Why and how GDPR applies to companies globally

Depiction of an earth globe with data around

The European Union's new data privacy law (General Data Protection Regulation, better known as GDPR) takes effect today May 25th, 2018, after a two-year transition period. Despite some companies appearing to believe otherwise, and many articles misrepresenting its contents, the GDPR will have a significative impact beyond the European Union, and it will extend many of its data privacy safeguards to users’ data globally.

There are a number of reasons that explain this impact:

  • Obligations for data controllers: Companies based both within the EU and targeting people in the EU will be included within GDPR’s scope;
  • Rights for data subjects: Individuals whose data is being processed by these companies will have new and improved rights, in many cases including those located outside the EU; 
  • Impact on cross-border data flows: There are strict requirements for data transfers outside the EU, which require additional safeguards. For example, one safeguard allows the European Commission to decide if a country has an 'adequate' level of data privacy protection in order to transfer data to that country. And the adequacy bar from now on, will be the GDPR.
  • Global influence: The GDPR will also be, at least for now, one of the higher (if not the highest) available comprehensive standards on data protection around the world. When other countries adopt or reform their data protection frameworks, the GDPR will be an undeniable point of reference.

Extraterritorial scope: not only inside the EU

We will go a bit deeper on this first reason: That companies based both within the EU and those who target people in the EU are included within GDPR’s scope, and thus subject to its obligations, and if they fail to comply its sanctions.

The GDPR is extraterritorial in its scope, which means that there are circumstances in which it can apply to any company in the world. It applies to those who offer goods and services to individuals in the EU (irrespective of whether the individuals have to pay) and/or monitoring the behaviour of individuals in the EU, including online tracking.

At a minimum, companies that are operating both in and outside of the EU will have to adapt their practices for all personal data processing that falls under the GDPR (data processing basically means doing anything with data, including collecting, storing, using, altering, generating, disclosing, and destroying).

This raises some very interesting and important questions as to whether companies are going to raise their data privacy standards for everyone, or if they will make the explicit decision to implement a dual standard, where for example, consumers outside the EU are provided fewer data privacy protections.

Many companies have yet to take a clear position, and some are actively trying to bring users’ data outside EU protection.

In addition, companies are already obliged to comply with national data protection laws, depending on where they are based. However, if those companies also have EU operations or are targeting those in the EU they will also need to comply with GDPR.

This is why you likely have been receiving a slew of email about “Opt-in to keeing in touch”, “re-consent”, or “privacy changes”. In short, the reason why everybody is getting so many emails and notifications is because those companies are updating their privacy notices and/or consider that they don’t already have valid consent under GDPR.

People outside the European Union may also be getting these emails and notifications, because the company has operations in the EU and is therefore subject to GDPR. If the company is based outside the EU, they may have taken the decision to update all users and not just those in the EU.

GDPR does not prevent all processing of personal data. Rather, it sets out rules and conditions that must be followed when personal data is processed. If a company is doing anything with personal data, one condition of the GDPR is that the company must have a legal basis to do it.

The need to have a legal justification to process data

GDPR provides for six such legal bases, one of which is consent. It also raises the bar for valid consent. If a company plans to rely on consent, it must be freely given, specific, informed and unambiguous through an affirmative action (no pre-ticked boxes, a practice way too common in many apps and services). Individuals must also be able to withdraw consent at any time. Where there is a power imbalance between parties (such as an employer/ employee) consent may be invalid.

There are other conditions, too, all of which require to think about the necessity of the activity, i.e., is it possible to achieve the same goal in a way that interferes less with the individual’s rights?

The two most relevant legal basis in a commercial context are likely to be where the processing is necessary for the performance of contract and where the processing is necessary for the purposes of the legitimate interests of the party in control of the data (or even a third party).

An example of where processing is necessary for the performance of a contract is when an individual buys a product online, a company will need to process their address in order to deliver it to them. This does not mean they can use it for other purposes.

Processing on the basis of legitimate interest is harder to explain and often less clear, which has meant that in certain circumstances it has been open to abuse. However, if a company is going to rely on it a company must explain to individuals how they are going to use their data, specify what their legitimate interest is in using the data in that way and ensure that doing so doesn’t cause any prejudice to the fundamental rights of the individual.

If somebody is dealing with data that reveals sensitive personal data (such as that revealing ethnicity, political opinions, religion, biometrics, health, sex life), there are even stricter conditions. If relying on consent, it must be explicit, and it’s not possible for companies to rely on the contract or legitimate interest condition.

The long road ahead: enforcement and future

It still remains to be seen how the GDPR will be implemented, enforced and sanctioned after the 25th of May. How will the provisions be interpreted? What the targeting criteria will be? How will sanctions be imposed? What will happen in terms of enforcement, when a company is based out of the EU? Answers to these questions will be forthcoming.

What it is clear is that a new era for data information privacy is coming. And this is not limited to the implementation of the GDPR. Several countries are either implementing or reforming their own data protection laws and regulations.

And at a global level, frameworks like the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, or binding treaties such as the Convention 108 (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe) are also setting higher standards, in some ways similar to those contained in the GDPR.

In sum, this means that data controllers (companies, even governments) will have to step up their protection of personal data rights, by protecting data by design and default, giving individuals more control over their information, stepping up their digital security measures, and complying with new obligations that will ultimately help levelling the huge power imbalance between companies and users and protect people’s right to privacy. For now, this is more an aspiration than a fact, but the current developments are clearly steps in the right direction.