The EU General Data Protection Regulation (“GDPR”) goes into effect in less than 24 hours. While you have probably heard or read something about it and how it might affect your company, it is just as likely (if my inbox is any indication) that you are only now considering compliance and what you may need to do to become compliant.
However, you are in good company (no pun intended)—few if any businesses will be 100% compliant by May 25th. As with any sweeping body of international regulation, some areas of the new law were drafted with an eye to allowing the individual EU Member States, and even companies, to come up with their own strategies and solutions for meeting GDPR’s stated goals. Many Member States are still struggling to adopt and adapt the new regulation. Most companies aren’t entirely sure that the strategies or legal positions they have adopted in anticipation of GDPR will be accepted by the respective Member States.
And it’s not likely to get much clearer soon. Reasonable minds may differ, and likely some Member States will adopt the regulation in a manner that will invariably conflict with the adoption practices of another Member State.
So now that it’s here, what should you be thinking about to ensure you won’t violate the new law? How can U.S. companies comply with this new regulation in the first place? Why should they have to? And what mechanisms can U.S. companies take advantage of to make this process easier?
The GDPR was established to grant specific privacy rights to EU “data subjects”, or individuals residing or located in the EU—and even here, as we first step into GDPR, we’re confronted with some fairly vague language as to who and what that means. The GDPR defines a data subject as any “identified or identifiable person” who is “in” a country subject to the regulation. Note that the regulation does not specify that it applies solely to individuals domiciled and residing in the EU.
It also applies to any company that takes data out of the European Economic Area (“EEA”), which implicates most U.S.-based game companies. Even if you are not located in the EU and otherwise don’t do business there, if you have players in the EU and take their data outside of the EEA, you are liable under GDPR. To deal with the broad reach of GDPR, the U.S. has negotiated the EU-U.S. Privacy Shield Framework. Certifying with Privacy Shield doesn’t mean that you are GDPR compliant—but if your sole liability under GDPR arises from transferring data out of the EU, this is almost definitely the best solution to meet GDPR compliance for U.S.-based companies, and it will get its own discussion shortly.
GDPR has several moving parts that can be broken down into three basic relationships: your relationship with the Member State or Member States you report to (if any, which will be discussed later), your relationship with your service providers and ad mediators or partners, and your relationship with your “data subjects”, or end users.
Your Relationship with the Member State
Companies seeking to comply with GDPR must have various mechanisms in place for verifying compliance, providing recourse, and enabling enforcement. Most of these implicate DPAs, or Data Protection Authorities, which are independent bodies established in each country in the EU that regulate data protection laws. U.S.-based companies qualifying under Privacy Shield must commit to cooperating with DPAs and to enforcement through arbitration and mediation. If your company already does business in the EU and has offices there, your “independent recourse mechanism” may be the DPA of the EU country where your company is located.
If you are a U.S.-based company that doesn’t have offices in the EU, the question becomes a little trickier and will depend largely on your own cost-benefit analysis. The EU-U.S. and U.S.-Swiss Privacy Shield Frameworks allow companies to use third-party mechanisms like TRUSTe for this process. Privacy Shield also offers the option to cooperate directly with DPAs.
If you’re required to or elect to appoint a local representative in a Member State, your DPA will likely be in the country where your representative is based.
Your Relationship with your Business Partners
As mentioned before, a U.S. company’s primary liability under GDPR arises from transfers of data out of the EEA. To comply with GDPR, you need to ensure that your business partners: a) reside in a territory where GDPR is enforced, or where the EU Commission has reached an adequacy finding with respect to that territory’s data protection framework; b) have adopted Binding Corporate Rules; or c) will execute an addendum to your base agreement that includes model data protection clauses.
For U.S. companies, this generally means (b) and/or (c). Under the EU-U.S. Privacy Shield, companies are required to include model contract clauses for every instance where the relationship causes data to leave the EEA.
Your Relationship with your End Users
The relationship that gets the most attention under GDPR is your relationship with your data subjects/end users. The GDPR grants a bundle of rights to individuals located in the EU with respect to any data you collect. This includes the right to access and receive a copy of their data in a portable format, the right to modify or request the deletion of their data, the right to restrict who you share their data with, and the right to object to any data collection practice. Additionally, where you rely on consent as your legal basis to collect data, data subjects have the right to withdraw consent at any time.
It is up to each studio or company to determine the resources it wants to commit to GDPR compliance. This will depend largely on where you are located, the amount of data you collect from the EU, and how you use it. Similarly, the strategies you incorporate will vary depending on what makes sense for you economically and legally. Operating under and certifying with the EU-U.S. Privacy Shield Framework will likely be the most efficient way for U.S. companies to meet the rigorous standards of the GDPR.
For some background, the U.S. sought an adequacy decision from the EU Commission for a framework that would allow EU-to-U.S. data transfers under Chapter 5 of the GDPR. Chapter 5 prohibits transfers to non-EU territories unless certain safeguards are in place. Obviously, Privacy Shield won’t help you if your service provider is based in Japan—in that case, you would need to rely on a different mechanism provided for under the GDPR, including the model contract clauses referenced above. But as a U.S. company receiving data from the EU, the Privacy Shield framework will enable you to comply with GDPR with relatively minimal effort.
You can self-certify with Privacy Shield by applying online at http://www.privacyshield.gov. Additionally, third-party data protection programs like TRUSTe and E-Verify offer GDPR compliance solutions that have been vetted through the Privacy Shield framework. While costs vary, the fees for self-certification are reasonably low, scaled to your company’s revenue.
If you have not taken steps to determine your liability under GDPR and what you need to do to comply, now would be a good time to start that process. Enforcement begins tomorrow, and the law will be around for a while—at some point (hopefully before you’re the subject of a complaint or fine), you are going to need to take steps to comply.
Most importantly, you need to ensure that you have mechanisms in place so that as privacy rights expand both geographically and in scope, you can effectively allow for enforcement of those rights at the least cost possible to your end users.
Approaches will vary. If the data you collect is minimal or anonymized, your liability under GDPR decreases. If you collect substantial personal information from individuals located in the EU, your liability will increase proportionally. Your strategies will often be based on the extent of your liability under GDPR and the costs required to come into compliance—for example, some of my clients are cancelling distribution in the EU for titles that aren’t performing well, while others are operating as if the rights granted under GDPR apply to ALL end users, regardless of location. Your philosophy concerning data protection is equally important when choosing compliance mechanisms and strategies.
It is important that you make data protection a core tenet of your company’s business practices regardless of the approach you take or the strategies you implement. Yes, GDPR is intimidating. Yes, for smaller companies and studios, the human resource costs and financial commitments are particularly daunting.
However, the costs of failing to comply are far more likely to lead to cancelled projects and closed studios. Fines under the GDPR are going to be significant, and with the current pro-protection environment of our global economy, you can be sure that we will see enforcement of GDPR sooner rather than later.