In this article, Oklahoma City healthcare attorney Mary Holloway Richard discusses GDPR, a newly enforced EU privacy law, and what it means for businesses in America.
Q: What is the General Data Protection Regulation (GDPR)?
A: It’s a law regulating data protection and privacy for all individuals within the European Union (EU). It gives control to individuals over their personally identifiable information. It both standardizes the requirements throughout the EU and bolsters protections available to individuals amid well-publicized, costly data breaches in Europe. It’s a regulation rather than a directive, which means national governments within the EU don’t have to pass enabling legislation for these requirements to be effective. Rather, the regulation is directly binding on the members of the EU. The spirit of the General Data Protection Regulation also is embodied in recent legislation in the United Kingdom, providing consistency across Europe even though the U.K. withdrew from the EU effective in March. The regulation, passed two years ago, became effective May 22. Because of the length of time between passage and enforcement, there’s no transitional or grace period before compliance is required.
Q: How is this relevant to American businesses?
A: In certain circumstances, the GDPR also applies to organizations and other businesses based outside of the EU if they collect and/or process personally identifiable information located within the EU. For example, U.S. companies offering a website to market their products or services to individuals within the European Community or scientific concerns actively engaged in recruiting individuals within the European Community to be subjects in clinical trials are required to comply. It’s important for such commercial concerns to act quickly to determine if they are covered by the General Data Protection Regulation as processors of data or collectors of such data from individuals within the EU. Concerned about the potential burden of compliance on foreign businesses, some international websites have taken steps to block EU users on the effective date, thereby removing the need to comply and ensuring against potential liability under the regulation. USA Today’s international website redirected users to simplified sites limited in scope. Other U.S. newspapers with European editions made them temporarily unavailable to readers in the EU. In another example of responses by U.S. companies, Instapaper, a read-it-later app, temporarily shut off access to European users to allow sufficient time for compliance.
Q: What type of data is protected by the General Data Protection Regulation and how’s it protected?
A: Personally identifiable information is anything that allows a living person to be identified directly or indirectly. Such data elements include name, email and home addresses, medical information, bank or other financial information, computer IP address and photos. Businesses involved in processing or collecting data must appoint a data processing officer, who is similar to a compliance officer with special information technology proficiency in managing and securing personal and sensitive data, as well as a local representative for the company. Individuals have the right to the portability (access) of their stored data, erasure of data in certain circumstances, the right to file complaints with the data processing authority and the right to contest automated decision-making made on a solely algorithmic basis. Data breaches must be reported in a manner similar to the Health Insurance Portability and Accountability Act of 1996 and its amendments (HIPAA).
Q: You mentioned HIPAA. Is informed consent required for American businesses engaged in business in Europe similar to that required for HIPAA?
A: Personally identifiable information may be lawfully processed under the General Data Protection Regulation with informed consent or with another legal basis for doing so. Those bases range from the legitimate interests of the entity collecting the data or of a third party, to performing a task under official authority or in the public’s interest, complying with the controller’s legal obligation, fulfilling a contract with a data subject, and protecting the vital interests of a data subject or another person. There are some similarities to HIPAA’s informed consent and its various exceptions to the consent requirement, including the requirements of clarity and the opportunity to withdraw consent. As with HIPAA, individuals must be apprised of their privacy rights and their ability to withdraw consent at any time under the General Data Protection Regulation.
Q: Are there exceptions or limitations to an individual’s right of access to information?
A: Limitations to disclosure and the individual’s right of access to protected data exist for overriding interests such as national security. Further, in recognition of the importance of providing health care across country boundaries and clinical research to fight disease, the General Data Protection Regulation doesn’t apply to statistical and scientific analyses. A recognition of the need to maintain the integrity of clinical research resulted in the limitation of the erasure right of the individual. The strengthened data protections of the General Data Protection Regulation are limited in the face of requirements of good science although companies engaging in clinical research, including patient recruitment in the EU, will need to evaluate their data compliance plans considering the requirements of the newly enforced law. In addition, the General Data Protection Regulation doesn’t apply to data related to employer-employee relationships.