Editor’s note: WRAL TechWire is running a five-part series on data privacy law to bring some clarity to one of the fastest growing and most complex areas of technology law, and the first part is here. This article, the second in the series, is contributed by Steve Britt, Counsel for Cyber, Data Privacy & Technology (CIPP/E, CIPM), Parker Poe and Sarah Hutchins, Partner for Cyber, Data Privacy & Technology (CIPP/US), Parker Poe.

Note to readers: WRAL TechWire would like to hear from you about views expressed by our contributors. Please send email to: info@wraltechwire.com.


RALEIGH – The enactment of the European Union’s General Data Protection Regulation (GDPR) on June 25, 2018, was a watershed event globally for data privacy.

It set the high-water mark for data privacy, and, while California took some diversions in its initial iteration of the California Consumer Protection Act (CCPA), several of those departures are now being revisited under the new California Privacy Rights Act (CPRA), which we’ll discuss next in this five-part series.

Data privacy & you: What you really need to know from a legal point of view

Baked into EU culture

But the first thing to understand about Europe, as evidenced by GDPR, is that data privacy is baked into the European culture. In fact, in 1995, just as America was discovering the Internet that led to the explosion of e-commerce, Europe enacted the Data Protection Directive (DPD) containing many of the same principles now found in GDPR.

A “directive” in Europe is a common set of guidelines across the 27 EU and 3 European Economic Area (EEA) states. The problem with a directive is that it requires each member state to implement those rules by enacting their own local law.

Just as we are seeing in the US right now, requiring individual local laws results in a checkerboard of inconsistent and often conflicting rules. A regulation, on the other hand, creates a mandatory set of rules that apply to all member states, which is what GDPR represents. Even though GDPR applies to all EEA states, it still permits separate local rules for certain specific issues like for HR data.

As to scope, GDPR applies to any legal entity (profit or nonprofit) which is “established” in the EU. An entity is “established” if it is formed in the EU, has an affiliate, branch or office in the EU or even has an employee or contractor in the EU.

Warning: Virginia’s new data privacy law may affect North Carolina businesses, too – here’s how

A major change

But the major change in GDPR was its extraterritorial application. Even if a business is not established in the EU, GDPR applies if the (non-EU) organization markets goods or services to EU residents (even online) or otherwise profiles EU residents. That swept into GDPR a broad range of US companies doing business internationally as to their European activities.

GDPR imposes a broad range of new obligations, all backed up by the threat of regulatory fines reaching 4% of a company’s turnover (i.e., worldwide gross revenues). Fortunately, GDPR is primarily enforced by data supervisory authorities (similar to our Attorneys General), though GDPR permits class actions by consumer organizations if permitted under local law.

Internet service providers drop opposition to tough Maine privacy law

Key provisions

Here are some of the key provisions of GDPR:

  • It grants broad data rights to a natural person whose data a business collects, including the following:
    • The right to know what personal information has been collected
    • The right to correct any errors in such data
    • The right to be forgotten (i.e., to request deletion of its personal data)
    • The right to request restrictions on or object to the processing of their personal data
    • The right to the return of their personal data back in a machine-readable format so the data can be forwarded to another processor
    • The right to be free of adverse decisions based upon automated processing, and
    • The right to withdraw any prior consent given to the processing of their personal data
  • Companies must conduct data protection impact assessments for high risk activities,
  • Companies must also implement privacy by design (PbD), which means that the default setting for data processing must be the most protective of data privacy,
  • Covered businesses must document all data processing activities and compliance efforts through comprehensive recordkeeping,
  • Businesses must either appoint a data protection officer if they have an establishment in the EU or a representative in the EEA if they do not,
  • Companies must sign formal data processing agreements with processors restricting the handling of personal data, and
  • Companies must provide detailed privacy notices to data subjects with prescribed contents.

Data crackdown coming: FTC launches effort to protect consumers privacy

Further complexity

Another area of complexity relates to GDPR’s regulation of cross-border transfers. GDPR data rights attach to EU personal data and companies are not permitted to export EU data unless those rights will be respected in the importing country. Merely accessing EU data in an EU data server is a cross-border transfer under this rule, requiring the use of special data transfer mechanisms beyond the rules for collection and use of the data in the first instance.

There are many other elements of GDPR, including the coordination of jurisdiction for multiple supervisory authorities for multinational security incidents. For now, we would just note that Europe’s stated goal in 2016 to “change the world” on the handling of personal data has, in fact, been realized.

FCC: Your wireless data info is kept by carriers, provided to police