What US Construction Companies Need To Know About the GDPR To Avoid Fines
By Julie Negovan
On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) took effect. This law makes significant changes to European data privacy and security requirements for companies dealing with individuals located in the EU (whether they are citizens, immigrants, or visitors at the time their data is collected). So what? How would such a technical EU regulation effect a US-based construction company?
The EU has always had a different take on the protection of personal information than the US. GDPR was implemented because, essentially, the EU’s old data protection laws that were first enacted (way back in 1995) were perceived to be inadequate to keep up with the explosive growth in data and the technology surrounding it. According to the GPDR website, the new regulation was designed to “to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
What information is involved?
GDPR aims to protect the “personal data” of EU residents– including how the data is collected, stored, processed and destroyed. Importantly, the meaning of “personal data” under the GDPR goes far beyond what you might expect considering how similar terms are defined in the US. Under the GDPR, “personal data” means information relating to an identified or identifiable natural person. A person can be identified from information such as name, ID number, location data, online identifier or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. This even includes IP addresses, cookie strings, social media posts, online contacts and mobile device IDs.
While that information is not generally the target of collection by US construction firms, some such information is routinely provided by subcontractors, consultants, and vendors during the contracting process. It is particularly likely that such information is collected where the team members are participating in a project using Building Information Management (“BIM”) protocols.
How does the EU Regulation Reach the US?
A major change made by the GDPR is the territorial scope of the new law. The GDPR replaces the 1995 EU Data Protection Directive which generally did not regulate businesses based outside the EU. However, now even if a US-based business has no employees or offices within the boundaries of the EU, the GDPR may still apply.
Under Article 3 of the GDPR, your company may be subject to the new law if it processes personal data of an individual residing in the EU when the data is accessed. This is the case where the processing relates to the offering of goods or services or the monitoring of behavior that takes place in the EU.
Thus, the GDPR can apply even if no financial transaction occurs. For example, if your organization is a US company with an Internet presence, selling or marketing products over the Web, or even merely offering a marketing survey globally, you may be subject to the GDPR. Particularly, if your website pursues EU residents – accepts the currency of an EU country, has a domain suffix for an EU country, offers shipping services to an EU country, provides translation in the language of an EU country, or markets in the language of an EU country, the GDPR will apply to your company.
Since this is a brand-new law, and the application of the language concerning the scope of the prohibitions has never been tested, it is important for all US companies to be aware of the possibility of the law’s enforcement against them.
What should I do?
For U.S. companies, interactions with those situated in the EU will have to be adjusted to obtain explicit consumer consent to collect personal information. In the language of the GDPR, consent must be “freely given, specific, informed, and unambiguous.”
For example, say a New Jersey-based company is looking to run a campaign to advertise for partners for a project (vendors, subcontractors, consultants) in France and has set up a webpage to collect email addresses. At the very least, the company will need a checkbox — without a default “x” in it — accompanied by clear language about what it will be doing with these email addresses. And it’s not allowable to ask the user to click on a link to a long “terms and conditions” document filled with legalese.
Once the data is collected, US companies will then have to protect it under the GDPR’s rules. In particular, the tough new GDPR 72-hour breach notification rule will certainly require special attention. When there’s a breach involving “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed,” then your firm will need to analyze whether the exposed or affected EU personal data identifiers can cause “risk to the rights and freedoms” of EU citizens.
The GDPR gives some leeway in weighing the risks, but inadvertent exposure of email addresses or personal data that contains sensitive information, would require notification to an EU regulator or “supervising authority” within 72 hours. Where there’s “high risk” to fundamental property and privacy rights — typically, exposure of credit card numbers or account passwords — then the EU citizens affected will also have to be notified.
There are still many questions of how the EU will enforce these actions against US and other multinational companies. What we do know is that the EU is serious about a uniform data and privacy law and major US companies have changed their practices as a result.
What happens if I don’t?
The GDPR imposes significant fines for companies that fail to comply. Penalties and fines, calculated based on the company’s global annual turnover of preceding financial year, can reach up to 4% or €20 million (whichever is greater) for non-compliance with the GDPR, and 2% or €10 million (whichever is greater) for less important infringements. So, for example, if a company fails to report a breach to a data regulator within 72 hours, as required under Article 33 of the GDPR, it could pay a fine of the greater of 2% of its global revenue or €10 million.
There are reports predicting that more than 50% of companies within the scope of the GDPR will not be compliant by the end of 2018, even though the deadline of May, 2018 has passed. Considering that one of the main objectives of the GDPR was to expand the territorial scope of protection, companies based outside the EU should not be surprised to find that they are a particular target of EU data regulators.
As a precaution, US construction companies should evaluate their communications with their EU partners to determine whether they may be subject to regulation under the GDPR, and if so, how to structure those communications to protect against any possible violation.
Reprinted with permission from the August 6, 2018 edition of The Legal Intelligencer. © 2018 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.