GDPR Rounds Its First Month: Takeaways From the GDPR's First 30 Days

Almost a month has now passed since the General Data Protection Regulation (GDPR) entered into force. Apocalyptic predictions of huge global fines and regulatory action against businesses located outside the European Union have not materialized as yet, although the world of data privacy is in some state of confusion.

The past few weeks have seen the GDPR escape the confines of technology and data privacy specialists and land on the agenda of corporate boards and in the inboxes of practically every individual with an email address. Mainstream news media have carried numerous reports and broadcasts on the GDPR and its significant impact on businesses. Email notices regarding re-consenting and privacy policy updates have brought the GDPR into practically every household. The GDPR is a radical overhaul of European data privacy laws which also has significant extra territorial reach. However, many of the principles of the GDPR are not new and simply build on the previous 1995 Data Protection Directive. Also, critically, while the GDPR (as its title suggests) is an omnibus sector-neutral piece of legislation, it needs to be understood in the broader context of other EU data privacy laws and the national laws of the 28 EU member states which implement those laws and the GDPR. A few broad themes have emerged over the last few weeks.

Re-Consenting

The run up to May 25 saw a flurry of emails to customers and business contacts asking recipients to re-consent or opt-in to marketing communications or otherwise be deleted from marketing lists. Understandably, many companies questioned whether this is something they should be doing as well.

The GDPR raises the standard of “consent” and provides (like the previous Directive) an absolute right to opt-out of marketing communications. However, this is only one part of the picture since the rules on direct marketing are primarily governed by the EU e-Privacy Directive (as implemented by each EU member state) and not the GDPR. The necessity of re-consenting will generally depend on:

• Whether your organization has already obtained a valid consent and can demonstrate this. Business to consumer email marketing must (subject to the “soft opt-in” exception outlined below) be carried out on the basis of opt-in consent. Under the GDPR, the consent must be a freely given, specific, informed and unambiguous indication of an individual’s wishes, signified by a statement or clear affirmative action. Businesses must be able to demonstrate such consent to a regulator. If your organization relies on opt-in consent for its email marketing and either (a) that consent does not reach the GDPR-standard, or (b) you cannot demonstrate you have obtained this consent, this would require a re-consenting exercise to be undertaken. However, existing consents otherwise remain valid and there is no need to reobtain consents unless (a) or (b) apply.
• Whether your organization relies on the “soft opt-in” exception: the “soft opt-in” exception to the general rule requiring opt-in consent for email marketing applies, broadly speaking, where an individual’s details have been obtained in the course of a negotiation/sale, the marketing relates to similar goods and services, and the individual is provided with an opt-out in every email communication. The soft opt-in is unaffected by the GDPR. It remains a valid basis on which to conduct email marketing. If you are relying on the soft opt-in exception for your email marketing activities, and (crucially) you can demonstrate it applies, you would not need to re-consent. The problem which many organizations have faced (apart from the force of the herd) is that they cannot always show through their internal records that they have the necessary consents. Systems may not necessarily track the nature or type of consent from the records documenting a sale or negotiation of a sale of products and services through to marketing databases.
• Whether your organization is engaged in business-to-consumer or business-to-business marketing: the rules on business-to-business marketing vary by jurisdiction, since the underlying e-Privacy Directive has been implemented slightly differently in the 28 EU member states. In the U.K. (and many, but not all, EU countries), business-to-business email marketing can generally be conducted on an “opt-out” basis. In other words, consent is not necessary but the option to opt-out of future communications must be provided in the email communication itself. If your organization is only engaged in this type of marketing, there is no legal requirement to re-consent.

Given the general confusion, many organizations felt that a blanket re-consenting email was the safest approach. This meant, however, that those customers and contacts who did not respond could no longer be contacted, leading in some cases to drastic reductions in active, marketable database contacts. Some organizations, somewhat bizarrely, sought to recover the situation by stating that the re-consenting emails had been sent in error, having realized that the re-consent campaign may have been unnecessary or may have had a significant impact on future marketing plans.

Territorial Scope and Geo-Blocking

Another common theme of the last few weeks is the way in which many organizations in the U.S. have seemingly overreacted by geo-blocking their websites to ensure that they are out of scope of the GDPR. While many prominent media organizations took this course of action, this led to a flurry of companies following suit or seeking urgent advice on whether they should do so. For some organizations based outside of the EU, this may have been the only option upon realizing, late in the day, that they may have been within the scope of the GDPR and were insufficiently prepared.

Unfortunately, there remains a significant degree of uncertainty regarding the precise territorial scope of the GDPR. This has led to sweeping generalizations in much reporting and commentary, which often suggests that any contact with the personal data of an EU resident will bring an organization within scope. This simply is not the case. The GDPR applies to companies established in the EU, and also to companies which offer goods or services to EU residents or monitor their behavior. Neither concept is particularly well-defined. Critically, the mere fact that an organization collects EU personal data through a globally accessible website does not mean that the GDPR automatically applies. Generally, there needs to be some form of targeting of EU residents through, for example, the use of local languages or local currencies. Some organizations may, due to their operational structures, data collection mechanisms, and processing operations, need to adopt geo-blocking to ensure they remain out of scope. For many organizations, this is not necessary or advisable. It is simply not necessary to block EU residents from accessing a U.S.-based website and submitting personal data through that website. Such actions by EU residents would not, in themselves, bring a U.S. website within scope.

Similarly, there is much confusion about the scope of the requirement for monitoring the behavior of EU residents and whether use of relatively common tracking techniques, including many cookies, bring a non-EU organization within scope. This requires a technical assessment of the techniques used, an analysis of the personal data involved and an appraisal of the risks involved in continuing to use such analytics tools.

Privacy Activists

The last five years have also seen increased challenges to data privacy practices by privacy activists — notably the legal challenges to the Safe Harbor regime, which led to its replacement by the Privacy Shield, and the ongoing legal challenges to data transfer under EU Model Clauses.

A not-for-profit organization, None of Your Business, immediately filed four complaints relating to the GDPR when the GDPR came into force. The claims are against Facebook, Instagram, WhatsApp and Google’s Android and suggest the breaches justify that the maximum penalty (four percent of global turnover) be applied to each company. The claims relate to the way in which consent is obtained from users and whether this meets the standard required by the GDPR on the basis that the privacy practices of these organizations allegedly require users to agree to privacy policies or completely lose access to services they use. Interestingly, the complaints have not been filed in Ireland (where many tech companies in Europe are based) but in Austria, Germany, Belgium and France, because the GDPR permits complaints to be made to data protection authorities other than to the one in which the relevant company is headquartered.

The challenges could lead to useful regulatory and judicial guidance on the meaning of “consent” and the requirements for valid consent in practice. While the initial targets of privacy activists are fairly predictable, it is likely that other less prominent companies will, in due course, be subjected to further scrutiny and challenge. Regulators may not necessarily seek maximum fines at the outset and will have to prioritize their finite resources when investigating and taking enforcement action. However, direct claims by data subjects and not-for-profit privacy organizations may act as a catalyst and are likely to mean, in practice, that businesses cannot be complacent as to the prospects of some form of challenge to their privacy practices.

Late to the Show? Becoming GDPR-Compliant Post May 25

While the implementation date of 25 May 2018 has passed, a significant number of organizations are still in the process of completing their GDPR compliance projects. The prospects of enforcement action are less likely for organizations which have clear and comprehensive GDPR compliance plans in place and can demonstrate to regulators that they are working in good faith to implement those plans.

The GDPR does not provide a grace period post 25 May 2018 – it has been published in final form since April 2016. Nevertheless, a number of regulators (including the U.K. Information Commissioner) have indicated that having a comprehensive plan with a clear deadline for implementation is likely to reduce (but not completely avoid) the prospect of enforcement action in the event of any compliance issues over the next three to six months. This is particularly so in the case of small and medium-sized businesses. Large, multinational and data-intensive business which are yet to complete their GDPR compliance programs should aim to complete these as soon as possible, given that the potential risks to data subjects from non-compliance are greater. While many organizations rushed to revise their public facing privacy policies before the end of May, GDPR compliance often requires more fundamental changes to internal processes and systems. Although much internal and external papering is required, it is not a simple matter of implementing pro-forma policies. Compliance requires a good understanding of the fundamentals of data collection, handling and security within an organization. These are business fundamentals which (regardless of GDPR and regardless of location) are worth getting right.