U.S. Public Agencies May Need to Comply With European Union Data Privacy Regulation
Todd Leishman and Leeann Habte are attorneys with the law firm of Best Best & Krieger LLP and can be reached at Todd.Leishman@bbklaw.com and Leeann.Habte@bbklaw.com, respectively. Elizabeth Barket, formerly with Best Best & Krieger LLP, also contributed significantly to this article.
A sweeping new global privacy law took effect in May, and its reach extends even to local public authorities in the United States. The General Data Protection Regulation (GDPR)[1] of the European Union (EU) regulates how personal data must be collected, stored and shared. Although its impact on private companies has been broadly discussed, little attention has been paid to its impact on public authorities that fall within its scope.
This article offers information to help public agencies understand if and how the GDPR might apply to them and which of their day-to-day advertising, partnership and online activities might bring them under the GDPR’s purview. This article also provides practical steps that public agencies can take to comply with the law.
Privacy Law Applies to Local Agencies That “Process” Certain Personal Data
Unlike its predecessor, the EU’s Data Protection Directive, the GDPR’s territorial scope reaches certain private entities and public authorities outside the EU, including federal, state and local government agencies. For a public authority or private entity in the United States, the GDPR applies in two instances:
- When the entity processes personal data of individuals (“natural persons”) in the EU (including the United Kingdom)[2] and the processing relates to “the offering of goods or services,” even if no payment is required;[3] or
- When the processing relates to monitoring the behavior of those individuals, insofar as that behavior takes place in the EU.[4]
Many public agencies in the United States might process data within the scope of the GDPR. “Process” is defined broadly: it covers essentially any operation performed on personal data, whether manual or automated, from collection and storage through use, disclosure and erasure.[5]
Processing Related to Offering Goods and Services to People in the EU
Although the GDPR does not clearly define when processing relates to “the offering of goods or services” to individuals in the EU, it does provide some guidance on factors that a court or supervisory authority might consider in making that determination, such as whether advertised goods or services can be purchased in an EU member state’s language or currency, or whether an advertisement is clearly designed to reach an EU audience.[6]
For example, a local public agency might process data within the meaning of the GDPR by:
- Hosting a tourism website (such as a website for a conference center, hotel or special event) with content that advertises to a global or EU audience;
- Providing an option to purchase certain goods (such as tickets or hotel bookings) in an EU member state’s currency or language;
- Publishing testimonials of EU residents or organizations that have used the advertised goods or services; or
- Maintaining an email distribution list targeting entities or persons interested in knowing about certain events or availability related to the public authority.
Processing Related to Monitoring Behavior in the EU
If a public agency collects information on EU residents through advertising or online tracking, the agency is likely processing personal data related to monitoring behavior and is subject to the GDPR. If a public agency gathers personal data through a website or a mobile app, or provides a third party with access to personal data that it gathers through such sources, the agency should investigate whether any person in the EU is “monitored” by the agency within the meaning of the GDPR. Although the GDPR does not define “monitoring,” its recitals indicate that monitoring occurs when “natural persons are tracked on the internet.”[7] This includes the use of personal data processing techniques like “profiling” a person, which may entail analyzing or predicting his or her personal preferences, behaviors or attitudes based on the personal data gathered.[8]
However, it doesn’t end there. Far less technical practices appear to constitute monitoring within the meaning of the GDPR. A public agency might be deemed to be monitoring people in the EU if the agency:
- Uses website analytics tools or behavior-based ad-retargeting programs;
- Employs tracking technology, such as using cookies on a website or collecting a visitor’s IP address;
- Profiles users for fraud-prevention purposes;
- Engages in location-based data gathering (for instance, through a mobile app associated with a particular local authority or an app connected with a third-party offering services in partnership with the local authority, such as a bike-share program); or
- Passes on personal data to third parties for monitoring or profiling purposes.
Requirements for Agencies Subject to the GDPR
For entities subject to the GDPR, the law imposes two significant sets of requirements. First, it provides new privacy rights to natural persons in the EU, including the rights to require the deletion of personal data,[9] to object to the processing of their personal data[10] and, in certain instances, to obtain a copy of the personal data held by an entity regulated by the GDPR.[11] Second, it places substantive data security, transparency and breach notification requirements on those entities under its purview, along with many other compliance requirements designed to regulate the use and transfer of “personal data,” defined broadly as “any information relating to an identified or identifiable natural person.”[12] Personal data includes a data subject’s name, identification numbers, location data and online identifiers, such as an IP address, a cookie[13] or a radio frequency identification (RFID) tag,[14] as well as “special” data categories, like genetic and biometric data.[15]
Penalties for Failure to Comply With the GDPR
Public agencies in the United States that are subject to the GDPR are expected to comply, and may face consequences for failing to do so.[16] Penalties for noncompliance can reach up to €20 million or 4 percent of annual worldwide revenue, whichever is higher,[17] and individual “data subjects” (persons with rights under the GDPR) can seek compensation for damages caused by a GDPR violation.[18]
Steps to GDPR Compliance
Public agencies should view the GDPR as a call to action and an opportunity to increase and clarify internal controls and policies for data gathering, use and storage activities. Key decisionmakers should be made aware of potential GDPR compliance obligations. As public authorities increasingly gather and use data for official and commercial purposes — including in partnership with private third-party entities — GDPR compliance will likely comprise an important step toward institutionalizing appropriate privacy and data security practices.
The GDPR has established new norms for privacy and data security that have already shaped California law and public perception regarding privacy rights. Earlier this year, the California Legislature enacted a privacy law similar to the GDPR, the California Consumer Privacy Act of 2018. Although the California law does not appear to apply to local governments, privacy laws are evolving at a rapid clip, and local governments must diligently assess their compliance obligations.
Complying with the GDPR should include the following steps:
- Assess and update data inventories, business processes and data strategies;
- Update privacy notices and policies;
- Implement procedures to honor data subject rights (access, deletion, objection and portability);
- Review and update data security measures;
- Update third-party processor agreements; and
- Conduct training for employees.
Each of these steps requires evaluation and development of new policies and procedures. Legal counsel can assist in assessing compliance needs and in implementing a compliance strategy that is appropriate for your agency.
[1] Regulation (EU) 2016/679. The GDPR is a comprehensive update of its predecessor, the Data Protection Directive, Directive 95/46/EC (the “Directive”). Many GDPR provisions remain largely unchanged from the Directive, and Directive jurisprudence and guidance provide insight for GDPR compliance.
[2] The UK’s Information Commissioner’s Office has stated that the GDPR applies in the UK, as the UK has adopted materially similar provisions in the Data Protection Act 2018. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.
[3] Art. 3(2)(a) GDPR.
[4] Art. 3(2)(b) GDPR; Recital 24 GDPR (specifying that profiling of internet use is an example of “monitoring” within the meaning of Art. 3).
[5] Processing is defined broadly under the GDPR to include any manual or automated “collection, recording, [organization], structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of personal data “or on sets of personal data.” Art. 4(2) GDPR.
[6] Recital 23 GDPR.
[7] Recital 24 GDPR.
[8] Art. 4(4) GDPR.
[9] Art. 17 GDPR.
[10] Art. 21 GDPR.
[11] Art. 20 GDPR.
[12] Art. 4(1) GDPR. Data is “identifiable” if it can be used to identify a natural person using “all means reasonably likely to be used,” which is generally regarded as a low standard. Recital 26 GDPR.
[13] Recital 30 GDPR.
[14] Recital 30 GDPR.
[15] Art. 9 GDPR.
[16] See, e.g., Art. 4(7) GDPR (specifying that a data “controller” includes a “public authority” or “agency,” acting alone or jointly with others to determine the “purposes and means” of processing personal data). Official EU guidance clearly provides that the GDPR covers national public bodies as well as “regional or local authorities, bodies governed by public law and associations formed by one or several such authorities or one or several such bodies governed by public law.” Article 29 Data Protection Working Party, Opinion 2/2016 on the publication of Personal Data for Transparency purposes in the Public Sector (1806/16/EN WP239), http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2016/wp239_en.pdf.
[17] Art. 83(5) GDPR; Recital 148 GDPR.
[18] Art. 82(1) GDPR (establishing a right to compensation for any person who has suffered “material or non-material damage” as a result of a GDPR infringement); id. at Art. 80 (data subjects can mandate consumer protection bodies to bring claims on their behalf); id. at Art. 79 (right to an effective judicial remedy against a controller or processor).