May 31, 2018
On May 25, 2018, Europe’s General Data Protection Regulation (“GDPR”) went into effect with the aim of standardizing data protection laws for businesses that, among other things, collect, retain and/or use the personal data of European Union (“EU”) residents. Businesses across the world are trying to determine what impact the GDPR data rules will have on their operations. Larger companies, such as Google and Facebook, are already facing GDPR compliance challenges: multi-billion-dollar lawsuits have been filed against some companies for allegedly forcing consumers to consent to the collection of their personal data for targeted advertising purposes.
Over time, the enforcement of the GDPR will become more predictable and businesses will get more comfortable with the data collection and use restrictions imposed by the GDPR. However, in the first few days following the GDPR’s effective date, there are still several questions surrounding the scope of enforcement. One of those questions is:
What GDPR data can I maintain when a consumer has directed that her/his data be deleted?
Maintaining an Unsubscribe List
In the United States, businesses have worked hard to comply with the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”), including in situations where consumers unsubscribe from the receipt of commercial email. In order to comply with CAN-SPAM, businesses should maintain an unsubscribe or opt-out list of individuals who have opted out of receiving further commercial email. In light of the GDPR data rules, many businesses are unsure as to whether those unsubscribe or opt-out lists (to the extent that they include EU resident data) would be perceived as personal data regulated by the GDPR.
On March 6, 2018, the Information Commissioner’s Office (“ICO”) updated its Direct Marketing Handbook (the “Handbook”) to include GDPR compliance guidance. The ICO is an independent body in the United Kingdom (just one of many EU member countries) set up to enforce consumer information rights. The ICO refers to an unsubscribe list as a “suppression list” and paragraphs 190-194 of the Handbook directly address the use of suppression lists. The ICO states, “[t]he right to object to direct marketing under Article 21(3) does not prevent a controller from holding a suppression list, as the list supports the individual’s right to object and is held for compliance rather than direct marketing purposes.” However, according to paragraph 192, businesses should retain “just enough information to ensure that their preferences are respected in the future.”
Retaining GDPR Data in the Face of the Right to be Forgotten
As discussed in previous posts, the GDPR applies to the collection and processing of personal data (both direct and indirect personal data, including: name, location and online identifier). The GDPR addresses an individual’s right to be forgotten under Article 17. Specifically, Article 17(1) of the GDPR grants individuals the right to have their personal data deleted from a business’s databases upon request.
However, the right to be forgotten is conditional and may not apply under an Article 17(3) exemption. Specifically, Article 17(3) provides the following circumstances where the right to be forgotten may not apply:
- For exercising the right of freedom of expression and information (i.e., media, news and journalism outlets);
- For compliance with a legal obligation (i.e., an individual has requested that his/her personal data be removed after a court has ordered the data to be retained for evidentiary purposes);
- For achieving purposes in the public interest, scientific or historical research purposes; or
- For the establishment, exercise or defense of legal claims.
The GDPR in Practice
It is still uncertain how enforcement of the GDPR will play out in courts of law and through regulatory enforcement actions. In the meantime, in the face of potentially crippling monetary penalties, businesses should work diligently to become compliant with the express provisions of the GDPR.
Given the GDPR statutory nuance and enforcement uncertainty, businesses that control, process or collect personal data from individuals in the EU should consult with experienced counsel to ensure that all of their data collection, use and sharing policies and procedures are compliant with the new regulations. If you are interested in learning more about this topic or need assistance with GDPR compliance, please e-mail us at firstname.lastname@example.org, or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Related Blog Posts: