Expert Analysis by Linda V. Priebe, JD, CIPP/E, Law360, New York (March 21, 2017, 11:52 AM EDT) – Reprinted with permission.
In a little more than 13 months, many U.S. communications companies that think cross-border data protection rules don’t apply to them will find out otherwise. It’s no secret that a new European Union and European Economic Area (EU/EEA) data protection regulation takes effect May 25, 2018. What is not clearly understood is that U.S. communications companies with no EU/EEA customers of their own may find themselves subject to the new General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, simply because their U.S. customers have customers in the EU/EEA.
This means that under the new regulation, which replaces Data Protection Directive 95/46/EC, the EU/EEA customers of a U.S. telecom or digital communications provider’s business customers are entitled to GDPR protection from that U.S. provider. Under the new GDPR, a data processor may also find itself classified as a data controller or joint controller, with all the concomitant regulatory compliance exposure. U.S. telecom/communications companies must also be prepared to be treated as EU data controllers simply because they receive personal data of EU/EEA residents transferred to them from other companies, including their direct competitors.
The new GDPR’s extraterritorial reach is sending shock waves around the globe, drawing companies located outside the EU/EEA that handle personal data of EU/EEA residents into the wider regulatory net cast by the EU/EEA data protection authorities.
Data Privacy and E-Privacy Regulation for Telecoms
In addition to the new GDPR, the EU Commission issued a draft e-privacy regulation on Jan. 10, 2017, to replace the former e-privacy directive (aka the “cookie law”). The draft e-privacy regulation is intended to take effect on the same day as the new GDPR and will create even bigger EU/EEA compliance hurdles for U.S. telecom/digital communications companies whose U.S. business customers use their services/products to communicate with EU/EEA residents, on top of the pre-existing, comprehensive GDPR compliance requirements.
The e-privacy regulation applies to all digital communications companies and upgrades the previous “cookie law” from a directive to a regulation directly applicable within EU/EEA member states, without requiring the states to enact implementing legislation. Like the new GDPR, the e-privacy regulation applies to non-EU/EEA providers of digital communication services used to communicate with EU/EEA residents, regardless of whether the services are paid or free. The e-privacy regulation incorporates the GDPR’s astronomical two-tier penalties: fines of up to €10 million or 2 percent of a company’s worldwide annual turnover for some violations, and up to €20 million or 4 percent for others, whichever amount is higher.
The new e-privacy regulation massively expands the types of digital communications products/services subject to the former e-privacy directive beyond traditional telecommunications companies to all digital communication providers including:
- Email and webmail;
- Voice over IP (VoIP);
- Text and instant messaging;
- Mobile applications;
- Over-the-top (OTT) communication systems like Facebook Messenger and WhatsApp;
- Internet service providers (ISPs);
- Internet of things (IoT) devices;
- Public Wi-Fi; as well as
- Metadata, cookies, direct marketing and online marketing, etc.
Far exceeding the reach of the new GDPR, the draft e-privacy regulation protects the data of “legal persons,” i.e., businesses and organizations, as well as “natural persons” located in the EU/EEA. It also creates new data rights for businesses and individuals that are not included in the new GDPR, such as the right to confidentiality of digital message content and metadata, and the right to integrity of a user’s digital device.
Vigorous Debate Ensues
In the EU, the draft e-privacy regulation has been criticized by digital communications product/service providers, who characterize it as unnecessary in light of the new GDPR’s strict, comprehensive and overlapping obligations. Critiqued as poorly drafted and on too short a timeline to take effect simultaneously with the new GDPR on May 25, 2018, the e-privacy regulation is expected to be vigorously debated and likely amended to some extent. However, the current draft is a product of the EU Commission, which views the new regulation as necessary to protect the data of all users of EU/EEA digital communications services/products worldwide.
Criticized or Not, Change Is Coming
Many U.S. communications companies erroneously think the EU’s global expansion of its data privacy laws outside the EU/EEA doesn’t apply to them. They mistakenly think they are too small to attract the enforcement attention of the aggressive EU data protection authorities. They are wrong.
The new GDPR 2016/679 explicitly covers small, medium and even microenterprises, stating in Recital 13: “The regulation is necessary to provide legal certainty and transparency for economic operators, including micro-, small- and medium-sized enterprises, and to provide natural persons in all member states with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors.” (emphasis added)
One Potential Exception
The only potential accommodation for small businesses, wherever located, concerns record-keeping. And that exception is contingent on the size of the business.
Article 30 of the new regulation requires that data controllers, and data processors working on their behalf, regardless of where the actual data processing takes place, keep records of all data processing activities and make them available to EU/EEA data protection authorities upon request. The records must include descriptions of all the:
- Purposes of the processing;
- Categories of data subjects;
- Categories of personal data;
- Categories of recipients to whom the personal data have been or will be disclosed;
- Transfers of personal data to third countries;
- Time limits for erasure of the different categories of data; and
- Technical and organizational data security measures.
The only potential exception is for businesses with fewer than 250 employees worldwide. Once a U.S. communications company hires that 250th employee, in the U.S. or elsewhere, all of the new GDPR’s stricter compliance requirements apply, including the comprehensive record-keeping requirements.
But even a company under that size loses the exception if any one of the following applies:
- The data processing is likely to result in a risk to the rights and freedoms of EU/EEA residents;
- The data processing is not occasional; or
- The personal data reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or includes genetic data, biometric data processed to uniquely identify an EU/EEA resident, health data, data concerning an EU/EEA resident’s sex life or sexual orientation, or personal data relating to criminal convictions and offenses.
EU/EEA-Wide Rules with State Supplements
The new GDPR is intended to create a single set of rules across the EU/EEA. However, it does permit EU/EEA member states to enact supplemental laws and regulations in some instances. A number of EU member states have already started that process, including Germany, the Netherlands, France and the U.K. And they are not waiting for the new GDPR’s May 25, 2018, effective date.
Last November (2016), 10 of Germany’s 16 regional data protection authorities (DPAs) launched a mass data privacy investigation of 500 randomly selected businesses of various sizes that they suspected of transferring EU residents’ personal data to cloud services located outside the EU, and particularly to the U.S.
The DPAs required the companies to complete a detailed questionnaire regarding transfers of personal customer and employee data to countries outside the EU. Companies were required to confirm whether they were transferring EU personal data outside the EU and, if so, which EU legal grounds they relied on to justify those international data transfers. The questionnaire covered email and other communication platforms, cloud storage, mobile applications, customer service ticketing systems, and risk management and compliance systems. That investigation is ongoing.
Huge Fines for Noncompliance
The new GDPR creates a number of daunting new data privacy rights and protections for EU/EEA residents (regardless of their citizenship) and threatens noncompliant organizations with huge fines and penalties. For data controllers and data processors that handle personal data of EU/EEA residents, including communications companies in the U.S., fines are set in two tiers: up to €10 million or 2 percent of a company’s worldwide annual turnover, and, for the most serious violations, up to €20 million or 4 percent, whichever amount is higher.
The new GDPR’s rights and obligations regarding data portability, data erasure (i.e., the “right to be forgotten”), data subject consent, data anonymization, breach notification, transborder data transfers, appointment of data protection officers, the lead supervisory authority (“one-stop shop”), etc., will require more U.S. communications and technology companies handling EU/EEA residents’ personal data to make major changes in their operations.
Surprise, You’re an EU Data Processor/Controller
Many U.S. telecom/communications companies are surprised to find themselves considered EU data processors, or even data controllers, due to the business activities of their U.S. business customers. This can happen when a U.S. business customer uses the communications company’s products/services to collect, use and/or store personal data regarding EU/EEA customers or potential customers. That’s it. And it comes with added compliance responsibilities.
When, as is common, a U.S. business customer uses a U.S.-based email service to communicate with customers or potential customers in the EU/EEA, the U.S. business customer that collects, uses and/or stores that personal data from EU/EEA residents is considered a data controller under EU law.
U.S. communications companies that provide email or other communications products/services to U.S. business customers communicating with EU/EEA residents are EU data processors acting on those customers’ behalf.
Add to that the potential for U.S. telecom/communications companies to find themselves receiving portable EU/EEA personal data (even from competitors) as EU/EEA residents exercise their new data portability right (more about this follows) and, as a result, to be considered EU data controllers themselves.
Who’s Responsible for Compliance?
Primary responsibility for EU data privacy compliance falls on data controllers, including U.S. businesses:
- Communicating with customers and/or potential customers in the EU/EEA.
U.S. telecom/communications companies are considered data controllers (which may be natural or legal persons) if they decide the purposes and means of processing EU/EEA resident personal data. Additionally, under the new GDPR, U.S. data controllers are also liable for the compliance of any data processors they use to assist them in processing EU/EEA personal data, wherever the data processing occurs: inside or outside the EU/EEA or the U.S. Moreover, the new GDPR mandates that data controllers engage only data processors that provide sufficient guarantees, under a binding written contract, that they will comply with the new GDPR when processing on behalf of the data controller. The new GDPR also requires data processors to implement appropriate technical and organizational security measures.
Under the new GDPR, U.S. telecom/communications companies may be expected by their U.S. business customers communicating with EU/EEA customers/potential customers to agree to EU-approved standard contractual clauses for international data transfers and to processor contract terms attesting to their compliance with EU data privacy law. Turnaround for compliance with the new GDPR is short, given the May 25, 2018, deadline. In anticipation of the new GDPR, a number of U.S. telecom/communications and technology companies began overhauling their data privacy and cybersecurity systems as early as 2015. Those that have not yet started the process (and there are many) must move quickly to guarantee compliance with the new GDPR for their U.S. business customers or risk losing those customers to compliance-ready competitors.
As part of their contractual processing duties, data processors are also obligated to assist data controllers with new GDPR compliance, including protecting the rights of the EU/EEA residents who are the subjects of the data (data subjects). In particular, data processors must assist their data-controller customers in responding to requests from EU/EEA data subjects exercising their rights under the new GDPR.
What the New GDPR Covers
The new GDPR casts a wide net regarding the processing of EU/EEA personal data, going so far as to include the mere storage of EU/EEA personal data such as email, as well as the transmission, collection, recording, organization, retrieval, alignment, combination, restriction, erasure, destruction and/or use of personal data.
Communications sent through email, mobile text, social network direct message, etc., from an EU/EEA resident to a business operating in the U.S. constitute international transfers of personal data from the EU/EEA to the U.S. Further, under the new GDPR, international transfers of EU/EEA resident personal data from the EU to the U.S. are prohibited unless an EU-recognized transfer mechanism (such as an adequacy decision, standard contractual clauses or binding corporate rules) ensures that EU/EEA residents and their personal data receive a level of protection essentially equivalent to that provided under the new GDPR in the EU/EEA.
Guidelines have been provided. On Dec. 13, 2016, the EU Article 29 Working Party (the body of EU/EEA data protection authorities referred to as “WP29”) issued its first draft guidance documents for implementation of the new GDPR. These include guidance on the new EU “Right to Data Portability,” which also applies to U.S. telecom/communications companies.
Below are brief highlights, for U.S. telecom/communications and technology companies, of the new GDPR’s Right to Data Portability and of the new EU draft e-privacy regulation:
- Data portability is a brand-new EU data privacy right created in the new GDPR. It is in addition to the data subject’s existing rights: the right to give or withhold consent; the right to information about their data; the right to object; the right to access and correct their data; the right to restrict processing of their data; and the right to data erasure, i.e., the “right to be forgotten,” etc.
- The portability right includes two separate rights: for data subjects to get their data back, in a structured, commonly used and machine-readable format; and to have their data transmitted to another service provider.
- These rights must be clearly explained to EU/EEA residents.
- Data processors, including U.S. telecom/communications companies serving U.S. businesses that communicate with EU/EEA residents, are expected to assist their U.S. data controller customers in complying with the EU data portability right;
- Under the data portability right a U.S. telecom/communications company could become the recipient of the data that a data subject has requested be transferred from another communications company, including the U.S. communications company’s competitors;
- Organizations, including data processors, that receive portable data regarding EU/EEA residents from another organization become EU data controllers of the data they receive under the GDPR;
- Data eligible for portability includes data provided by the individual and “observed” data generated by the data subject’s use of the communications service, products or device; and
- Data controllers (and potentially data processors assisting them) will likely need to develop or acquire new technology to make data subjects’ requests to transfer their data as simple as possible.
What the New E-Privacy Regulation Covers
The EU Commission issued the draft of the new EU e-privacy regulation on Jan. 10, 2017. Below are some of the highlights:
- The draft e-privacy regulation extends data privacy obligations to all digital communication providers, including email and webmail, text and instant messaging, mobile apps, ISPs, OTT communications services such as Skype, IoT devices, VoIP, public Wi-Fi, etc.;
- It harmonizes the former EU “cookie law” with the new GDPR, including adopting the same effective date of May 25, 2018, and incorporating the new GDPR’s enforcement mechanisms and stringent two-tier penalties of up to €10 million or 2 percent of worldwide annual turnover, and up to €20 million or 4 percent, whichever is higher;
- The draft protects data privacy rights of businesses (legal persons) and individual persons located in the EU/EEA regarding digital communications;
- All digital communications including content and metadata must be kept confidential except with the user’s prior consent;
- It supplements the new GDPR with guaranteed confidentiality of a user’s online behavior, such as that tracked through cookies or other tracking technology, except with the user’s prior consent;
- Prior user consent is required to process the content of digital communications and/or metadata unless the data is anonymized or the processing is necessary, for example, for billing or for the transmission itself;
- It lifts the previous e-privacy directive consent requirement for cookies that merely count website visitors or improve visitor experience;
- Prior user consent is required for unsolicited digital commercial communications using any technology such as for product marketing; and
- Telemarketers must display their phone number or use a special prefix (to be determined) designating marketing calls.
Even when processing personal data solely in the U.S., more U.S. telecom/communications companies (including small, medium and even micro enterprises) will be expected to be EU-compliant data processors and to assist their U.S. business customers that communicate with people and businesses in the EU/EEA with compliance under the new EU GDPR and the draft e-privacy regulation.
Despite the approaching higher level of data privacy compliance in the EU for all companies, including U.S. technology companies, some U.S. telecom/communications companies remain unaware that they may indeed be considered data processors, and potentially even data controllers, with all the compliance requirements that must be put in place. U.S. companies unable to quickly guarantee compliance with the new GDPR also risk losing business customers to other U.S. companies that have been overhauling their data and cybersecurity systems for a year or more in preparation for the new GDPR.
And to reiterate: U.S. telecom/communications companies must now be prepared to be considered EU data controllers themselves simply because they receive personal data of EU/EEA residents transferred to them by data subjects from other companies, including their direct competitors. All U.S. digital communications companies handling the data of businesses and/or individuals located in the EU/EEA should also closely follow EU legal developments regarding finalization of the January 2017 draft EU e-privacy regulation and be prepared to comply with both the GDPR and the e-privacy regulation by May 25, 2018.
U.S. businesses providing business-to-business technology products/services, such as software as a service (SaaS) and cloud services, should also be alert to their customers using those products/services to interact with businesses and/or individuals located in the EU/EEA, and to the potential that compliance with the GDPR and/or the e-privacy regulation will soon be required of them.
—By Linda V. Priebe, Culhane Meadows Haughian & Walsh PLLC
Linda Priebe is a partner in the Washington, D.C., office of Culhane Meadows. She is a certified European Information Privacy Professional, whose practice focuses on U.S./EU data privacy, social media compliance, and government relations for U.S. and international businesses and organizations. She previously served as deputy general counsel to three U.S. presidential administrations, and as ethics official at the White House Office of Drug Policy (ONDCP). She was also counsel in a dozen cases before the U.S. Supreme Court, counsel to the Public Affairs and IT Offices at ONDCP, and ethics advisor in the White House Office of Counsel to the President.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
This Blog/Web Site is made available by Culhane Meadows PLLC and its attorneys for educational purposes only and to provide general information about the law—not to provide you specific legal advice. By using this Blog/Web Site you understand that there is no attorney client relationship between you and any Culhane Meadows attorney. This Blog/Web Site should not be used or relied upon as a substitute for competent legal advice from a licensed professional attorney in your jurisdiction. Also, please note that although this Blog/Web Site is made available on the Internet, Culhane Meadows attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.