Last updated on January 8, 2023
The new EU privacy rules are not just for EU businesses.
For example, let’s say someone hears about your product and wants to sign up for a trial. When you check their info, you notice they are based in the EU. You’re now within the scope of the new EU privacy rules.
Your business does not “do” personal data, just data. But someone, unrelated to you, has the commercial/technical capability to use it, cross-reference it with open data, and thus identify EU living individuals. That means you’re in scope of the new EU privacy rules.
If challenged, you may need to prove that no data was collected about EU persons, and that if it was, it was afforded EU-grade privacy. Do you know if you have EU data and where it is? Even to prove a negative, you’re in scope.
European Union law-makers have reached agreement in December 2015 on a new Regulation designed to govern the flow and stewardship of personally identifiable data 1) across the EU Member States and, 2) between the Union and other countries. Businesses will have two years to comply with this new privacy regime established by the General Data Protection Regulation (GDPR).
The GDPR’s extraterritorial reach is the widest we have seen so far.
For you to be subject to the GDPR It is sufficient that:
- data be about individuals that find themselves in the EU and
- that you handle it in the context of offering goods or services to them or tracking/monitoring them
Why?
Because it regulates any form of processing [1] of digital data concerning EU individuals.
To fall within the meaning of ‘processing’ according to the GDPR it is not necessary that you are the one collecting, storing or destroying the data.
In other words you do not need to be involved in any marketing or back-office activities. It is sufficient that you retrieve, consult, organize, structure, align, combine, disseminate, disclose by transmission or soft-delete data about EU individuals. The GDPR impacts every professional profile that handles/uses data.
Even if your company is not registered in Europe; even if you have no subsidiaries, branches, satellite offices or data centres in Europe; even if you have not outsourced any of your digital operations to contractors or suppliers in Europe; even if there is no digital equipment – not even a single thumb drive with your company data – that lies on EU soil; even if you have no clients or leads in Europe, even then, the new EU Data Protection Regulation applies to you.
To trigger application of the GDPR you do not need to be handling the data yourself. Your data does not need to be stored in the EU. Your data does not need to be handled on your behalf by someone based in the EU. It sufficient for your data to be about EU individuals.
Moreover, these individuals do not need to be paying clients of yours. The fact that your processing activities ‘take place in the context of offering goods or services’ to EU individuals is enough [2]. The mere fact you are monitoring, ie tracking [3] their behaviour is enough.
Individuals do not need to be EU citizens or EU residents. Mere location of the person in the EU imposes on businesses/organizations handling this data all of the EU data protection obligations [4]. Anyone, whilst on EU soil, will be awarded EU-grade privacy as soon as the GDPR comes into force.
Take-Away #1: Wherever in the world you are doing business, if you offer or are planning to offer a digital service, free or otherwise, be it a web app or a native app, a platform or an interactive website and if its design makes it usable by anyone within the EU, you’ll have to comply with the GDPR before 2018.
Your business options: (1) design features in the product to allow individuals located in EU simple access with no visitor tracking, no profiling and no offer of goods or services and disable any activity that allows more than simple access; (2) switch users that request more than simple access and that are based in the EU to EU-grade privacy; (3) offer EU-grade privacy by default to all your users.
The GDPR’s definition of personal data is more encompassing than ordinary language (or other privacy regimes)
The GDPR defines “personal data” as:
“any information relating to an identified or identifiable natural person ‘data subject’; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”.
In plain English [5]:
“any information” = any information concerning a person, whether a matter-of-fact description or an opinion about them, whether true and proven or incorrect and speculative; be it about their personal and family life or about any other activity they undertake; whether contained in a structured ordering system or collected and stored in a non-systematic fashion; whether biometric or relational; in whatever format it is captured and stored: audio, video, paper, in binary code, alphabetical or numerical;
“relating to” = the connection between the information and the individual may be intuitive and straightforward or it might only be established thanks to additional data and context. You may be collecting data with no immediate intention of drawing any connection between it and any individuals; yet, if your data is “likely to be used with the purpose to evaluate, treat in a certain way or influence the status or behaviour of an individual”, then the information is personal data and the GDPR applies.
You may be collecting data that does not link up to individuals, that is not even likely to be used by you with that purpose in the future, yet, if its use is likely to have an impact on a certain person’s rights and interests, it is personal data and the GDPR applies;
“identified or identifiable – directly or indirectly” = to single out an individual within a group of others we rely on identifiers (hair colour, a first name), or a combination of identifiers, like first name, family name, date and place of birth. The regulation goes further and expressly sets out to apply even to the so called unique combinations and to the practice of collating information from disparate sources to target personalized services to users. In other words, even if an individual is not identifiable on the basis of data you hold, if additional data, sourced elsewhere allows identification, the data you hold becomes de facto personal data [6].
This makes working with pseudonymised data a risk to be assessed: cross referenced to other data sources, pseudonymized data may still permit re-identification of individuals. It is granted that the possibility of identification must be “reasonably likely”, and not purely hypothetical.
Take-Away #2: Whatever definition of personal data exists in your workplace, whatever your employees intuitively understand personal data to be, the GDPR comes with its own expansive and probably counter-intuitive definition of what makes data personal.
This will require adjusting to. If, in the circumstances of the case, a connection between the person and the information can be drawn, you are handling “personal data” and you must observe EU data protection principles in handling it. Your safest business option: only use data that has been anonymized so that no connection can be retrieved with a natural person.
The GDPR is not a piece of protectionist EU law, but a piece in a larger puzzle
It has often been suggested, not least by the incumbent USA President, Barak Obama [7], that the current fervour shown by EU institutions in defending their people’s right to privacy is nothing other than an attempt to boost European IT enterprises and data centres at the expense of the US IT sector: by imposing impossibly high thresholds to data handling, by giving individuals enforceable rights to data portability and data erasure, by restricting data flows out of the EU, Europe is trying to make up for lost time.
The European market is dominated by a few large US corporates: by throwing a spanner in the works of their vast data operations, so the argument goes, incumbent players are sufficiently disrupted to give time to home-grown industries to rear their head.
While true that the goals of favouring fair competition, a level playing field and preventing the growth or large monopolies are part of the DNA of the European Union, and the penalties have indeed mostly targeted USA players, the decision and law-making processes within EU institutions are too complex, layered and consultative for any outcome to be directly influenced by a specific lobby or interest group.
To paraphrase De Gaulle, Europe’s politics is not decided on the trading floor. In more ways than one, the European law-making process is more insulated from the business community than is the case in other representative democracies and, while strongly driven by principles, it can be weak on implementation detail for the receiving party.
The best way to grasp the drivers of the EU’s energetic privacy activism is to read it as a three-stage, long term strategy by the EU, designed around personal data as a new asset class, aimed at creating a well-functioning, regulated market for data with clear ownership and contractual rights and, ultimately, devising some sort of levy or taxation appropriate to this new resource.
Seen thus, we are in the middle of a three-part message sent out by the EU to businesses in the rest of the world. I’ll paraphrase and cut to the chase.
Part one: Stop whatever collection of data you are carrying out about people based in the EU, and check you are compliant with the current Data Protection Directive NOW.
Even if a political agreement between countries authorising the principle of data transfers were to be in place, ultimately we reserve the right to analyse case-by-case if a specific business practice meets our legal standards for privacy. (The highest EU court made this point very clear in invalidating a 15 year old EU-USA agreement.
Part two: Start treating personal data as if it were on loan.
Just because personal data was collected by your business, it is not yours to do what you see fit. You need permission to collect it, you may be asked to back off at any time and must handle it according to EU data protection principles (more on these in the next article). In other words, with the GDPR now agreed, the EU is telling businesses round the world they have two years to get their house in order and pay attention to their own data practices. If they don’t, the maximum fine is 4% of the business’ annual worldwide turnover.
Part three: Digital data is a new market and we are regulating it. Start accounting for your data as if it were dollars. Expect us to tax you on it at some point.
The third and last part of the message has not yet seen much attention from the press but a consultation has just closed on how to regulate and, presumably, tax online digital platforms that benefit from vast amounts of flows of digital data [8].
While no business can possibly second-guess what this future regulation will mandate, a simple analogy helps: while every CEO knows exactly how the money flows round their business, the board is always presented with statements about the financial position at a given point in time, and business unit managers are asked to account for every dollar coming in and going out, no equivalent map of data flows round the business is mandated. The long term outlook is for boards to be as fluent in reading digital data ledgers as they are income statements.
In seeking legal advice on how to be compliant with the GDPR, businesses will be offered a range of solutions.
Some will be short term (we’ll cross that bridge when we get there: the GDPR is not yet enforceable). Others will be tactical (you can outfox the consumer by inserting weasel words into privacy notices, or by drafting consent forms in such a way that makes a yes more likely than a no, or by sidestepping the issue of consent altogether and relying on the notion of legitimate interest as a basis for processing personal data). Yet others will be strategic and look to the long term evolution of privacy trends. As a business it is your prerogative to select the legal advice that best mirrors your ethical posture and your trust business model.
Take-Away #3: The GDPR has escalated the issue of personal data to the board. How you do what you do with personal data is no longer merely a back-office compliance issue or even a storage provider problem. It is as critical as deciding a business model. Unless you sit on the board, shaping the company’s data business model may well be above your pay grade. Do not delay in escalating it to the board. Map your data flows and present the results to the CEO. Ensure the board understands the scale of the fines. Use the EU GDPR principles as a blueprint for any product design, sales and marketing activity as if they were addressed to EU users: one day they might.
Even if you think it is not your call because as a contractor or subcontractor you do not collect the data and you only handle it according to clients’ specific instructions, the EU still places on you the obligation to give that data EU-level protection.
Businesses ought to start wondering now: if we were to be taxed on it, would we be able to account for all the data we hold? Map where data comes in and where it leaves the business? Would we be able to quantify the value to the business of collecting it and holding on to it?
This won’t be easy. Two years is not long.
Chiara Rustici is a London-based independent EU privacy analyst.
Formerly a tutor in Jurisprudence and in International Law at the University of Edinburgh, teaching fellow in Philosophy of Law at the University of Genoa, CNR (Italian National Research Centre) research fellow for 2000-2001, recipient of multiple postgraduate research grants, she is a published author of legal reasoning articles and the Italian translator of Frederick Schauer’s Playing by the Rules.
In 2007 she moved from Academia to The City, where she led several businesses from start-up to profitable growth. In the employ of Euromoney Institutional Investor Plc. and Steel Business Briefing Ltd. she gained invaluable insights in the way commodities and markets work. As both a policy buff and a keen entrepreneur, she is passionate about translating current and forthcoming regulation into concrete and workable business objectives, as well as feeding back into policy-makers the strengths and limitations of market drivers. She can be reached via her LinkedIn profile.
Footnotes
[1] The GDPR offers a detailed definition of ‘processing’ in Art 4(3): “‘processing’ means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”;
[2] See GDPR preamble (20) for a clarification of an ‘intention to offer goods or services’: “[…] Whereas the mere accessibility of the controller’s or an intermediary’s website in the Union or of an email address and of other contact details or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, and/or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to such data subjects in the Union”
[3] For an explanation of what the GDPR considers to be ‘monitoring’ activity, see preamble (21): “In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether individuals are tracked on the Internet including potential subsequent use of data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviours and attitudes”
[4] The privacy protection available to EU individuals at the time of writing is still regulated by Directive 95/46/EC: a piece of legislation that different EU member states have interpreted and implemented differently. Guidance on how to correctly interpret its application to non-EU businesses cab be found here. To use the UK as a specific example, in order to understand if businesses outside the EU offering goods and services to UK individuals are impacted by the current data protection regime, please do refer to the Information Commissioner’s Office published guidance.
[5] Preamble (23) of the GDPR clearly rules out pseudonymised data in favour of anonymised data: “Data which has undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered as information on an identifiable natural person. To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by any other person to identify the individual directly or indirectly. To ascertain whether means are reasonable likely to be used to identify the individual, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration both available technology at the time of the processing and technological development. The principles of data protection should therefore not apply to anonymous information, that is information which does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is not or no longer identifiable.”
This is not an entirely new concept introduced by the GDPR but is the received interpretation of what constitutes personal data according to the Directive 95/46/EC already in force. To prevent each EU member state interpreting EU legislation differently, the Data Protection Supervisors of each of the 27 EU member states (known as Art 29 Working Party) have been drafting guidelines collaboratively to assist corporates and consumers in understanding and applying the rules in typical business situations.
In 2007 the Art 29 WP published its Opinion 4/2007 on the concept of personal data. Although this publication pre-dates the GDPR and refers to its predecessor, the Data Protection Directive 95/46/EC, and although the Art 29 WP opinions are persuasive but not binding, since the definition of “personal data” is exactly the same, this Opinion remains the most authoritative interpretation and source of examples both for the meaning of personal data in the current privacy regime and in the forthcoming GDPR one. The breakdown in the above paragraph is lifted almost verbatim from their Opinion.
“natural person” = referring to individuals as natural persons serves more purposes: it avoids making data protection rights conditional on citizenship or residence; it echoes the Universal Declaration of Human Rights, suggesting that privacy is one of the fundamental ones; it specifically keeps “legal persons” or deceased individuals out of the reach of the regulation.
[6] In the words of Art 29 WP’s Opinion 4/2007, even if, at first blush, “the extent of the identifiers available does not allow anyone to single out a particular person, that person might still be ‘identifiable’ because that information combined with other pieces of information (whether the latter is retained by the data controller or not) will allow the individual to be distinguished from others.”
[7] See his interview with Kara Swisher of Re/Code. For a commonly held view in the US business community see a more recent HBR blog The Business Implications of the EU-U.S. “Privacy Shield”.
[8] https://ec.europa.eu/digital-agenda/en/news/public-consultation-regulatory-environment-platforms-online-intermediaries-data-and-cloud
[…] your colleagues who do most of the data collection don’t appreciate it’s who the data is about, not where the data lives that matters for the GDPR, you may end up spending a lot of your cyber security budget to defend […]