Washington State is considering sweeping legislation (SB 5376) to govern the security and privacy of personal data similar to the requirements of the European Union’s General Data Protection Regulation (“GDPR”). Under the proposed legislation, Washington residents will gain comprehensive rights in their personal data. Residents will have the right, subject to certain exceptions, to request that data errors be corrected, to withdraw consent to continued processing and to deletion of their data. Residents may require an organization to confirm whether it is processing their personal information and to receive a copy of their personal data in electronic form.

Covered organizations will be required to provide consumers with a conspicuous privacy notice disclosing the categories of personal data collected or shared with third parties and the consumers’ rights to control use of their personal data. Significantly, covered businesses must conduct documented risk assessments to identify the personal data to be collected and weigh the risks in collection and mitigation of those risks through privacy and cybersecurity safeguards.

Washington’s proposal follows the recent enactment of the California Consumer Privacy Act (see EBG’s Act Now AdvisoryCalifornia’s Consumer Privacy Act What Employer’s Need to Know). Washington’s legislation, however, will grant rights beyond those contained in the California Act and is more closely aligned with the GDPR’s framework. The heightened protections are grounded in the sponsors’ recognition of the detrimental effect of data breaches and the resulting loss of privacy. The Act cites to the GDPR as providing for “the strongest privacy protections in the world” and adopts the GDPR’s expansive definition of “personal data” – any information relating to any identified or identifiable natural person.

Businesses that process the personal data of more than 100,000 Washington residents are covered, as well as “data brokers” that derive 50 percent of their revenue from the brokered sale of personal information. Notably, “data sets” (i.e., Protected Health Information (“PHI”)) regulated by the federal Health Insurance Portability and Accountability Act of 1996, Health Information Technology for Economic and Clinical Health (“HITECH”) Act, or the Gramm-Leach-Bliley Act of 1999 are not covered. Financial and health care institutions may need to comply as to other personal data not protected under these statutes. If a health care or financial institution collects or processes other personal data and meets the thresholds above, then it is likely covered.

Employers should take note that data sets maintained only for employment records purposes are excluded. Notably, the Act excludes from coverage “an employee or contractor of a business acting in their role as an employee or contractor.” The Act will impact organizations that use facial recognition technology for profiling consumers with effects on “employment purposes” and “health care services” requiring human review prior to final decisions. Organizations who contract with facial recognition firms may see pass through contractual restrictions prohibiting use for unlawful bias.

There is no private right of action. Enforcement actions may be brought by the Attorney General to obtain injunctive relief and to impose civil penalties. If enacted, the Act, scheduled to become effective December 31, 2020, will have wide-ranging impacts requiring significant advance planning, risk assessments and consideration of privacy and security by design principles.

The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies, particularly in the health care space, increasingly are establishing operations and commercial relationships outside the United States generally, and in Europe particularly, many may be asking questions akin to the following recent inquiries that I have fielded concerning the reach of the GDPR:

What does the GDPR do? The GDPR unifies European data and privacy protection laws as to companies that collect or process the personally identifiable information (“PII” or, as the GDPR calls it, “personal data”) of European residents (not just citizens).

Who must comply? The GDPR applies to any company that has personal information of EU residents or citizens or that conducts business in the EU, regardless of its home country.

What is the risk of non-compliance? The GDPR mandates documented compliance. The regulations provide for substantial fines of up to €20 million or 4 percent of global revenues for noncompliance. Willful non-compliance is most heavily fined under this tiered system.

How far along are most companies as to compliance? The consulting firm Gartner estimates that more than half of the companies that are subject to the GDPR will not be in compliance throughout this year. They will be at risk.

Who will adopt the regulations? All 28 EU members, plus Iceland, Norway, and Liechtenstein (collectively known as the “European Economic Area”), and likely the United Kingdom, will adopt the regulations.

Will the regulations be enforced extraterritorially? The GDPR applies worldwide as to any company that offers goods or services (even if they are free) within the EU or collects, processes, or maintains (anywhere) personal data about European residents (again, not just citizens).

How is “personal data” defined? The definition includes any information as to a human being (called a “data subject”) that can directly or indirectly identify him or her, including, but not limited to, names; birthdates; physical addresses; email and IP addresses; and health, biometric, and demographic information.

What constitutes compliance? In general terms, a subject company must limit the use of the retained personal data and maintain it securely.

  • Explicit consent is required for each processing activity as to any covered datum.
  • Access, free of charge, must be afforded to any data subject on request to a “data controller” (a person at the company charged with maintaining data), who, in turn, must assure that any “data processor” (any person or company that takes data from consumers and manipulates or uses it in some way to then pass along information to a third party) is compliant as to the requested action.
  • Data subjects have the right to be “forgotten, i.e., to have their data expunged, and may revoke consent at will.

What does the GDPR require if there is a data breach? Data breaches that “may” pose a risk to individuals must be notified officially within 72 hours and to affected persons without undue delay.

This, of course, is only an outline of GDPR requirements and procedures. Any specific advice only can be provided knowing an individual company’s circumstances and needs. One does note that, as is the case in other regards, for example, antitrust, the assumptions prevalent within the EU are decidedly different from those in the United States. As a number of commentators have observed, while there is no defined “right of privacy” in the United States, a company is required to preserve information, including PII and personal health information, or PHI, in the event of litigation. In Europe, which has very limited litigation discovery, there is a defined right of privacy and individuals can cause data describing them to be erased (“forgotten”).

Many of you know also that there is a case pending a decision in the Supreme Court of the United States involving whether the U.S. government can compel Microsoft to produce PII that is collected and stored outside of the United States. An affirmative decision might create a conflict of law that will complicate the data retention abilities of American companies doing business overseas. So stay tuned.