GDPR Enforcement in the US

We won't go through the technical requirements of the GDPR, except to mention a couple of things that stand out. We focus on what would likely happen if the EU decided to enforce the GDPR against a US entity. Basic facts...
  1. Unambiguous consent is required by the user when collecting personal data, or data that could be used to identify a user. This is certainly the name, address, email and phone number. It is also IP address, device identifiers, cookies and even location data. When publishers obtain this data, consent is required. When advertisers obtain it, consent is required. When it is transferred, consent is required. And when we say required, that means unambiguous consent. Not the cute "using this site means you consent..." mumbo-jumbo we so often see. Some SSPs claim they are mere conduits for Advertisers and Publishers, and they are not affected by the GDPR. This is the "pass-the-buck" strategy for compliance.
  2. Consent required when transferring this data to another party. Like cookies. Want to receive cookies from some entity that pertains to users in the EU? Likely consent is a requirement to be GDPR compliant. Remarketing - surely this would be covered...
  3. Users can demand to see their data. Failure to comply is a violation. Have a data breach, need to inform, penalties apply!
  4. Compliance required regardless of where the data is stored or where it is processed. Simply running a data center in Singapore or China won't work...
  5. Right to be forgotten. Users opting out must be 'forgotten'. Failure to comply is a violation (more later).
  6. DPIA Requirements. All processing of personal data requires a DPIA assessment overseen by the DPO. The assessment is in writing and requires documenting risk mitigation. If the organization fails to do the assessment and you are audited, it is a violation. If you have a breach and didn't do the assessment, it's a violation. If you do the assessment and you aren't sure if the risk can be mitigated, or it can't be mitigated, you must submit the report to the EU's Information Compliance Office. They will advise on how to proceed. They can also order the organization to not proceed, and will enforce it with a court order.
  7. Training. People working with sensitive data must follow established written procedures and the procedure must be in writing. The Org must provide formal training for the people handling this data. Records must be stored. Probably looks a lot like ISO-9000 or CMMI stuff, if you have ever been involved in health care or defense contracting in the US.
  8. Data Protection Officer. The organization must appoint a DPO that oversees all this stuff. This is a corporate officer, not just an employee position.... Corporate officers have fiduciary duties on top of their employee duties. Sounds like fun. New career options! Maybe...? Check out the personal liability section at the end of this thing.

How is it enforced???

We can't say we are under the jurisdiction of the GDPR - that is a technical discussion first, then a legal one. And likely your DSP has several products - some may be covered, and others not. Each has to be examined in detail. Of course, if you had an office in the EU, it's a slam dunk we would be subject to enforcement.

In the US, it works like this:

  1. The EU would not come to the US to bring an action. It would use the courts in the member's country or the Hague.
  2. The first legal requirement is to obtain jurisdiction in the EU. How the EU does that is not something we have particular knowledge of... But suffice it to say a prosecutor would gain jurisdiction based on the broad language of the GDPR.
  3. The second legal requirement would be to show violation of the GDPR, say at the court in the Hague.
  4. The third legal requirement would be to assess the damages. There are 2 tiers - 4% of gross world-wide revenue or 20M euros, whichever is greater, and 2% of gross revenue and 10M euros, whichever is greater.
  5. Higher tiers are applied to failure to get consent, transfer without consent, non-consent to the ICO order to not process (discussed earlier with the DPIA).
  6. Lower tier is applied to data breaches and against Data Protection Officer for failure to perform their duties faithfully.
  7. The fourth requirement would be to issue a foreign state order of enforcement.

Enforcement in the US Courts

Perhaps you would need to fight a case in the EU... OR, maybe you wouldn't...

In the US, the EU prosecutor would then seek to enforce the order here in US Federal Court. Now the EU has to show jurisdiction is warranted under US law. Some things like the right to be forgotten as it applies to the 1st Amendment for journalism sites simply will be rejected by the court.

Gathering cookies is not a 1st Amendment issue. But commercial speech, as in an ad, is likely covered. That's why you really can't stop telemarketers from spamming you... their right to 'speak' to you trumps your right to privacy...

Free speech is not so protected in the EU as here. A little-known law known as The Securing the Protection of Our Enduring and Established Constitutional Heritage (SPEECH) Act was enacted in 2010 to codify the common law presumption against enforcing foreign libel judgments in U.S. courts.

Directly applied, this law invalidates ALL foreign libel enforcement in the US applying to freedom of speech. Even if applied not directly but rather by analogy, any enforcement (like the GDPR) that restricts freedom of speech (remember, we are talking commercial free speech) would likely not be enforceable in the US.

But, of course, if the EU brought action and couldn't enforce it, you could never open an office in the EU. Or, they would promptly enforce it. There would be reputational damage of course.

Bear in mind, fighting a legal challenge in the Hague or in the US would be an expensive proposition. And would likely be financial suicide if you didn't have deep pockets.

For a purely non-EU entity, a realistic view of the likely exercise and enforcement of jurisdiction would be a useful complement to the business realities of working within Europe.


Fortunately, under GDPR, the DPO is not personally liable for failure to act prudently or for even willful violations.

However, other jurisdictions that we sell ads into have similar DPO requirements to the GDPR and they DO have civil and criminal penalties that can be applied to the DPO themselves - if they can catch them.

Canada, Hong Kong, Ireland, Malaysia, Philippines, Singapore, and the UK have a mix of criminal and civil penalties for violating their spam and privacy laws.

Canada, Ireland and the UK have only civil penalties, but the rest have both civil and criminal laws that can affect a DPO.

An Officers and Directors Errors and Omissions Policy might cover the DPO... It would also be a good idea to obtain a cyber liability policy.

Most insurance policies exclude coverage for criminal acts....

Hong Kong has draconian criminal penalties. Though I'm sure a shorter sentence served in the Philippines would be even more dreadful...