited April 10, 2019).
[23] Id.
[24] Fines and Penalties, GDPREU.org, https://www.gdpreu.org/compliance/fines-and-penalties/ (last visited April 10, 2019).
[26] Emily Price, France Fines Google $57 Million for GDPR Violations, Fortune (Jan. 21, 2019), http://fortune.com/2019/01/21/france-fines-google-57-million-for-gdpr-violations/.
[27] Statista, Google: revenue worldwide 2002-2018, Statista.com https://www.statista.com/statistics/266206/googles-annual-global-revenue/ (last visited April 10, 2019).
[28] Fed. Commc’n Comm’n, FCC Adopts Broadband Consumer Privacy Rules, FCC.gov, https://www.fcc.gov/document/fcc-adopts-broadband-consumer-privacy-rules (last visited April 10, 2019).
[29] Id.
[30] Glenn G. Lammi, The Nullification of FCC’s Broadband Privacy Rules: What It Really Means for Consumers, Forbes (April 12, 2017, 3:18 PM), https://www.forbes.com/sites/wlf/2017/04/12/the-nullification-of-fccs-broadband-privacy-rules-what-it-really-means-for-consumers/#6343959179ba.
[31] Tim Cook, You Deserve Privacy Online. Here’s How You Could Actually Get It, Time (Jan. 16, 2019) http://time.com/collection-post/5502591/tim-cook-data-privacy/; Emily Price, Time Cook Thinks Consumers Should Have More Control Over Their Data, Fortune (Jan. 17, 2019),
http://www.fortune.com/2019/01/17/tim-cook-thinks-consumers-should-have-more-control-over-their-data/.
[33] PricewaterhouseCoopers, How consumers see cybersecurity and privacy risks and what to do about it, PwC.com, https://www.pwc.com/us/en/services/consulting/library/consumer-intelligence-series/cybersecurity-protect-me.html (last visited April 10, 2019).