What Do You Need to Know About the GDPR?

Over the last few weeks you might have noticed an influx of new emails and paper mail notifying you about changes to the privacy policies of services that you may often use online. A lot of this has to do with the fact that a new European Union Law, the General Data Protection Regulation (GDPR), came into effect May 25, 2018. The GDPR is the European Union’s new, overarching privacy law and is aimed at giving consumers more control over their personal data in an effort to force companies to provide more transparency over what information they collect as well as to ensure that the personal data collected is well cared-for and adequately protected.

The GDPR affects any organization that collects data on users within the European Union (“EU”), regardless of where the actual service provider is located.  As such, as long as a Silicon Valley company is collecting any sort of personal data from users in the EU, that company becomes subject to the GDPR.

With the GDPR, the EU wants to stress that privacy should be the “default.”  And as such, even if the companies do not have direct business in or with Europe, they become subject to the GDPR as long as they have any customers within the EU.  As a result, the cost of complying with the GDPR internationally has been enormous. Some experts estimate that Fortune Global 500 companies had to spend almost $8 billion dollars in preparation of complying with the new privacy rules.

The most significant change that the GDPR brings about is that many companies are now asking for your consent to store your personal data.  Google, Twitter, Facebook, and other technology giants have all sent out emails regarding changes to their privacy practices, and most companies now require you to agree to the new policies with some even asking you to confirm your age to continue using their services.  This is significant because, unlike the United States’ Children Online Privacy Protection Act which makes the magic user-age 13, children under 16 still require parental consent in most EU countries.

The GDPR also now requires that companies prove that that they have a “lawful” basis for collecting your data.  Under the GDPR definition, lawful basis could range from legal obligations to contractual ones.  Most companies will comply with this requirement by simply asking for your consent, but the GDPR now requires that such requests be clear and written in plain language. The GDPR's aim is to do away with the old days of extensive legalese where terms and conditions could go on for pages in very small print.

The GDPR also requires that the businesses that do collect personal data must now also invest much more into protecting that personal data.  Similarly, the GDPR prohibits companies from holding onto a consumer’s personal information for longer than necessary and requires that companies delete a user’s personal information when requested by that user, although there are some exceptions to the opting-out or deletion of personal information that pertain to law enforcement purposes or specific service requirements.

Lastly, the GDPR now requires businesses to tell authorities about any data security breach within 72 hours of discovery.  This is a big change from U.S. law and would heavily punish companies such as Uber since Uber chose to buy the silence of the hackers that hacked into their database instead of notifying consumers and authorities about the breach.  With the GDPR, businesses will now face real legal consequences for a failure to disclose.  If companies fail to comply with any portion of the GDPR, the EU can fine companies up to 4% of their annual global sales.  As such, it would behoove clients to ensure that their privacy policies are up-to-date by enlisting experienced intellectual property counsel to audit their website and internal documents.

Related Type Content:

https://www.klemchuk.com/browser-act-explained-implications-facebook/

 

About the Firm:

For more information on this topic, please visit our Intellectual Property Protection service page, which is part of our IP Practice.

Klemchuk LLP is an Intellectual Property (IP), Technology, Internet, and Business law firm located in Dallas, TX.  The firm offers comprehensive legal services including litigation and enforcement of all forms of IP as well as registration and licensing of patents, trademarks, trade dress, and copyrights.  The firm also provides a wide range of technology, Internet, e-commerce, and business services including business planning, formation, and financing, mergers and acquisitions, business litigation, data privacy, and domain name dispute resolution.  Additional information about the IP law firm and its attorneys may be found at www.klemchuk.com.

Klemchuk LLP hosts Culture Counts, a blog devoted to the discussion of law firm culture and corporate core values with frequent topics about positive work environment, conscious capitalism, entrepreneurial management, positive workplace culture, workplace productivity, and corporate core values.