FALL 2018 TODAY’S GENERAL COUNSEL
Cybersecurity
GDPR Makes the EU’s Regulatory Reach Global By Guillaume Bordier
Companies increasingly collect, process and transfer personal data about their employees, customers, partners and suppliers, and others with whom they are in contact. As a result, there is a corresponding increase in the risk of data breaches, financial losses and damage to reputations. The European General Data Protection Regulation (GDPR), which came into force in the EU in May 2018, expands the scope of the EU’s data privacy regulatory framework to cover companies that process or control the personal data of employees or other individuals residing in the EU, regardless of the company’s location.

Depending on the data breach and local laws, companies may have to inform the relevant data protection authority and data subjects of the breach, as stipulated by the GDPR. Chinese legislation provides for similar obligations of notification to relevant authorities and data subjects. Failure to comply with these rules may expose a company to heavy administrative sanctions, as well as civil and criminal liability.

In Argentina, there is currently no legal requirement to notify a data privacy breach to the Data Protection Agency; however, this will change if a proposed new law is passed. The bill defines a security breach of personal data as “any incident occurring in any phase of the treatment that implies unauthorized loss or destruction; theft, loss or unauthorized copying; unauthorized use, access or processing of data; or damage, alteration or modification not authorized.”

Whether in Europe, the United States or most other jurisdictions, any breach of the GDPR’s provisions concerning the requirement to give notice of a data breach could trigger an administrative penalty of up to four percent of the company’s annual global revenues or €20 million, whichever is greater. The company may also be exposed to civil claims for damages from individual data subjects. The GDPR permits class actions, whereby data subjects appoint a not-for-profit body, organization or association to exercise their right to receive compensation, where such actions are permitted by the laws of the member state. In France, a recent data protection law provides for this possibility.
Non-compliance with data protection laws can also expose companies to criminal liability, depending on member states’ laws. In France, failure to comply with data protection rules is a criminal offence. For individuals, this is a criminal offence punishable by a fine of up to €300,000, up to five years’ imprisonment, and by various other sanctions including restrictions on civil rights and limitation on the exercise of certain professional activities. For legal entities, this is a criminal offence punishable by a fine of up to €1,500,000 and by other sanctions.

In China, government authorities can order a company to rectify a data breach, issue a warning or fine, confiscate illegal income, and impose a fine or detention on the person responsible. If the circumstances are serious, the authorities can also order companies to suspend or cease operations and have their licenses revoked. Lastly, the misuse or improper disclosure of personal data will expose the company in question to civil claims, financial damages and criminal liability.

Depending on the company’s operations and infrastructure abroad, complying with a notification deadline could be challenging, particularly if an investigation is being led from outside the jurisdiction where the breach occurred. As a result, it is important for companies to understand GDPR at the outset, and ensure they have a competent plan in place for timely investigation and handling of allegations or evidence of a data privacy breach. This is particularly true in the United States. Therefore, in case of a personal data breach, a company — especially a multinational company doing business in Europe or conducting business involving individuals based in Europe — should take the following steps: