On May 25, 2018, the new European Union General Data Protection Regulation (GDPR) takes effect. The stated purpose of the regulation, which has the force of law in the EU, is to protect the personal data of “natural persons,” meaning humans as opposed to legal entities such as corporations.
The real difficulties arise because the rules, intended to create uniform rights in all EU member countries, apply to data subjects in the EU regardless of their nationality or residence, and to all of their covered data regardless of where it is processed and whether the processing is automated or manual. Despite that goal of uniformity, the regime created by the GDPR allows individual EU states to adopt separate rules in some circumstances.
Individuals have the right to access their data, to demand correction of factual errors and to have their data deleted. They also have a right to data portability: to receive their personal data in a machine-readable form and have it transmitted on demand to another provider, for example from one social platform to another.
There is an exemption from the record-keeping rules for firms with fewer than 250 employees, and the member states are encouraged to “take account of the specific needs of micro, small and medium-sized enterprises” when applying the GDPR. The exemption is, however, subject to multiple exceptions, and where it does apply it appears to largely undermine the core principles of the GDPR. The rules also state that “files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.” Many other subparts of the regulation have their own exceptions and limitations and are generally overridden by the data subject’s consent. Overall, then, it is impossible to be certain of the circumstances under which the GDPR will apply to a specific small business in the U.S.
The GDPR also contains a provision allowing data collection when in the firm’s “legitimate interest,” a term with unclear boundaries. Hopefully, the application of the “legitimate interest” concept will be elaborated in the near future.
The potential penalties for violation of the GDPR are life-threatening to many businesses; the upper limit is 4 percent of a company’s worldwide annual turnover or €20 million, whichever is larger.
The GDPR creates many issues. I will identify some of the key ones here but cannot, in the context of an article like this, attempt to address them all.
Enforceable if not physically present in the EU?
One central question is to what extent the courts in the U.S. will enforce EU regulations where the claimed violation relates to conduct by a U.S.-resident person who was never physically present in the EU when processing the personal data of an EU resident in the course of a transaction. The outcome may differ depending on whether the U.S.-based person overtly offered her services in the EU or whether the EU person merely reached out to the U.S. person for assistance.
The GDPR addresses this issue to some extent but is neither conclusive nor especially helpful. One of the tests for the application of the rules is whether the controller or processor is “offering … services to data subjects who are in the Union.” To decide whether services are being “offered,” the GDPR says it must be “apparent” that the controller “envisages offering” such services. Merely having a website accessible in the EU, or a generally accessible email address, is not sufficient. However, “use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
What about monitoring behavior online?
If that were not bad enough, the GDPR says that if personal data is used to “monitor the behaviour” of data subjects in the EU, then the entity doing the monitoring is covered by the regulation. Monitoring includes whether data subjects are “tracked on the Internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” [emphasis added]
Taken at face value, that provision seems to cover the airlines’ use of the New Distribution Capability (NDC) to make “personalized individualized offers” to consumers. The processing of the data involved will primarily lie with the airlines and perhaps the global distribution systems (GDSs) or other data intermediaries, but it may also involve travel agencies that pass such offers to customers and process or store data arising from those transactions.
The issue of consent
Finally, for the limited purposes of this article, there is the matter of “consent” by the data subject to the processing of her personal data. The GDPR provides that:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an Internet website … or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.” [emphasis added]
Even though one of the apparent purposes of the GDPR is to eliminate the long, legalese-laden Terms & Conditions that everyone “accepts” without reading or understanding, the vague language and lengthy requirements seem certain to produce the opposite result.
The GDPR goes further:
“Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. 
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.”
There is much more, but I will not belabor it further. The GDPR seems inevitably destined to yield more rather than less verbiage in Terms & Conditions that few, if any, customers will actually read. The rules may nonetheless become a trap for the unwary, as individuals or groups focused on privacy monitor firms’ GDPR compliance.
Worth doing business with EU residents?
Every travel agency must decide for itself whether the rules are so costly to implement that the agency is better off declining to do business with travelers who reside in the EU. It seems unlikely that the EU would aggressively enforce against a small agency in the U.S. that was not itself overtly soliciting business in the EU, but the possibility of “demonstration cases” always exists, if only to make the point that the EU takes the GDPR seriously. The risk of becoming an enforcement target is small, but probably not zero. Larger agencies with active sales in the EU are at much greater risk.
Here are several websites with useful outlines of some of the GDPR requirements: EUGDPR Academy; Business.com; Digital Guardian; EU Website. For those who want to read the actual 261 pages of the GDPR, you can find it here. Finally, for those who want to further investigate the roots of all this, the EU Directive of 2000 is here.