At 27 days and counting, if you have European customers or clients, it’s time to take a look at your Privacy Policy.

On May 25, 2018, the General Data Protection Regulation (GDPR), adopted by the European Parliament and Council as Regulation (EU) 2016/679, goes into effect. By now, your inbox has been flooded with notices from the Big Data Companies (Amazon, Twitter, Pinterest) announcing that they have new privacy policies and that you MUST READ THEM. If you’re in the US and you are a normal, individual customer of these companies, you can delete all those notices immediately. If you’re in the EU, you can delete them too, because there’s nothing in the GDPR that says you have to read them. But it’s definitely the company’s job to make sure that its EU-based customers know what these policies say, so the emails are likely to keep coming.
Most of you have heard by now that it’s not just the Big Data Companies that have to worry about this. The GDPR affects every commercial and government enterprise that does business with EU-based individuals, whether it’s for pay or not. So I’ve spent the last week or so reading Regulation (EU) 2016/679, so that I may bring you the following Things You Must Do.


A few introductory principles of the GDPR govern everything else it says.

  1. Natural persons should have control of their own data.
  2.  There is a weighing to be done of an individual’s privacy against the public interest or the interest of third parties, but the scales are tipped in favor of data protection.
  3. The GDPR divides the parties that handle personal data into “controllers” (the entity or person that determines the purposes and means of the processing of personal data) and “processors” (the entity or person that processes personal data on a controller’s behalf, by collecting, storing, using, or disclosing it). The GDPR reaches your website if it targets EU customers by offering prices in Euros, is provided in languages prominent in EU countries, or talks specifically about shipping goods to Europe; if you decide why and how that customer data is used, you are the controller. You are a processor if you are, for example, a website hosting company, order fulfillment center, or payment processor for controllers. Controllers may also be processors. Controllers are ultimately responsible to the relevant “supervisory authority” in the EU for the actions of their data processors.

Data Protection Agreements

The EU does not currently trust the United States’ privacy regime. There are some specific political reasons for this, but honestly, post-Cambridge Analytica and Facebook, post-Equifax, who can really blame them? For this reason, controllers based in the EU, like an online shop in Paris selling French cheese, for example, are not allowed to transfer data to U.S.-based processors or controllers without having a special Data Protection Agreement in place. So if you host websites for European clients who have European customers, you need a Data Protection Agreement with your client. Fortunately, the European Commission has drafted these agreements for us (the “standard contractual clauses”, often called model clauses), and we have been told not to change them! (We can add obligations to them if we want to, but our clients usually balk at that idea.) There are two versions for U.S. controllers, to make things more confusing, but only one for processors. The addendum at the end requires a lot of information about why you’re going to process the information, your security measures, etc., but the good news is that all that information is going to be in your Privacy Policy anyway, so it will mostly be a cut-and-paste operation into your Data Protection Agreement.

A word here about the Privacy Shield. Since 2016 (replacing the Safe Harbor framework struck down in 2015) there has been a mechanism in place between the EU and the US to allow for the transfer of data between companies in the two regions. It is possible to self-certify under the Privacy Shield on an annual basis to take advantage of the benefits that entails. The Privacy Shield is a good complement to the GDPR, but it is neither a necessary nor a sufficient condition for compliance with the GDPR.

Privacy Policies

Your Privacy Policy is the other most important part of this. (Hence all the emails you’ve been getting this week.) Fortunately, if you have a good U.S. Privacy Policy, there aren’t a lot of changes that are going to have to be made. U.S. law is pretty threadbare when it comes to personal information that isn’t about health, money, or kids, but companies have been brought up in front of the FTC for omitting information or misleading customers about how they:

  • Collect,
  • Store,
  • Use, and
  • Disclose

customers’ information. Likewise, the GDPR requires data controllers and processors to clearly communicate to “data subjects” in the EU how their personal data is:

  • Collected,
  • Recorded,
  • Organized,
  • Structured,
  • Stored,
  • Adapted or altered,
  • Retrieved,
  • Consulted,
  • Used,
  • Disclosed or made available,
  • Aligned or combined, or
  • Erased or destroyed.

You can see the EU’s list is a little longer, but at the end of the day, most robust Privacy Policies in the U.S. should cover this anyway. So where are the differences?

  1. Be Specific. The GDPR requires more specificity about all of the actions in that list than we often see in the U.S.
  • We have to name names now (who’s holding their data).
  • We have to give more details about data security, which can and should include one or more of the following technical measures:
    • Minimising processing to that which is absolutely necessary;
    • Pseudonymising data;
    • Enabling the Data Subject to monitor the use of his or her data;
    • If you are a processor, allowing controllers to create or improve your security measures;
    • Complete transparency; and/or
    • Encrypting data.

    Depending on a particular processor’s available technical measures, certain of these measures are going to sound more attractive than others, but the point is, implement as many as you can.

    2. Impose Time Limits. Do not keep information for longer than you must, and tell the Data Subjects how long that time is. (10 days after order fulfillment for a single order before the next data purge is probably sufficient. 6 months is probably not.)
    3. Correct inaccurate information, or delete information entirely (unless you have a legal basis for keeping it), within “one month” of the Data Subject’s request. (Notice this does not say 30 days. It says “one month.”) Also, include this in your Privacy Policy.
    4. Tell them who your third party vendors (“Subprocessors”) are. This could be a one-sheet that lists that your website is hosted on GoDaddy and your email is handled through Gmail. But if any other company touches Data Subjects’ personal information through your activities, the Data Subjects have the right to know.
    5. Get Informed Consent. Before now, we generally did not require customers to “consent” to privacy policies. Moreover, even consent to Website Terms didn’t have to be informed (it’s not like anybody reads those). But now it’s up to data processors and controllers to be able to demonstrate that Data Subjects gave informed consent to how their information was being used, each and every time. This is going to require some re-programming.
      • Add your Privacy Policy to your “checkbox” before a Data Subject orders goods or services from your website, and do not pre-tick the checkbox.
      • In that checkbox, or in an email you send after they check the box and before they can place orders, add a summary of what information you’re going to collect, how it’s going to be used, how it’s going to be protected, and how they can ask you to remove or correct it.
      • Do not rely on telling them in an e-mail now that the Privacy Policy has changed and that they will be subject to it in 28 days. Lots of companies seem to be doing that, and they’re doing it wrong. That is not consent.

      If you can’t get informed consent for whatever reason, there are other bases that give a controller or processor the right to act on a Data Subject’s information:

      • If there’s an EU law or EU country law that requires it.** 
      • If you have a contract with the Data Subject to fulfill.
      • If you or a third party have a legitimate interest that is not overridden by the Data Subject’s interests or fundamental rights. (This is a balancing test, and the scales start out tipped in the Data Subject’s favor.)
      • If you are sharing the information internally in your company, including with affiliates, for internal administrative purposes. (Not so your affiliates can market separately to the Data Subjects.)
      • For network and information security purposes, such as security testing.
      • For reasons that are “compatible with the purposes for which the personal data was initially collected.” This is a nice catch-all provision, but it would be inadvisable to abuse it. Holding on to a Data Subject’s information because you are providing them with a monthly service or magazine subscription is a good example of a “compatible purpose.”

      It’s a lot, and it’s coming fast, but you can do this. And of course, we’re here to help. 
      Yes, this is going to make it harder to do business with EU-based customers.
      ** Yes, it’s very possible that this provision and the GDPR at large are going to run up against U.S. law.

Tara Aaron

Tara helps clients across multiple industries and countries with licenses and disputes involving trademarks, copyrights, domain names, software, trade secrets, and privacy compliance. She earned her Certified Information Privacy Professional (CIPP) in U.S. Privacy Law in 2018 and in European Data Protection Law in 2019. Her clients include many technology start-ups, software developers, and website designers as well as long-standing institutional clients who come to her for representation in copyright, trademark, licensing and privacy. She also assists with the purchase and sale of intellectual property assets. She has on multiple occasions successfully obtained hijacked domain names for the rightful owners, and regularly negotiates service and technology agreements with the largest telecommunications and software providers in the country.