General Data Protection Regulation
The General Data Protection Regulation (GDPR), which governs how personal data of individuals in the European Union may be processed, went into effect on May 25, 2018. The GDPR, which replaces the Data Protection Directive 1995/46, is a comprehensive privacy legislation that applies across sectors and to companies of all sizes. Personal data as defined by the GDPR as any information that relates to an identified or identifiable living individual (a “data subject”) such as a name, e-mail address, tax ID number, or online identifier. Processing of data as defined by the Regulation includes actions such as collecting, recording, storing, or transferring data.
A company that is not established in the European Union may need to comply with the Regulation when processing personal data of residents of the European Union, European Economic Area residents (i.e., Norway, Lichtenstein, and Iceland), and Switzerland, if the company offers goods or services to data subjects in the European Union; or if the company is monitoring data subjects’ behavior, which is taking place within the European Union. The European data protection authorities published Guidelines 3/2018 on the territorial scope of the GDPR (see Article 3), to help companies determine whether they fall within the GDPR’s territorial scope. For example, the mere accessibility of a company’s website in the European Union is insufficient to subject a company to the GDPR, but other evidence of the intent to offer goods or services (such as advertising) to data subjects in the European Union might mean that the Regulation is applicable.
Generally, companies that are not established in the European Union but that are subject to the GDPR must designate in writing an EU representative for purposes of GDPR compliance. There is an exception to this requirement for small scale and occasional processing of non-sensitive data. Fines in case of non-compliance can reach up to 4% of the annual worldwide revenue or twenty million euros – whichever is higher.
The European Data Protection Board released official guidelines to help companies with their compliance process.
Transferring Data Outside of the European Union
The GDPR not only provides for the free flow of personal data within the European Union but also for its protection when it leaves the region’s borders. The Regulation sets out obligations on data controllers (those in charge of deciding what personal data is collected and how or why it is processed), on data processors (those who act on behalf of the controller) and gives rights to data subjects (as mentioned, the individuals to whom the data relates). These rules were designed to provide a high level of privacy protection for personal data and were complemented by measures to ensure that the protection is maintained when data leaves the region, and whether it is transferred to controllers, processors, or to third parties (e.g., subcontractors). In addition, restrictions on transfers of personal data outside of the European Union specify that such data could only be exported if “adequate protection” is provided.
The European Commission is responsible for assessing whether a country outside the European Union has a legal framework that provides enough protection for it to issue an “adequacy finding” to that country. There has not been an adequacy finding with respect to the United States, such that U.S. companies can only receive personal data from the European Union if they provide appropriate safeguards (e.g., standard contractual clauses or binding corporate rules), or refer to one of the GDPR’s derogations.
The EU-U.S. Privacy Shield
The EU-U.S. Privacy Shield Framework was established by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as invalid the European Commission’s Decision (EU) 2016/1250 of July 12, 2016, on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the Privacy Shield Framework. For more information, consult the website of the U.S. Department of Commerce, Privacy Shield Framework.
Network and Information Systems (NIS) Directive
The Directive on security of network and information systems (NIS), applicable since 2016, sets baseline requirements to ensure better protection of critical infrastructures in the European Union. The NIS Directive sets basic principles for Member States for common minimum capacity building and strategic cooperation. It also directs operators of essential services and digital service providers to ensure that they apply basic common security requirements. Obligations for operators of both groups include taking technical and organizational measures for risk management; to prevent and minimize the impact of security incidents; and to notify, without undue delay, incidents having a significant impact on the continuity of the essential services they provide. Member States have implemented this directive in different ways, particularly with respect to operators of essential services, which led to a proposed legislative modification of the NIS Directive (the NIS 2 Directive) in December 2020. If adopted into law, the NIS 2 Directive would obligate more entities and sectors to strengthen security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisor measures and stricter enforcement requirements.
The March 2019 Cybersecurity Act set up a mechanism to develop a voluntary certification scheme for information and communications technology security products, processes, and services. The European Commission has not yet proposed the specific areas that would benefit from certification schemes, and the European Union Agency for Cybersecurity has created ad-hoc stakeholder groups to help it create certification schemes, which includes industry participation in accordance with the Act.
Draft Regulation on Artificial Intelligence
On April 21, 2021, the European Commission published its draft regulation on artificial intelligence, known as the Artificial Intelligence (AI) Act, which is the first proposed regulation on artificial intelligence in the world. The AI Act would promote the development of such technologies; harness their potential benefits; and protect individuals against potential threats to their health, safety, and fundamental rights that artificial intelligence systems might pose. The AI Act is part of a package of Commission initiatives aimed at positioning the European Union as a world leader in trustworthy and ethical technological innovation. The AI Act would include a risk-based approach to regulating artificial intelligence and would apply to any artificial intelligence system that affects the European Union’s single market, irrespective of the provider’s location, and includes online platforms, financial services, vehicles, machinery, industrial tools, toys, and medical devices. A pilot program for regulating artificial intelligence will be tested in Spain in 2022, a year before the regulation is expected to enter into force in the European Union.
European Strategy for Data
On November 25, 2020, the European Commission introduced the Data Governance Act, the Digital Services Act, and the Digital Markets Act under the rubric of the European Strategy for Data, the Commission’s vision for a single market that supports global competitiveness and data sovereignty, among other goals.
Data Governance Act
The Data Governance Act would establish a legal framework for the reuse of public sector data covered by intellectual property rights, confidential non-personal data, and personal data. While the General Data Protection Regulation regulates international transfers of personal data, the Data Governance Act would regulate international transfers of non-personal data by a user who was granted access to such data by the public sector. In addition, the Act would establish a supervisory framework for data sharing service providers; it would facilitate the collection and processing of data made available by individuals or private entities for altruistic purposes, including through a voluntary registration system for “data altruism organizations;” and create a European Data Innovation Board to enable the sharing of best practices by Member States and to advise the Commission on cross-sector interoperability standards.
Digital Markets Act
The Digital Markets Act would regulate the market power of large online platforms to achieve fairer and more open digital markets within the European Union. The Act would regulate certain “gatekeeper firms” – large online platforms that impact how other companies interact with users online through digital services such as searching, social networking, cloud computing, and advertising services – and apply to those large online platforms with more than 45 million active users, services in at least three Member States, and 6.5 billion euro in annual turnover in the last three years or 65 billion euros in market value in the last year. The Digital Markets Act would prohibit these gatekeepers from engaging in self-preferencing activities and restricting access to services connected to their platforms, such as online marketplaces like an app store, and be barred from preventing users from removing pre-installed software or apps. Under the proposed act, EU regulators could levy fines of up to 10% of global annual turnover of these firms, and, limitedly, break up certain parts of their corporate operations.
Digital Services Act
The Digital Services Act aims to harmonize mechanisms throughout the European Union for the removal of illegal content and to require due diligence for certain online service providers, including internet access providers, domain name registrants, cloud and webhosting services, and online platforms. The Digital Services Act would regulate “very large online platforms;” those online platforms that would reach at least 10% of the population in the European Union. The Act would require those platforms to conduct annual risk assessments on the availability of illegal content through their platform and its effects on fundamental rights, public health, and public security; to provide greater transparency about their operations, including algorithms used, advertising, and content; to report information associated with a serious criminal offense; and to suspend services that frequently provide illegal content.