Facts about Europe’s General Data Protection Regulation for the GDPR launch.
The General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018 (it entered into force in 2016, with a two-year transition period). The GDPR applies to all 28 European Union (EU) member nations as well as Iceland, Norway, and Liechtenstein, the non-EU nations that are part of the European Economic Area (EEA). For now, the United Kingdom, still an EU member state, is also subject to the GDPR, but that could change as Brexit is finalized.
However, the impact of the GDPR reaches far beyond Europe. Its territorial scope (Article 3) is tied to the data subject's location, not citizenship: businesses in the United States and around the world are subject to the GDPR's requirements if they offer goods or services to people in the EU, monitor their behavior there, or otherwise process the personal data of individuals in the EU. The penalties for violating the GDPR are severe: up to 4% of annual global corporate turnover or 20 million euros, whichever is greater.
Principles Underlying the GDPR
The GDPR reflects a European sensibility that is fundamentally at odds with the values and norms that we’re used to in a U.S.-based ediscovery context. Generally speaking, U.S. laws protect freedom of speech and capitalism, favoring litigants’ access to data during discovery, whereas European countries emphasize privacy and individual control over personal data.
That means the GDPR inherently conflicts with standard U.S. discovery and litigation practices. Whereas the U.S. court system expects that litigants will retain information that may be relevant to reasonably anticipated litigation, the GDPR demands that businesses obtain and keep personal data only where they have a lawful basis for processing it (consent is one such basis, but not the only one; legitimate interest and legal obligation are others), keep it no longer than that purpose requires, give data subjects access to their data on request, and, when asked, "forget" an individual's personal data. The right to erasure is not absolute: it does not apply where retention is necessary to establish, exercise, or defend legal claims, but the organization must be able to document that justification rather than simply keep everything.
GDPR Data Rules That Could Impact Ediscovery
Under the GDPR, "personal data" covers personally identifiable information, such as name, birthdate, address, etc., but goes even further. It also includes demographic information, health and biometric information, online identifiers such as cookie IDs and device identifiers, and even computer IP addresses. If data could be combined with other data and traced back to an individual by means that are reasonably likely to be used, taking into account the cost and time required, it is protected personal data. Pseudonymised data (for example, a custodian ID that maps back to a name through a separate key) still counts as personal data.
In the context of U.S. litigation and legal operations, this definition means ordinary discovery material is routinely personal data. In the course of discovery, if one were to collect emails that include a European resident's information, e.g., a name along with the email address, then storing that data outside the EU and providing it to an opponent is a transfer to a third country. Such a transfer needs a recognised basis under the GDPR (a narrow derogation exists for transfers necessary to establish, exercise, or defend legal claims), and collecting or producing more than the litigation actually requires could put an organization in violation of the GDPR.
The GDPR is enforced by the independent supervisory authority (data protection authority) of each member state, coordinated through the European Data Protection Board; it is not administered by the EU Parliament. These obligations apply to any business that offers goods or services to people in the EU, monitors their behavior, or otherwise collects, processes, or maintains personal data about EU residents. In order to avoid being in violation of the regulation and accruing punitive fines, organizations should take these basic steps to comply with the GDPR:
- Limit the collection, retention, and use of individuals' personal data to what a documented, lawful purpose requires (data minimisation and storage limitation).
- Keep personal data secure, and honor the data subject's rights over it: access, rectification, erasure, portability, and objection. The data subject is the individual person who the data is actually about; the GDPR grants that person rights over the data rather than legal ownership of it.
- Record the lawful basis and retention period for each processing activity, including litigation holds, so that a hold covering EU personal data can be justified and ended when the matter closes.
The General Data Protection Regulation (GDPR) strengthens and unifies the various data protection laws and regulations of the European Union, requiring businesses around the world to limit their possession of the personal data of European residents and to give data control to individual data subjects.