Although the EU General Data Protection Regulation comes into force in May 2018, European regulators are still producing guidance and member states are still adopting legislation to accommodate national differences. Put simply, it is unclear how to prepare for the GDPR in relation to some issues. For other issues, however, companies can confidently act now and will benefit from doing so.
Privacy statements are a great example. You can update your company’s privacy statement now to meet the GDPR’s “say what you do” requirements and in the process identify operational updates necessary to meet the GDPR’s “do what you say” demand. This article aims to help in updating your privacy statement for GDPR compliance now.
General Drafting Tips
A few general issues are worth considering when drafting a privacy statement for GDPR compliance. First, be aware of terminology that might send consumers and regulators a message of indifference or ignorance. U.S.-based companies may wish to avoid the term “personally identifiable information” or “PII” in favor of the European term “personal data,” particularly as the scope of the latter is broader than the former.
Second, your drafting efforts may benefit from keeping a hypothetical “reasonable person” top-of-mind. According to guidance from the U.K.’s Information Commissioner’s Office, you should proactively convey information on anything you do with personal data that an individual would not reasonably expect. Although the ICO does not speak on behalf of all the member states represented in the Article 29 Data Protection Working Party (“AP 29”), the ICO’s guidance is likely to help predict the opinions of other European regulators.
Third, do not forget that your privacy statement is a legal document. It relays required information and creates legal obligations that can trigger liability. As such, it must strike a balance between the level of detail required by the law and the risks inherent in excessive factual detail, such as inaccuracies or becoming quickly obsolete.
Finally, although this article separates out the EU-only privacy statement requirements from those that match up with common U.S. requirements, your privacy statement should not necessarily contain such a separation. Nor should you necessarily have one privacy statement for all jurisdictions in which you operate. Whether you draft several jurisdiction-specific privacy statements, or a one-size-fits all statement, you should use plain language and group topics in a common sense fashion.
The GDPR and the U.S.: Where the Requirements Match Up
The detailed content of a U.S.-focused privacy statement depends on state and sectorial data protection laws. Regardless of which of those U.S. laws your company is subject to, the GDPR will require your privacy statement to answer all of the following questions, generally answered in U.S.-focused privacy statements too:
Who Is the Data Controller?
A privacy statement must give the name and contact details for the entity or entities that have the ultimate say or control over the data (the data controllers) and provide contact information for your European representative if you are not established in the EU. It should also list the names of all the websites to which the privacy statement applies and provide contact information for your data protection officer (DPO), if applicable.
A Known Unknown: The European Representative
If captured by the GDPR’s extraterritorial reach, your company must designate a European representative to serve as a contact point for EU regulators and consumers. The representative must be a natural or legal person established in a country where one of your European data subjects resides. Your representative must have access to your company’s GDPR compliance records. Should your company fail to comply with the GDPR, your European representative may also be subject to enforcement proceedings. It is currently unclear who will offer to act as a European representative as a service to foreign companies and, given the potential liability, at what cost. Non-European companies newly subject to the GDPR would certainly be grateful for guidance on this practical matter.
What Data Do You Collect?
A privacy statement should disclose the personal data or categories of personal data you collect or obtain. For example, it should identify passively collected internet protocol addresses, device identifiers or geolocation information related to a particular mobile device. It should also identify special categories of personal data including “sensitive personal data.” Remember that the GDPR expanded the definition of sensitive personal data to include “genetic data” and “biometric data.”
How Did You Get the Data?
The origin of some data will be obvious, like when submitted directly from an individual using a web form. If the data was obtained indirectly, the privacy statement should specify all third-party sources of the data. Try to be specific but at a minimum list the categories of sources: social networks, public sources, other partners. Take extra care to disclose receipt of data from data brokers such as third-party analytics services.
What Will You Do With the Data (the Purpose)?
The privacy statement must tell the data subjects what you will do with their personal data. Describe the categories or types of uses and provide examples such as, we anonymize and sell or rent your data to third parties, or we use your data for direct marketing and advertising.
Are You Sharing the Data With Third Parties?
A privacy statement should tell individuals about nonaffiliated third parties with whom you might share their personal data. For GDPR purposes, err on the side of overinclusion. Are you transferring data in an HTTP referral header? Do you allow third parties such as advertising networks, analytics services or content providers to track data subjects’ activities? Do you have commercial relationships that require the sharing of personal data with social networks, accountants, auditors, law firms, payment processors, information technology support providers, or customer service vendors? To future-proof your privacy statement, specify that a merger, acquisition, divestiture, or similar transaction could trigger personal data sharing. And don’t forget the ever-present possibility that law enforcement could compel disclosure!
Do You Serve Cookies or Use the Data for Behavioral Advertising?
Do You Keep the Data Secure?
The GDPR requires companies to state that they implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” The appropriate level is a factor of technological reality, cost, the scope, context and purposes of processing weighted against the severity and likelihood that the processing could threaten individual rights and freedoms. Disclosure of the analysis is not required, only a high-level statement about the conclusion: that appropriate technical and organizational measures ensure the data’s security in relationship to risk.
Do You Use the Data to Make Automated Decisions or to Profile Individuals?
A privacy statement must disclose a company’s use of personal data to make automated decisions, such as credit scoring or employment decisions, or to build individual profiles. If your company conducts such activity, it must describe what it does, explain its logic for doing so, and set out the significance and anticipated consequences for the data subject. On first glance, this requirement may appear benign, but a recent discussion paper released by the ICO shows that regulators are keen to ensure EU citizens are informed of such practices.
Do You Tell Individuals About Their Rights and Make Those Rights Actionable?
Some sectoral U.S. legislation requires companies to notify individuals about their rights in relation to their personal data and enable individuals to correct inaccuracies. For example, the Fair Credit Reporting Act requires companies to inform consumers of their right to a free copy of a consumer report. When applicable, a privacy statement should notify individuals of those rights and provide a mechanism to help the consumer invoke his or her rights. Note that the privacy rights of individuals are the raison d’être for the GDPR. Under EU law, individuals have the right to access their personal data. The GDPR expands upon this by creating several additional rights that must be described in your privacy statement and are discussed in detail below.
European Requirements: GDPR-Specific Requirements
In addition to the above elements, the GDPR imposes requirements not clearly echoed in other jurisdictions. Those requirements require a privacy statement to answer the following EU-specific questions:
What Is Your Legal Basis for Collecting the Data?
As a general rule, the European Union prohibits the collection and use of personal data other than in limited circumstances. Thus it is critical that your privacy statement explain to consumers and regulators why your company’s data collection practices are not unlawful, i.e., provide a legal basis for the collection. The GDPR provides six possibilities:
- “Legitimate interest”;
- Out of necessity for the performance of a contract to which the data subject is a party;
- Legal compliance (with another law);
- Protecting the vital interests of a person; and
- Public interest.
Note that regulators will likely expect a privacy statement to reflect the different ways you process data and identify the legal basis that justifies each use.
Consent as Legal Basis
Before specifying consent as the legal basis for your processing, consider double-checking to ensure the validity of your consent practices. If you are relying on consent obtained pre-GDPR, the U.K.’s Information Commissioner’s Office indicates that fresh GDPR consent is unnecessary so long as the “old” consent complies with the requirements of the GDPR. If the organization cannot demonstrate that it has obtained GDPR compliant consent, then fresh consent will be required. Obtaining fresh consent may be much easier said than done.
In March 2017 the ICO issued draft guidance on what GDPR consent looks like. The ICO is waiting to publish its final guidance until after Europe-wide consent guidelines have been agreed upon, which is currently estimated to be December 2017 (see blog post). For companies that understandably do not want to wait until then, Information Commissioner Elizabeth Denham describes the draft guidance on consent as “a good place to start right now.” She considers it unlikely that the guidance will change significantly in its final form. Page 38 of the draft guidance provides a checklist on asking for consent.
Legitimate Interest as Legal Basis
If your company collects personal data on the basis of a legitimate interest of your organization, then your privacy statement must describe that legitimate interest and provide an analysis of its compatibility with the data subjects’ fundamental rights to privacy and confidentiality.
What Happens If a Data Subject Does Not Provide the Data?
Your privacy statement must state whether providing data is mandatory and provide possible consequences of not providing data. This requirement is not new with the GDPR. Current European rules include this requirement, and it is typically met with a general, high-level statement.
Do You Tell Individuals About Their EU-Specific Legal Rights and Make Those Rights Actionable?
The GDPR creates several new individual rights. Although many of those rights “come to life” only in specific (and likely rare) circumstances, your privacy statement must nonetheless tell individuals about all of their individual rights and provide a mechanism to actualize them. Your privacy statement presents an opportunity to educate individuals on the real availability of these rights (i.e., make their limited application clear) and prevent damaging your relationship with consumers by denying them a perceived right.
- The right to be informed: Individuals are entitled to be informed about the use of their personal data. The privacy statement is the typical vehicle for delivering such information.
- The right of access and correction: Individuals have the right to confirmation that their data is being processed and access to that data, the idea being that individuals can then verify the lawfulness of the processing. The data controller has a duty to hold accurate data so if the data is found inaccurate or incomplete, individuals have the right to correction or deletion.
- The right to data erasure (the so-called “right to be forgotten”): This is a commonly misunderstood right. It does not provide an absolute “right to be forgotten.” Instead, individuals have the right to have their data erased only in certain situations.
- The right to object (opt-out): Your privacy statement must inform data subjects that they have the right to object to your processing of their personal data if you:
- Process their data based on legitimate interests or the performance of a task in the public interest as an exercise of official authority (including profiling);
- Use their data for direct marketing (including profiling); or
- Process their data for purposes of scientific/historical research and statistics.
Note that the GDPR also requires you to inform individuals about this right at “the point of first consent” and that it must then be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.”
- Personal data an individual provided to a controller (the “brain” that decides what to do with the data),
- Data processing that relies on consent or the performance of a contract for a legal basis, and
- Data processing that is automated.
- The right to object to processing at any time (the right to opt-out): Where an organization processes personal data based on the consent of the data subject under GDPR the subject must be able to opt-out. Articles 6(1)(a) or 9(2)(a), the regulations require that the privacy statement state the existence of the right to withdraw consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal).
- The right to refuse to be subjected to automated decision making, including profiling: Your privacy statement must inform individuals that they have the right not to be subject to a decision and insist on human intervention if the decision is:
- Based on automated processing; and
- Produces a legal effect or a similarly significant effect on the individual.
- The right to lodge a complaint with a supervisory authority.
Are You Responsible for International Data Transfers?
If your company is the data controller and it intends to transfer personal data to a third country or international organization, your privacy statement must detail the transfer and specify one of the following:
- The existence or absence of an adequacy decision by the European Commission, or
- An explanation of the “suitable safeguards” the transfer is based on, such as contractual provisions or binding corporate rules, a description of those safeguards, and how to obtain a copy of them.
By drafting a GDPR-compliant policy statement and operationalizing all of the content therein, your company will be in a great position when the GDPR adventure officially begins. I hope that this article has been useful in moving your company in that direction.
For GDPR-related inquiries, please contact Robert Stankey at 202.973.4214.