With the upcoming May 25, 2018 effective date for the new European General Data Protection Regulation, the European Union law drafted to provide greater protections for the personal data of individuals, it is a good time to review and consider the large quantity of data generated by green buildings.
The EU GDPR has long arms and its reach impacts a large number of U.S. organizations that might not expect to be subject to a European data privacy law.
Because the EU GDPR, with its global reach, carries very large monetary penalties, as much as the greater of €20,000,000 or 4% of total worldwide annual turnover from the preceding financial year, every U.S. entity that has minimum contacts with European residents should determine if it is required to comply. Most large U.S. companies are already in compliance.
Many small U.S. organizations have received notices from Google Adwords or Facebook. And among our most read blog posts last year was Green Building Data has Enormous Economic Upside. It may be shameless self-promotion to suggest that if you want an overview of green building data matters, you read that blog post. This post is about a subset of those data issues: the impact of the new European data privacy law.
An organization must comply with the EU GDPR if it is a controller or processor of “any information relating to an identified or identifiable natural person” located in the EU.
The new law is based on a twenty-first century application of a tenet of eighteenth century liberalism that “the protection of natural persons in relation to the processing of personal data is a fundamental right.” That is, the overarching principle is that the individual owns their personal data, not the data controllers or processors. This is the opposite of prevailing U.S. laws.
An example may be a U.S. landlord leasing to a French company, or that landlord collecting building occupant data for a German resident living in the U.S., where the data could be collected as a LEED building occupant survey or a stored video of building occupants entering the lobby. And while, absent an extension of some sort, the UK will leave the EU on March 29, 2019 as a result of Brexit, the law is expected to apply to British citizens.
There are opt-in consent requirements, a right to erasure (updated from the earlier ‘right to be forgotten’), a right to access one’s data, data security obligations including pseudonymization of that data, data breach notification requirements, responsibility for data transferred outside of the EU, and much more. Data processors with 250 or more employees are required to maintain records of processing activity. A processor with fewer than 250 employees must also keep such records if the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is more than occasional, or the processing includes certain special categories of data relating to racial or ethnic origin, religious and other beliefs, sexual orientation, or criminal convictions and offenses.
The requirement of opt-in consent, as noted above, can be characterized as the core tenet of the new data protection law. But even obtaining an individual’s consent in order to process their personal data may not be as straightforward as some think, in part because consents will need to be refreshed; some are suggesting every two years.
Arguably, for businesses dealing only with other businesses, an easy way to comply with the EU GDPR processing requirements is through standardized contract clauses preapproved by the European authorities. This is the model suggested by the Google Adwords emails to U.S. businesses that may have ads viewed in Europe.
The U.S. Green Building Council’s data practices provide the alert that “you must submit extensive information to GBCI related to the Project, including without limitation, any information related to you ..” The practices are publicly articulated in the GBCI legal section 13, Project Information. While there are other reasons not to do so, for the purpose of easily complying with the EU GDPR with respect to data provided to GBCI, it may be prudent, first, to elect for the LEED or arc project to be a “Private Project” opting out of all public data sharing and, second, not to pursue credits involving occupant data.
The EU law is not only mandatory for all doing business with EU residents; its broader application may be that it is excellent guidance for any business seeking to mitigate the risk associated with data protection. Because the U.S. does not have an omnibus data protection law, the EU data protection regime has become the de facto standard.
The effective date for the EU GDPR is upon us. Organizations should first and foremost determine whether they are governed by the law. If so, the organization should promptly undertake efforts to understand what data it collects, processes, and stores. If any of that data involves a person located in the EU, the organization should prepare a plan to bring itself into compliance. Consultation with counsel may be necessary to assure an organization is complying with the new law.