App developers, the business community, and privacy advocates alike have been abuzz about the General Data Protection Regulation (GDPR). As the European Union's newest privacy regulation, the GDPR goes into effect on May 25, 2018. Many businesses are curious about the impact this new regulation may have on their ability to engage with European customers, and just how different it will be from existing privacy regulations. ACT | The App Association's interactive GDPR Guide offers a thorough overview of what is necessary to comply with the new rules, and how the GDPR compares to privacy rules already in place.
Many businesses assume that if they comply with U.S. privacy regulations, or have only a handful of customers and clients in the EU, they do not need to worry about the GDPR. That is simply not true. Under Article 3, the GDPR applies to any company established in the EU, and to any company outside the EU that offers goods or services to people in the EU or monitors their behaviour there. It does not matter whether your business is physically located in the EU, or whether you already abide by the privacy rules of your own country. If your company collects, transfers, or stores the personal data of people in the EU in the course of serving or tracking them, the GDPR applies to you.
You can learn more about the requirements to comply with this new regulation, but here’s a look at how it holds up to the United States’ existing privacy regulations.
EU-U.S. Privacy Shield
Many U.S. businesses are certified under the EU-U.S. Privacy Shield in order to receive personal data from the European Union lawfully. The European Commission adopted the Privacy Shield adequacy decision in July 2016, and the U.S. Department of Commerce administers the program, which is meant to help companies meet EU data protection requirements when transferring personal data from the European Union to the United States. The framework lets American companies that import personally identifiable information (PII, or "personal data" in EU terminology) about EU persons voluntarily self-certify to a set of Privacy Shield Principles, and sets the rules by which certified companies must abide.
How the GDPR compares
Though both programs relate to the handling of EU persons' personal data, it is dangerous, not to mention very expensive, to assume that Privacy Shield certification equates to GDPR compliance. The GDPR's penalties are tiered, and for the most serious violations the maximum fine is 4 percent of a company's annual worldwide turnover or €20 million, whichever is higher.
The Privacy Shield addresses one narrow question: how personal data may lawfully be transferred from the EU to the United States. The GDPR, by contrast, has an extraterritorial provision (Article 3) that reaches any company, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour. In fact, the EU Article 29 Working Party (WP29), the advisory group of EU data protection authorities, has pointed out that the Privacy Shield Principles do not reflect several GDPR requirements. The group points to the GDPR's right to data portability and to "additional obligations on data controllers, including the need to carry out data protection impact assessments and to comply with the principles of privacy by design and privacy by default," concepts that the Privacy Shield Principles do not expressly incorporate.
While the two frameworks have similar intent, the GDPR goes well beyond the Privacy Shield in its application and scope. We strongly advise against assuming that Privacy Shield certification equates to GDPR compliance.
U.S. Breach Laws
For businesses based and operating stateside, the United States has no general federal breach notification law, nor a uniform definition of a breach. Individual states define what counts as a breach, which can include the "unlawful disclosure or retrieval of Social Security numbers, government issued ID numbers, bank account numbers, or other financial material," and they impose notification deadlines of varying lengths.
How the GDPR compares
By contrast, the GDPR (Article 4) defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, and it defines personal data broadly as "any information relating to an identified or identifiable natural person," expressly including online identifiers. Unlike the state-specific breach notification laws in the United States, the GDPR imposes a single breach notification deadline across all member states.
In addition, while most American states impose a "without unreasonable delay" standard for breach notifications, with some states setting specific deadlines of 30 to 60 days after discovery, the GDPR (Article 33) requires a controller to notify the competent supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware" of a breach, unless the breach is unlikely to result in a risk to individuals. The obligations differ depending on whether you are a processor or a controller (you can find out where you stand here): a processor must notify its controller without undue delay, and the 72-hour clock runs from the moment the controller becomes aware, which is a frequent source of confusion about when the clock actually starts.
There is one area of convergence in this comparison. Although Article 33 lists what a notification must at least contain (the nature of the breach, a contact point such as the data protection officer, the likely consequences, and the measures taken), neither U.S. state law nor the GDPR prescribes the format in which a company must notify a supervisory authority.
Children's Online Privacy Protection Act (COPPA)
COPPA, enforced by the Federal Trade Commission, governs the online collection of personal information from children under 13. Operators of websites and online services directed to children, or that knowingly collect information from children, must post a privacy policy and obtain verifiable parental consent before collecting, using, or disclosing a child's personal information.
How the GDPR compares
Where COPPA draws the line at 13, the GDPR (Article 8) sets the age at which a child can consent to information society services at 16. EU member states, however, have the discretion to lower that threshold as long as it is not below 13 years old. While this gives member states flexibility, it also creates compliance headaches: with different ages of consent across the EU, companies and data processors will need to understand and comply with several different consent requirements depending on where each data subject is located.
In line with COPPA, the GDPR requires the controller to make reasonable efforts, taking available technology into account, to verify that consent was given or authorised by the holder of parental responsibility, but it does not provide detailed guidance on how to obtain parental consent or on parental access to a child's data.
Even though the GDPR has no dedicated article on children's online privacy comparable to COPPA, that does not mean the new rules are more lax in this regard. The GDPR's opt-in consent model is intended to ensure that all data subjects in the EU, irrespective of their age, are protected by its stringent data privacy rules.
Health Insurance Portability and Accountability Act (HIPAA)
How the GDPR compares
In many ways, the GDPR's "data concerning health" (DCH) is similar to HIPAA's protected health information (PHI): Article 4 defines it as "personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status." Under Article 9, health data is a special category of personal data whose processing is prohibited unless a specific exception, such as explicit consent, applies.
While HIPAA's covered entities are limited to health plans, health care clearinghouses, and health care providers that transmit health information electronically (plus their business associates), the GDPR applies to any entity within its scope that processes health data, irrespective of the sector it operates in or where it is located. In this context, the health-related privacy protections put forth by the GDPR extend well beyond the healthcare-specific scope of HIPAA and carry great importance for U.S. businesses handling the data of people in the EU.
These are just a few examples of how the GDPR relates to existing U.S. privacy laws. At their cores, most U.S. privacy laws are sector-specific and govern the use and protection of personal information in particular contexts. By contrast, the GDPR is an overarching regulation that governs the collection, access, and use of all EU data subjects' personal data at all times. If your business collects any EU data subject's personal data, regardless of whether it is health-related or pertains to a child under 16, you fall under the GDPR's umbrella. These nuanced differences are important to understand and comply with before the regulation goes into effect on May 25th, and you can learn more about regulation requirements, key terms, and comparisons in our interactive GDPR guide. As always, the App Association team will keep you in the loop with new analysis, insight, and information as we approach this regulation's implementation.
Adarsh Mahesh contributed to this blog.