The GDPR and Social Media
By Gayle O’Connor – GDPR is a big buzzword these days as the implementation date of May 25, 2018 draws closer. But what exactly is the GDPR and what impact, if any, will it have on the collection and authentication of social media data?
The General Data Protection Regulation (GDPR) is a regulation promulgated by the European Union (EU) which will replace Data Protection Directive 95/46/EC. It is designed to harmonize data privacy laws across Europe and protect all EU citizens’ data privacy. For our specific purposes, it will require US organizations to ensure that EU personal data handled here is processed for “legitimate, explicit and specific reasons.”
A little background is necessary to give us some context. In 1980, the European Organization for Economic Cooperation and Development (OECD) issued its “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data.” These guidelines were, however, non-binding, and data privacy laws still varied widely across Europe.
So, in 1981 the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was negotiated within the Council of Europe. This convention obliged the signatories to enact legislation concerning the automatic processing of personal data, which many did. But the European Commission realized that diverging legislation amongst EU member states impeded the free flow of data within the EU and acted to propose a Data Protection Directive.
All the OECD principles were incorporated into the EU Data Protection Directive (officially the European Union Directive 95/46/EC on the protection of individuals regarding the processing of personal data and on the free movement of such data) which was adopted in 1995. However, since European directives are guidelines which propose certain results but leave each Member State free to decide how to transpose them into national laws, the 28 members of the EU made different laws that sometimes contradicted each other.
A regulation, on the other hand, is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously. Since the 1995 Directive was only able to provide overall guidance in this area, the GDPR is designed to effectively harmonize European data protection laws. Adopted in April 2016, it will officially supersede the Data Protection Directive and be enforceable starting on May 25, 2018.
I should also note that the GDPR affects more than merely the EU. The regulation applies not just to the 28 member states of the EU but is also being integrated into the 1992 EEA Agreement and thus applies to the 31 member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Liechtenstein.
More important, companies do not have to have a physical presence in Europe in order to be covered by the GDPR. It applies not only to EEA nations, but to any organization offering goods or services to European data subjects, or any organization controlling, processing, OR holding personal data of European nationals, regardless of the organization’s location.
Equally important is the understanding of what constitutes personal data under the GDPR. It is a much broader standard than we commonly accept in the US and includes:
- Identification numbers such as SSN, INSEE code (France), Codice fiscale (Italy), DNI (Spain), etc.
- Location data such as home address
- An online identifier such as e-mail address, screen names, IP address, etc.
- Genetic data such as biological samples or DNA, including gene sequence
- Biometric data such as fingerprints or facial recognition
- Health data
- Data concerning a person’s sex life or sexual orientation
- There is also a general category which includes data which may reveal:
  - racial or ethnic origin
  - political opinions
  - religious or philosophical beliefs
  - trade union membership
All such sensitive personal data is afforded enhanced protections under the GDPR and usually requires an individual’s explicit consent whenever such data is retained or used.
So, what does all that mean for social media ESI? There are two things that every company should keep in mind: the first is how you get the data, and the second is how you handle it.
First, your company only has to have minimal contact with the EU for the provisions of the GDPR to apply. You don’t need to do business in Europe, just have an “establishment” in the EU that processes personal data “in the context of its activities,” whatever that means. So if you somehow handle an EU resident’s personal data, you are probably covered by the GDPR. And that means you must limit the data you’re handling to what you need for your purpose and handle it in a way that ensures maximum protection.
Second, you must ensure EU residents’ “right to be forgotten.” They have a right to demand that their data be deleted, and you must have a specific no-cost procedure to handle any such request.
If you don’t adhere to these two principles, what happens? There are significant penalties for non-compliance including substantial fines that are applicable whether an organization has intentionally or inadvertently failed to comply. And they may go as high as 20 million Euros or 4 percent of annual worldwide revenue.
So, the simple capture of a Facebook page or gathering of data from Snapchat or Instagram can have far-reaching ramifications if one of the sources collected is an EU resident. And if you routinely capture such data, it is your responsibility to ensure that data of EU origin is handled according to the requirements of the GDPR.
For more detail on the subject, please see the series of articles by Tom O’Connor called “eDiscovery and the GDPR: Ready or Not, Here it Comes” on the eDiscovery Daily website.
Gayle O’Connor is a legal technology consultant with 30 years’ experience specializing in legal marketing, particularly social media, content marketing, speaking, and websites. She is currently working as the Marketing Manager at Social Evidence, a cloud-based application designed to discover, organize, analyze, and authenticate specific social media evidence. She was recently named as an Honoree in the 5,000 strong membership of Women in eDiscovery. Gayle was previously the Marketing Manager at Degan, Blanchard and Nash, a large law firm located in New Orleans. Gayle is also a former trial technician for the federal public defenders, a marketing director for numerous legal software providers and has taught legal research at law schools. Additionally, she has been a featured speaker at American Lawyer Media LegalTech Events, ABA TECHSHOW, Online World, Special Libraries Association, Washington State Paralegal Association, National Business Institute, ABA Litigation Section Meetings, local Bar Associations throughout the U.S., and international organizations such as the Law Society of British Columbia and the New Zealand Law Society. She can be reached at firstname.lastname@example.org, www.social-evidence.com or @gaylemoconnor.