
GDPR Fundamentals


In this course you will learn the basics of the world’s leading privacy law – the General Data Protection Regulation (GDPR). We will address key provisions of the GDPR including who it applies to and the obligations it imposes. We will address the fundamental privacy rights of individuals including the right to privacy, the right to transfer personal data, the right to be forgotten and more.


Brian Pezzillo
Attorney & Counselor
Howard & Howard Attorneys, PLLC


Brian Pezzillo - Well, good morning and, or good afternoon, wherever you might be, as we begin our discussion here today on a very interesting topic of GDPR Fundamentals. My name is Brian Pezzillo, a little bit of background about myself. I'm an attorney here in Las Vegas, Nevada. I'm going into my 26th year of practice. Part of my practice area is data privacy, it's a fascinating area and hopefully the information provided today will be useful. Back in 2018, I did something I never thought I'd do, which was go back to school and get a graduate certificate in data privacy and cybersecurity. The reason being privacy is really a dominant issue in today's legal landscape. It is something that I find really fascinating because it changes. And to say that it changes on an almost daily basis would not be an exaggeration.


So today we're gonna be talking about GDPR, which is the General Data Protection Regulation. The law was enacted, went into effect, I should say, on May 25th, 2018 in the European Union, at the time 28 nations, now down to 27 with Brexit. This is a huge piece of legislation that took about two and a half years to draft within the European Union, it is a law that is binding within the European Union on all 27 nations. And as we're gonna discuss today, it has what's called extraterritorial effect in that it will affect nations outside of just those that are in the European Union. And it is a trap for the unwary, and if you're not used to dealing with GDPR it's a landmine of potential issues.


One thing I would wanna point out kinda right at the outset is here in the United States we think of privacy, as being important and it's becoming more important. People want their privacy, or at least they arguably want their privacy. And you're seeing more and more laws created here in the United States, California, Colorado, Virginia have all enacted comprehensive privacy laws, just added to that list is Utah, which in something that's not done very often passed a piece of legislation through both houses of their legislature, unanimously establishing a Utah Privacy Act.


One of the impetuses for the changing law here in the US is in fact the GDPR. And as we'll talk about today, the GDPR is a very strong motivating factor and a blueprint followed by many nations, many states, and it continues to be the driving force behind privacy, pretty much on a worldwide basis. So understanding the GDPR is a great way to understand how other nations, how various states within the United States are addressing privacy. And if you understand GDPR in at least its fundamentals, it'll give you a real leg up in terms of complying with new and changing US laws. Like I said, to say that it's changing every day is not an overstatement. So as we go forward, we'll use this as a backdrop. Hopefully it'll be a really good background for addressing a lot of different privacy laws wherever you might be. And with that, we're just kinda jumping into it.


The first question I think that is always asked about any law, and particularly in GDPR, certainly no exception, is what is its scope? To whom does it apply? When does it apply? When basically do businesses and people have to worry about it? Well, if you look at the GDPR, look to Article 2 and this will define the scope, and you'll see that it applies to the processing of personal data that is wholly or partly processed by automated means. It will also apply to other data that is handled and processed through non-automated means if it's part of a filing system. So you kinda have to back that out and ask, well, what does that really mean? In essence, if you have data and there's any sort of automated aspect to it, there's a computer involved, there's any sort of data processing, today obviously artificial intelligence is a huge issue. People, businesses are using that all the time. If that data is used or processed in any fashion, by a computer or some sort of artificial intelligence, and it's done automatically, you fall within the GDPR. If there's absolutely no technology involved, if I'm sitting in my office right now, I have a file cabinet and I have just good old fashioned paper in there.


GDPR will still kind of govern the day there if it's part of the filing system. So I probably gave the answer away when I said I had a filing cabinet, maybe it's in my desk. Anywhere where I've got information concerning natural persons, it does not apply to corporations, and it's part of a system and I keep a filing system, it's organized, again the GDPR will apply. And that's pretty overarching, that probably kinda sounds like, well, when would it ever not apply? There is one example that came up. It was a case that arose in Germany, where it was an apartment building, individual living within the apartment building. And out here in Nevada we don't really have apartments like this, but maybe back east where you have a directory in the lobby area or maybe even outside the building, with the tenant's name on it and a button, and you ring that person's apartment to be let into the building or to see if they're there.


Same thing happened in Germany. And one of the tenants filed a complaint with the DPA, the Data Protection Authority within Germany, and said that basically the landlord was violating their privacy rights under GDPR because they were displaying their name out there in the public where anybody could see it. On the surface that sounded like, sure, that's personal information, it's being put out there, it's essentially being published, anybody could walk by and take a look at it. However, they ended up finding that that was actually one exception to GDPR and GDPR did not apply because there was no automated processing going on. It's just a name on a piece of paper by a button. And they said that that was not a filing system, it was just a label and it did not constitute a filing system. So that was one example where the GDPR did not apply.


Those sorts of exceptions are very few and far between; when in doubt the authorities within the European Union will almost always find a way to apply GDPR. Why is that? Well, one of the reasons, as we're gonna talk about in just a moment, is that privacy within the European Union is viewed as a fundamental human right. And so it has a very elevated level of importance. And that's why the GDPR was enacted, it was to strengthen privacy laws, which were already very strong under what was called the privacy directive prior to May 25th of 2018. And as a result of it being a fundamental right, it will be interpreted in a manner to protect natural persons, people. So kinda continuing on, when will the regulation not apply? I've given some examples there, if it falls outside the scope of union law, in other words, it's not within the European Union, the GDPR for instance, is not gonna apply in the United States. Although as we'll talk about under the concept of extraterritorial reach, if your company here is doing business in the European Union, you may be subject to it. Certain things that member states, the various nations, what you might expect, criminal enforcement, investigation of terrorism, defense of the nation. Those sorts of things are exempt.


One thing I will point out that might come as a shock to a lot of people, that you will not see as an exception to the GDPR's application, is public entities. We're very used to in the United States having a law and then one of the exceptions to its applicability is it does not apply to the government. The GDPR, by contrast, in the European Union, applies to both private actors and governmental actors. So the government doesn't get off scot-free here. So in instances where, there have been some examples that were given of, unless a judge is acting in their judicial capacity, the GDPR would apply to them. So if the judge is on the bench ruling on a case, GDPR does not apply. If they're back in chambers and they're doing administrative duties, such as a review of staff, they're looking over scheduling, things of that nature, GDPR does apply.


So just because they're a public entity, they do not get immunity, which is a very different approach than we have here in the United States. One of the other areas GDPR would not apply is personal or household activity, and that will be interpreted very narrowly. So for instance, there was actually a case where a woman got into trouble because she was a volunteer with a church and she was making a list of volunteers at that church. Well, that was not considered a purely personal or household activity. And by making that list, it was on a computer. So arguably it was partially automated, and it certainly would've constituted a filing system and she had shared that. Something we would never really even think about, but because she did share that amongst the different volunteers, she technically violated the GDPR. Pretty extreme, not the number one target that the enforcement authorities are gonna go against, but you can see just kinda how far the applicability of GDPR reaches. And again, things such as execution of criminal penalties, public security, things of that nature are also exemptions. So there's some common principles that we can kind of identify both with GDPR and with a lot of different laws.


So this slide here, it really has kind of broad application, certainly applies to GDPR and you'll see that it flows to other forms of legislation as well. So one of the common principles, certainly I think probably one of the biggest ones, is disclosure of information. When are you permitted to disclose information that you collected? How is that information gonna be used? Do you share it with somebody else? Do you only use it internally? Are you gonna use it for marketing purposes? Do you use it solely for purposes of fulfilling a contract? Are you gonna use it only to provide services to a specific customer, such that their information will be used vis-à-vis them but nobody else, is it gonna be sold to third parties? Consent, really, really big issue.


Here in the United States when we deal with consent, it's a voluntary act, but I think everybody would probably know that. We tend to have a default position that in situations where you are allowed to restrict somebody from using your information, we have what's called an opt out procedure. In other words, the presumption is you're okay with somebody using your information, your private data, unless you have affirmatively opted out of them using it. So many of you have probably seen on a website the prechecked box, where it says, do you give permission for us to use this information or sell it to third parties for marketing purposes? And you'll see that the box is prechecked: 'Permissible in the United States generally, absolutely prohibited in the European Union'. So here in the US you would have to unclick that box and thus opt out, or maybe you have to send an email to some contact at a company to opt out of the use of your information. By contrast, in the European Union, there has to be consent and you must affirmatively opt in and give consent for your information to be used. So it's kind of the polar opposite of what many of us are used to seeing.


Additionally, one of the other common principles is accountability for transfers of data. If nothing else after today, if there's one word that you remember, it's accountability. We have a system now in the European Union where essentially you can act and then be questioned afterwards, if there is a complaint about the manner in which you acted as violating GDPR, and then you have to be accountable for your actions. That's a change from the way that it used to be. Under the data privacy directive, you used to have to seek permission first for how you were gonna use information, get permission from a Data Protection Authority.


Then a DPA, Data Protection Authority, is the agency created in each nation that oversees privacy rights. So here in the US, again, most states don't have something that's comparable to that. It'll usually fall to an attorney general, possibly district attorneys, to look at those rights, but there are specific agencies and individuals in the European Union countries that have existed for quite some time that solely oversee privacy rights and enforcement of privacy laws. But now with GDPR, you don't have to seek permission first, you can act, but you have to be able to prove that you are accountable for any actions you take. And as we go through today, you'll see that that will mean being able to document you have consent to use somebody's data. You have consent, you gave adequate notice to transfer data, things of that nature. Another common principle is limitations on use.


This is a growing issue worldwide. Before, certainly here in the United States, we're used to it being a free for all. If I get your information, I can use it for whatever I want. Fulfilling a contract with you, selling it to a third party who's gonna use it for marketing purposes, using it for my internal marketing purposes. Maybe I'm using it to make sure that I am providing adequate customer relations and kinda using it for internal study purposes. Within the European Union that's not true. In fact, when you collect data, you can only use it for certain things. So if I collect data as part of selling you a car, well, I can use your personal data to sell you the car. I cannot use it for any other purpose without coming back to you and seeking new valid consent to use it for a different purpose. You will see that that's starting to permeate here, certainly not to the level quite yet of the European Union, but I think we're gonna go down that road more and more into the future.


Additionally, some very common issues you'll see, certainly in GDPR, in other nations that have adopted very similar GDPR rules. Access, deletion and correction. Parties have the right to access their information. They have the right to delete their information, oftentimes referred to as the right to be forgotten. And if they can see their information and they see that there is an error, they have the right to force a correction to correct that error. Data integrity is also, when we start getting into cybersecurity issues, data integrity, and keeping the data secure, keeping it usable, always available and protected. We're also looking at breach notifications here in the United States. Every single state here, all 50 states, have a breach notification law. They vary from state to state. So if you're a large company doing business in all 50 states, you suffered a data loss or data breach, you will have to comply with 50 different breach notification laws. I mean, many are very similar, but nevertheless, you've got 50 different ones. Within the European Union there's one, but it's pretty strict as we're gonna talk about.


One common thing as well, and this is a hot topic in most places, is individuals who believe that their privacy rights have been breached. What's their recourse? Do they have any, is there a private right of action? Here in the United States it's a big debate. A lot of legislation is kind of on hold because parties can't come to an agreement as to whether individual consumers should have a private right of action. Within the European Union that question has been answered and the answer is yes. There is a private right of action there. So you have to be very cautious. So kinda giving an overall GDPR overview, this is the gold standard worldwide. You will see different countries from, well, all 27 in the EU where this is a binding law on all 27 nations, to Brazil, which has adopted a very similar blueprint. Canada has something called PIPEDA. You'll see the state laws here in the United States in Virginia and Colorado being very much patterned after GDPR. This is in fact the law that people look to when they start creating their own. I mentioned before that GDPR protects a fundamental human right, that's specifically laid out in Article 1, paragraph 2 of the GDPR. Within the European Union, privacy is viewed on the same plane as, well, what we would view here as freedom of speech, freedom of religion. It's a Bill of Rights-level right within the European Union. And that's why it's treated so carefully, so intently, there's so much legislation and legal action ongoing with it, is that it is just viewed that every single human within the European Union has a fundamental right to privacy and their information to be protected. I mentioned it applies extraterritorially, or it has an extraterritorial application to it. We'll discuss that specifically.


But in short, what that means is if you're doing business within the EU, assume the GDPR applies to you. So even if you're based in another country, the US, Canada, Japan, wherever, if you are doing business within the EU, GDPR will apply. As I mentioned, it is binding on all EU member nations. There is some flexibility there, in that EU member nations can in some instances, for instance with children, adopt stricter regulations than what the GDPR requires, but the GDPR is a floor. And if you are a member of the EU, it is absolutely binding. And that's why it's called a regulation. The prior law is called a directive, 'cause it set a goal, but it allowed each nation to basically enact its own legislative solution to reach that goal. Here this regulation is in and of itself binding on every member.


Any information that is transferred across borders is subject to the GDPR and, as we're gonna discuss, has to meet one of the justifications for allowing information to be transferred. And it empowers individual rights. As I indicated, there is a private right of action and you can act, there is also a right to be represented by consumer protection groups, private groups, not necessarily a government consumer protection agency, which we might be used to. So a couple of the real threshold issues in terms of GDPR and what sort of actions it really governs. We've discussed what it governs in terms of anything, any data that is kept as part of a filing system or subject of automated processing. So what does that mean? What data is protected? Well, there's a specific definition in Article 4 and these definitions, as every lawyer knows, those definitions are critically important. Personal data, that's what's protected. So it's any information relating to an identified or an identifiable natural person, that is referred to as a data subject within the GDPR.


So if you have information that relates to somebody who can be identified or that information could be used to identify somebody, it constitutes personal data, it falls within the GDPR. And I won't read this paragraph to you here on slide number five, but you can see there that it's anything, very broad, any sort of identification numbers, any social identity, anything genetic, any biometric information, fingerprints, facial scans, all those things are becoming more and more common. If that can lead to the identification of an individual, it is personal data and subject to the GDPR. So what's actually covered? Well, processing, now you heard me use that term earlier in terms of, if data is processed in an automated fashion or it's kept in a filing system. Processing, I'll give you the kind of plain English version, it means everything. There's almost nothing you could do that would not constitute processing, because that is whether you're collecting it, whether you are organizing it, whether you're storing it. And it's just sitting at rest on a hard drive somewhere, you are processing it, even though nothing is going on. If you use it, disclose it, transfer it, any of those things are processing.


So there's really, I think you can safely say, there's nothing that you could do or not do with information that would not constitute processing within the meaning of the GDPR. So if you are a storage facility and you just house data for somebody, that housing of the data, that storage, is in fact processing. If you're otherwise subject to GDPR, you're there, even though you're not doing anything with it. Now there's two very important terms here, controller and processor. These are the people that are governed by the GDPR. The real big one here is controller. Now a controller can be anybody, either a natural person or a company. And the controller is the one who determines the means of processing the data, they choose what's gonna be processed, why it's gonna be processed and to an extent how it'll be processed. So the controller is the one in charge. They are the one deciding I'm gonna collect this data and I'm gonna use it and I'm gonna use it for X purpose. I'm gonna use it for marketing purposes. I'm gonna use it for sales purposes. I'm gonna use it to perform contracts. The controller will bear the vast majority of liability under the GDPR, they are in charge.


The second term you see here is processor. Now this is somebody who actually processes the information within the meaning of that last slide. So, I might collect data and give it to you to store. You don't decide what data is gonna be collected. You don't decide what's gonna be done with it. You're simply, maybe you're a cloud storage company, you are the processor. You are actually doing the whatever to the data, in this case, storage. You could be an internet service provider who simply transmits data that I give to you. You don't decide what data it is, you don't decide where it's gonna go, how it's gonna be treated, what it's gonna be used for, when it's gonna be deleted. That's me as the controller; you as the processor are actually manipulating the data in some fashion. The processor acts at the direction of the controller. So you can see where the controller is gonna have greater liability because basically they're the quarterback. They're gonna decide what's done, when it's done, how it's done. The processor may have, kind of on the how aspect, a little bit more freedom. They may implement cybersecurity measures, things of that nature. You need to be aware 'cause you're gonna fall under one of these two or both. There's nothing that says somebody can't be a controller and a processor together. So if I make all the determinations and in house I transmit the data or I'm storing the data in house, I'm both a controller and a processor, but these two labels are very, very important under GDPR. The final definition, and there's a lot in Article 4, I certainly encourage you to go take a look at it.


But the final one I wanna go over with today that is critically important is consent. And we're all familiar with consent. If you read this definition here, it's very similar to, I think, what we've probably seen in a lot of different circumstances. Consent is freely given, it's informed, it's an unambiguous indication of the data subject's wishes. The reason that this is so important is because consent, and kinda pulling out a couple of words there, unambiguous indication, has been interpreted as meaning you cannot have pre-checked boxes that consent to information being stored or transferred. Whereas here you have that, within the European Union somebody will need to physically check that box to give permission for the use of their data. If not, they're not giving consent. And there's this concept within the GDPR of transparency, you must be very transparent in what you're doing, how you're doing it.


You must have appropriate data privacy notices that put out the information as to what you're gonna collect, how you're gonna collect it, why you're collecting it, what you're gonna do with it. As well as a very big issue within the GDPR is when are you gonna delete it? Because you can only keep information so long as it is reasonably useful for the purpose for which it was originally collected. So you have to display all of that within a policy so that when people agree to it, they've been fully informed. If you don't, the consent oftentimes will not be deemed as being freely given. That can be a huge issue and, as we talk about later when we talk about fines, that can be several percentages of worldwide revenue. This has some very real meaning. And so it's critical when using data, you have the consent of the data subject at that time. And if you use the data for something different down the road, you seek new consent.


So kind of blanket consents oftentimes are not gonna be enforced. If you collected a person's information, their name, their address, their credit rating or something, you're selling them a car, let's say. If you collect the information for that purpose, that's not a freebie that then you can go use it for something else, marketing purposes for an unrelated project, a product, that would not be permissible. So when we talk about GDPR, we've talked a lot about kind of applicability, who it applies to. It will apply, in general now, anytime there's processing of personal data, both of those are terms of art, within an establishment of a controller or a processor in the union. Plain English: if you're doing business in the European Union, you fall in that definition, that's the easy way of looking at it. But in addition to that, it applies to personal data of subjects who are in the union by a controller or a processor, even if they're not located within the European Union, but you're offering goods and services to people there. So think about that. You're an airline based in the United States, you wanna start flying people out of the European Union. You start advertising, you start offering your services to people within the European Union.


Under the terms of GDPR, you now fall within that. Maybe you run a hotel, maybe you're trying to encourage tourism overseas. You specifically target EU citizens. You will now fall into GDPR, even though you're not located there, you don't have any businesses there. You've never done business as a brick and mortar type outfit within the European Union, but you are intentionally advertising to people. That's enough. This last bullet point on slide nine is the monitoring of behavior in the union. So if you're doing some sort of, maybe it's a marketing analysis and you're collecting data on people there, you're monitoring behavior. So you're not technically offering a service or a good, you're not located there, but monitoring the behavior, that in and of itself is gonna be enough to place you within the overall scope of GDPR. So you have to really, when I talk to clients and they mention doing anything overseas, you really have to drill down to what is actually being done and then determine whether or not that's being done within the meaning of GDPR. There are some steps some people have taken, by the way, in this regard.


There's something called geofencing. Some people will set up a website, every company has got a website, but they don't want anybody interpreting that website, which could be accessed anywhere in the world, as actually marketing to people within the European Union. They will do what's called geofencing, which is a software product that blocks anybody from a certain geographic region from accessing your website. So people will block the European Union 'cause they don't want it to be interpreted that, hey, just 'cause I'm putting out a worldwide web page, it's not really worldwide. I don't mean you people in the European Union, 'cause I don't wanna fall under GDPR. It's not perfect. Some things will still get through that geofencing, but it is one way of doing it. To also avoid a potential application or incidental application of the GDPR, some people will have popups that say, "If you are within the European Union this website is not for you. We are not offering anything to you." Something that is very plain that's out there so that nobody could ever come back later and be like, well gee, I'm a data subject within the European Union. Somebody got ahold of my information 'cause I entered it on a website, I didn't get the warnings or the notices I should have, I wanna complain about it. So it's best to take affirmative steps to make sure that you don't fall within GDPR if you don't intend to.


So I mentioned we've shifted to an accountability standard, which is a deviation from the prior process that was there under the privacy directive. What does that mean? Here's the obligations that you have if you are a controller or a processor. Processing information in a lawful, fair and transparent manner, it's Article 5 of the GDPR. So there's gotta be a lawful basis, which we're gonna talk about, to even use the information, and you have to be fair. And I think, maybe number two after lawfulness is transparent, you've really gotta state what you're doing, why you're doing it, how you're gonna do it. Lawfulness, we're gonna talk about specifically, because there's specific lawful grounds to use information and you have to fall within one of them to legally collect personal data and process it within the European Union. What are some of those? Well, consent, if somebody says I'm gonna give you the information. Yes, that's fine. Yeah, that's great. Consent is still the gold standard I think no matter where you are, just remember that consent has a very specific meaning within GDPR and it has to be knowingly given and it's gotta be affirmative. You have to have somebody affirmatively give that consent, it can't be by default.


Another basis for lawfully processing information is it's necessary for performance of a contract. If I'm selling you a vehicle, then I'm gonna need your personal information. I'm gonna need your name. I'm gonna need your address. You're gonna have to pay me somehow. So I'm probably gonna get banking information or other financial data; that would be a lawful basis to do it. Legal obligations are also a basis to lawfully process information. That's things like an employer collecting information so that they can remit taxes to the appropriate governmental entity. Vital interest of a data subject, you're kinda starting to get into the more narrow exceptions here, that might be something that if you were a data subject within the European Union, you're traveling and you get into an accident and you need medical care rendered to you. So the hospital you're at calls up your doctor in a different country and says, "Hey, I need Bob's information because he's lying in a hospital room."


There's kind of an implication that you would consent to that 'cause it's in your vital interest, potentially survival. Public interest, interestingly, this is one that got a lot more attention in the last two years, as you might guess, because of COVID. This is the sort of information where you might be able to process personal information because it deals with a pandemic. So that came up with COVID where there was, obviously, a very strong public interest in preventing the spread of a worldwide disease. This one's not gonna come up real often, but it is kind of interesting that we just had a really good example where it would apply. And then legitimate interest of a controller or a third party, that's kind of a catchall that's very fact dependent, do I have a legitimate interest in processing your information? Maybe, that might be me making sure that my business is running appropriately and I am providing the required level of services, arguably that could fall under there. So here are the big rights that are under the GDPR that everybody has. Any communications made to a data subject have to be concise, transparent, intelligible, and easily accessible.


That last one could mean that you have to translate privacy notices, for instance, into the language or languages that are very commonly spoken in an area. If you provide a privacy notice, for instance, in English and that's posted on your website that's being accessed from Italy, that's probably not gonna do it. There are some people who will understand it; many people there are bilingual and they'll speak Italian and English. However, there's a lot of people who don't. And if that's your target audience then you have to make sure that the rights, the information, the consent you're conveying to them or seeking from the consumer can be accessed very easily. Access information, I kinda mentioned this one before. Every data subject has a right to come to the controller and say, "What information do you have about me? I wanna know." And it has to be turned over. The right of rectification. If after looking at that data, the data subject says, "Yeah, this is wrong, my address is wrong, my middle initial is wrong, my age is wrong," they have the right to go back and say, "This needs to be corrected." And there is an obligation on the part of the controller to rectify and fix the incorrect information. I mentioned the right to be forgotten, the right of erasure.


This is a really big one. You're gonna see this come up in states here in the United States: California, Colorado, and Virginia. I'm actually going through Utah's brand new law right now, but I'll bet it's in there. What does that mean? It means exactly what it says. As an individual, if I were a data subject within the EU, I could write to Google, let's say I've got a Gmail account, and say, "I want you to erase all of my personal data." They would have to comply. And that means backups as well.


That can be an area you have to be careful of because that's one kind of trick that could lead to litigation, in the sense that I can see certain groups encouraging people to make a data access request. By the way, you may see those as what are called DSAR, D, S, A, R, Data Subject Access Request. Somebody will request access to the information and say, "I wanna know what you have on me." Then they turn around and say, "Okay, delete everything. I wanna be forgotten." Six months later they're gonna come back to that same company and say, "Here's my next DSAR, I wanna know what information you have." The correct answer is, none. Because we received a request for erasure. If you come back and say, well, we have your name, your address, that could actually lead to liability. And that's a concern some people have, that certain groups may try to kind of create litigation in that fashion. Restriction of processing.


So you have the right there to restrict the purpose the information is being processed for to a particular purpose. And if it's gonna be used for something outside of that, you have to get new consent. Data portability. That means that if I make a request you have to send my data either to me or to somebody else. So for instance, if I have a Yahoo account but I wanna switch to Gmail, I can make a request to Yahoo that says, "Please port my data from Yahoo to Gmail." And they would have to do that.


Right to object to automatic, I'm sorry, automated decision-making. In other words, you have the right to say, I don't want a computer making all the decisions about me. This is a restriction on artificial intelligence. You have the right to have a live real person involved. Data transfers are a huge issue right now. GDPR allows for data transfers under kind of two scenarios. One, the European Union, the European Commission, will evaluate the laws of a nation outside of the European Union and determine whether those laws adequately meet the goals of GDPR. If so, they'll issue what's called an adequacy decision. By way of example, Japan has an adequacy decision. This means that data can be transferred from outside, I'm sorry, from inside the EU to Japan, because Japan's laws are deemed to be strong and essentially kind of equivalent to the GDPR. The United States, by way of example, does not have an adequacy determination. So you can't use that as a basis to transfer data. So then you have to try and find another reason, and there's a few: if you use standard contractual clauses that are published by the government within the EU, binding corporate rules that are approved, legal and binding instruments between public authorities or bodies, not one that's gonna come up real often, but could, if you're talking about governments transferring information back and forth.


Or there's some other approved mechanism under article 42 of the GDPR that shows a binding and enforceable commitment of the controller. What that would mean is basically, let's say it's a company; it would have to adopt the GDPR and agree: I will be bound by all of the rights and regulations within here and I will afford all of the rights provided by the GDPR to the data subjects, even though the country I'm in does not require me to do that and I'm otherwise not obligated to. Two that are gonna get used the most are gonna be the standard contractual clauses and the binding corporate rules. Why is that? We used to have something that was called the EU-US Privacy Shield. It was an agreement between the US government and the EU that created a mechanism where we would offer adequate protections for information transferred from the EU here. The problem with that is it got invalidated, by a guy named Max Schrems, who is a huge data privacy consumer rights individual within the EU. And what ended up happening is, a couple of years ago, in July of 2020, the European Union Court of Justice, the EUCJ, struck it down.


I'll give you the very short version of what happened. Long story short, information was being transferred pursuant to the Privacy Shield from the EU to the US. It got challenged because here we have FISA and we have FISA warrants, and the law within the United States says that certain companies are subject to secret subpoenas that the government can have issued and data can be seized. That's not permissible under GDPR. Therefore Max Schrems challenged that law and said, since GDPR's requirements were not being met, the Privacy Shield should be stricken and ruled to be of no effect. He won. And that has caused a huge headache from that day to now, because there's no foolproof way to transfer data from the European Union to the United States. And one kind of very picky thing I'll point out: I'm talking about transferring data from the European Union. If you actually look at GDPR, what it will say is the European Economic Area. So it actually includes the European Union plus a few countries that are not part of the EU, but are part of the EEA. Doesn't come up real often but I do wanna mention that.


So this was a quote here on slide 15 that came out from the US with regards to the invalidation of the Privacy Shield. The big thing out of here I wanna point out is that, even though the Privacy Shield was struck down, it did not really relieve participants of their obligations under it from the US perspective. So you could still get in trouble. So I mentioned standard contractual clauses as playing a huge role, and they do. There were some standard contractual clauses that dated back to the early 2000s. Those have just recently been replaced. If you're using the standard contractual clauses, the EUCJ, European Union Court of Justice, has said that is a valid reason; even with the Privacy Shield struck down, this provides a lawful basis to transfer data. You're gonna see in just a moment, on the next slide I've given you the hyperlink to be able to look these documents up yourself. Couple of things to note: they're plug and play. They do provide a good basis. I personally think Max Schrems and others like him could still challenge it and say, okay, these standard contractual clauses are great, but the real issue they had with the US was actions taken by the US government. Guess who's not a party to any of these standard contractual clauses? The US government. So it's not binding on them. So I personally think that any transfers are still a little bit subject to attack, which is why I say there's no foolproof way right now. But these forms can be customized and they have optional provisions in them. When you see them, they're very long, but they're also very useful. You cannot change them though.


So when I say that they can be customized, they have options within there that you can pick within the documents themselves. Don't get creative and start adding or subtracting language or they're no longer standard. If you were operating under the old standard contractual clauses, then those were repealed as of September 27th, 2021. If you'd already entered into an agreement under it, you're still valid until the end of this year, but then you gotta switch over to the new forms. If you go to that website you'll find those new forms and they're definitely worth taking a look at. So again, data transfer analysis still has to be done with the standard contractual clauses. Are there gonna be any others? Look at other things. Are there other contractual mechanisms that can be used, like binding corporate rules, organizational safeguards, technical safeguards, cybersecurity? That's kind of what we're talking about here.


The EDPB that you see listed there, that's the European Data Protection Board. They are essentially in charge of enforcing the GDPR. And there's a six-step process that has to be gone through in order to be able to transfer data. And that's mapping the transfers. Data mapping is very important under GDPR. That is, where is the data now and where does it go? Verify the transfer tool. How is it mechanically transferred? Does somebody walk a file across international lines, or is it by computer? Look at how it's actually being done. You have to do an independent assessment when it's being transferred to a new country, a country outside of the EU or EEA. You have to do an assessment of that third party's law. And is it such that using the standard contractual clauses is sufficient protection? That's where I think in the US the answer is probably no. That's just my opinion and there would be others who would probably disagree with me. But here, if you said I have standard contractual clauses, I've received data, I will abide by it, but the government says, well, that's great, but I had a FISA warrant issued, they've already seized the data.


What protection is really offered the data subject in the European Union? The answer is none, because the US government is not bound by my standard contractual clause. And I'm using the US as an example, obviously, but realize this affects all countries. There are a lot of countries that have very, very tight surveillance laws. Certainly we're one, China's one, Russia we could probably have a long conversation on right now. Turkey has very robust laws. Israel has very robust laws with regard to being able to seize data and monitor incoming and outgoing data. Identify and see if there's any supplementary measures that you can do in addition to the standard contractual clause that might offer additional protections to the data subject. Take formal steps that would be required if you do identify any supplemental measures. And then this is not an engage in it and forget it type of scenario. You have to come back at regular intervals and make sure that whatever steps you're taking still meet GDPR requirements on a going forward basis.


So shifting gears real quick here, we've got about 10 minutes or so left. And let me just tell you, it may feel like we're rushing, and by the way we are. I think I mentioned at the top of the hour, GDPR, it took two and a half years to draft this. It was a very big piece of legislation within the European Union. And we could literally probably spend weeks in seminars talking about all the enforcement actions that have been taken and interpreting things and all the unknowns that are still out there. So hopefully what we're doing, though, is giving you at least kind of the 60,000 foot view of GDPR and making you aware of the issues to educate yourself on more, because there are a lot, and they're constantly changing; it's a day by day endeavor. So shifting gears and talking about security and breaches.


Article 32 of the GDPR says both controllers and processors are required to implement appropriate technical and organizational measures. That's your cybersecurity. That's having rules within your organization as to who can access data, under what circumstances, how is it stored, how is it going to be encrypted, is it gonna be anonymized, things of that nature that will protect the data. It's often been said that it's not a matter of if you get breached but when. So you wanna certainly do everything you can under GDPR to have tight security so no breach ever occurs. But if one does, that it doesn't affect the data, hopefully. And so this article 32 basically says, it's almost like a reasonableness standard that we're probably all very familiar with. Take a look at the facts and circumstances. What data do you have? How sensitive is it? And what do you need to do to adequately protect that data? So there are some suggestions with regard to security actions that can and should be evaluated under GDPR. That includes pseudonymization and encryption of personal data. Encryption, I would highly, highly recommend to any client that if they have data at rest on their servers they encrypt it, such that if there is a data breach it won't be useful to anybody. Now, pseudonymization, just so you know, there's anonymization and pseudonymization.


So that you understand the difference. If I anonymize data, that means I take data and I scrub all the personal information out of it, such that nobody could look at that data and then identify an individual. If I pseudonymize data, that means I kinda have two data sets. I've scrubbed data off of it, but somewhere I still have other data stored, such that if you put the two data sets together you'd be able to identify somebody. Anonymization helps in the event of a data breach. Pseudonymization is not quite as good because theoretically somebody could still get to personal data. You have a duty to maintain confidentiality, integrity, availability, and resilience. You'll often see that listed as CIAR. If you ever see those letters together, that's what it's referring to. Data remains confidential.
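The anonymization versus pseudonymization distinction above, as an added Python example that is not part of the lecture: the pseudonymized working set keeps only a random token, the re-identification table is the separate second data set, and the anonymized set drops identifiers, coarsens age and suppresses any group smaller than k. The records, field names and k value are constructed for illustration.

```python
"""Anonymization vs pseudonymization with a separate re-identification table.

Added example, not the lecture's material; all records are constructed.
"""
import secrets
from collections import Counter

# Constructed sample records (fictional data subjects).
RECORDS = [
    {"name": "Alice Rossi", "email": "alice@example.com", "age": 34, "city": "Milan", "orders": 3},
    {"name": "Bruno Conti", "email": "bruno@example.com", "age": 37, "city": "Milan", "orders": 1},
    {"name": "Chiara Neri", "email": "chiara@example.com", "age": 52, "city": "Turin", "orders": 7},
    {"name": "Dario Bianchi", "email": "dario@example.com", "age": 58, "city": "Turin", "orders": 2},
]

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(records):
    """Replace direct identifiers with a random token.

    Returns (working_set, lookup_table). The lookup table is the "other data
    set" the lecture describes: whoever holds both sets can re-identify the
    subject, so it must be stored and access-controlled separately from the
    working set, and it counts as personal data in a breach.
    """
    working_set, lookup_table = [], {}
    for rec in records:
        token = secrets.token_hex(8)
        lookup_table[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working_set.append({"subject": token, **rest})
    return working_set, lookup_table


def reidentify(pseudo_record, lookup_table):
    """Join the two sets back together; None once the link has been removed."""
    return lookup_table.get(pseudo_record["subject"])


def erase_subject(working_set, lookup_table, email):
    """Erasure request against a pseudonymized store.

    Removes both the link and the working record, so a later access request
    for this person is correctly answered with "none". Returns True if found.
    """
    tokens = [t for t, ident in lookup_table.items() if ident["email"] == email]
    if not tokens:
        return False
    for token in tokens:
        del lookup_table[token]
    working_set[:] = [r for r in working_set if r["subject"] not in tokens]
    return True


def anonymize(records, k=2):
    """Strip direct identifiers, coarsen quasi-identifiers, keep no table.

    Age is reduced to a decade band and any (age_band, city) group smaller
    than k is suppressed so no row stands alone. Nothing is retained that
    would let even the controller link a row back to a person.
    """
    rows = [
        {"age_band": f"{rec['age'] // 10 * 10}s", "city": rec["city"], "orders": rec["orders"]}
        for rec in records
    ]
    groups = Counter((r["age_band"], r["city"]) for r in rows)
    return [r for r in rows if groups[(r["age_band"], r["city"])] >= k]


def min_group_size(rows, quasi=("age_band", "city")):
    """k-anonymity check: size of the smallest quasi-identifier group (0 if empty)."""
    groups = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(groups.values()) if groups else 0
```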


The integrity of the data is kept, it's safe, it's secured, it is available. So what I mean by that is, what if you have a ransomware situation? You should have the ability to then basically say, great, you've locked my account with this ransomware, I'm shutting it down, but all the data is still available 'cause I have it backed up to six other places remotely somewhere else. And then resilience. If there is a data breach, being able to get back up and running and restore data from appropriate backups. Being able to timely address any sort of physical or technical incidents is very important. A lot of times that'll be called disaster recovery plans, DRPs; every company should have one of those. And then testing, whether that's pen testing, which is penetration testing, where you actually have somebody, a company, try to kind of hack your system. If they get in, then you identify the weak spots and you fix them. You can also do things like tabletop testing, where you go through a mock breach. And then what would you do? Where's my emergency list of phone numbers? Who would I contact? What steps would we take in the event of a suspected data breach? Oftentimes that's just referred to as a data incident. And then if you find out that the information actually has been accessed, then it turns into a breach. Data breach standards. What is a personal data breach? I wanna point out one really important definition here within GDPR, I'm sorry, not definition but word within this definition.


The third line down, a personal data breach includes unauthorized access to data. It doesn't have to be stolen. It doesn't have to be compromised. The mere access to data that is unauthorized is a personal data breach. That is very different than what you see in most US laws, which actually require the exposure of information that could lead to fraud or identity theft. That is not the case; it is much broader within the EU. You could actually read that in a very broad fashion and argue, you know what, if an unauthorized employee accessed the data, that's a data breach. You'd probably be right. So you really have to be cautious there 'cause we're not just talking about ransomware, we're not just talking about somebody stealing the data, somebody blocking the transmission, anything like that; just the mere access to the information is enough. Very, very broad.


One of the other huge differences between the US and the EU is data breach notification. I mentioned earlier within the US we have 50 different states. We have 50 different breach notification laws. There's a single data breach notification law under the GDPR. If there's a personal data breach, data controllers, and remember I said the controller is the one who's gonna have most of the liability, must notify the supervisory authority. And I've been calling that the DPA, the data protection authority; sometimes they're called supervisory authorities. Whatever country is appropriate. So if you're doing business in the EU, wherever your headquarters is, for instance, you need to notify that supervisory authority that there's been a data breach. That's the duty of the controller. If the processor becomes aware of a data breach they have to notify the controller right away.


One of the big differences between the EU and the US: timing. Notice has to be provided within 72 hours of becoming aware of the data breach. Within the United States the shortest time period I'm aware of in terms of giving data breach notification is 30 days. So you have to act very, very quickly in the EU. One of the reasons that monitoring is so very important: because if you're outside that 72-hour window, you'd better have a really good justification for not reporting. And stating that, oh, I don't have adequate technical monitoring in place, is not gonna be deemed to be a good justification.


A notification to the authority has to describe the following things: the general nature of the data breach, the data protection officer's contact information. Some companies are required to have a DPO, a data protection officer, and that's gonna be the contact person for the enforcement authorities. You have to be able to describe the likely consequences of the data breach. Now hopefully, the answer to that question would be, there's likely no consequences, because all of the data was anonymized and it was encrypted. So if anybody even gets it, it's gonna be absolutely worthless. There's your best answer. But if you had unencrypted data that had a lot of financial information, you're gonna have to reveal, yeah, this could be a huge issue with regards to the theft of money as well as identity theft. And describe, as the controller, what you're gonna do to fix the breach, mitigate those issues. Now in addition to giving notice to the supervisory authorities, you may have to give notice to the very people, the data subjects, whose information is subject of the data breach, but only if it's likely to result in a high risk to the rights and freedoms of those individuals.


So in the instance where the data is encrypted and/or anonymized, you may not have to give any notice to data subjects, because there's no risk to the rights or freedoms. You still have to report to the DPA, but maybe not necessarily to those individuals. With regard to data breach notifications, there are some other exceptions, such as the controller having implemented appropriate technical and organizational protection measures that render the data unintelligible; I'll let you read the rest of it. What does that mean? It was anonymized and encrypted. If it's encrypted and, this is a big "and", the breach did not result in the key to the encryption being taken, then there's no way to unlock the encryption and you would be safe. If there's very low likelihood of rights or freedoms being affected, that's also, as we just discussed, an exception to breach notifications, or if it would be disproportionate. So if there's very low danger of somebody's rights being affected, but it would be a huge expense to contact everybody whose information might have been affected, that is also an exception, but I would not count on that one.


So again, I mentioned, if the data processor experiences a data breach it's gotta notify the controller, but otherwise, you know, that's their duty under GDPR. Private rights of action. Max Schrems, he's still out there, he's filing lots of lawsuits. Just wanna point out, that's a big issue here in the US; we don't allow for private rights of action very often. Oftentimes it's gonna be the attorneys general in states. Under articles 79 and 82 of the GDPR, private rights of action are permitted. If you're interested in following Max Schrems, that's his website, by the way, noyb, if you're curious, none of your business. And I don't mean it's none of your business, that's what noyb stands for. That's his website and he monitors laws. What are the consequences of violating the provisions of GDPR? Well, they're big. Now, there's aggravating and mitigating circumstances.


Here are the mitigating ones. Basically you've done everything we've talked about today. You've adequately protected information. You've minimized the use of sensitive categories of data. You take appropriate mitigating steps in the event of a breach. If you don't do any of those, they automatically become aggravating issues. So use this list both ways. And we're in our last minute here, so I'm gonna wrap up. But the danger that you face under GDPR is that there are two tiers of fines, a higher tier and a lower tier. The higher tier is 20 million euros or 4% of worldwide turnover.


Now, in the US what we would call that is 4% of your gross revenue worldwide; that's huge. You hit Facebook with a 20 million fine, or in this case a 20 million euro fine, not a big deal, they'll make that up before the end of the day. 4% of their worldwide revenue, that's gonna hurt. The lower tier is 2% of worldwide turnover or revenue or 10 million euros, whichever is higher. How do you know which one you fall under? The higher tier is gonna result if it's a violation of basic principles, such as consent, or one of those data subject rights that we talked about, or a violation of transfer provisions. Those are gonna be the real big ones. And if you happen to be under any sort of an order, a compliance order from a DPA or anybody else, if you violate that, that's gonna result in a higher fine. The lower fine, that's more things like not getting a child's consent like you should have, not timely notifying the supervisory authority, maybe there's no real harm and you were just late, notifications in the event of a data breach to individuals, or failing to designate a DPO if that's what you needed to have.

So with that, I know I've run over by a couple of minutes and I apologize for that. My information is on the initial screen. If you have any questions at all, or just wanna talk about anything we've discussed here today, please feel free to reach out anytime. I'll leave you just with a thought: GDPR, we've really only scratched the surface here today, but diligence is the key word to have. The interpretation of the GDPR is still evolving. So it's really important that you stay on top of this. And with that, I hope you have a great day.

Course details

On demand
1h 2m 56s