By Legal Futures’ Associate Knovos
When it comes to comprehending the intricacies of the General Data Protection Regulation (GDPR), legal information management professionals on either side of the pond may occasionally find themselves further confused by the difference in meaning between terms used in Europe versus the United States. With that in mind, here’s a list of some GDPR terminology that varies from folk to bloke — but is essential to those involved in collecting, storing, processing, and transferring personal data.
Data Controller vs. Custodian
In the EU, the person, public authority, agency, or other entity involved in the processing of personal data and related decision-making is referred to as a “data controller.” In the U.S., the person or persons with administrative control of a document (e.g., a witness in possession, custody, or control of a relevant document or file) is called a “custodian,” “data custodian,” or “ESI custodian.”
Data Processing
In the EU, “data processing” refers to any operation applied to personal data, including collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure, or destruction. U.S. eDiscovery practitioners use the same term, “data processing,” to describe the technical process used to filter ESI and convert it into forms more suitable for document review and analysis.
Personal Data vs. PII
Europeans apply the term “personal data” to special categories of data prohibited from processing, including any information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Also prohibited for processing in the EU is genetic, biometric, or health-related data, as well as any data concerning an individual’s sexual orientation. Americans prefer the term “personally identifiable information (PII),” which applies to six “special” categories of similar data afforded further protection in the U.S., including health, finance, education, child-related, consumer credit, and federally held PII.
Third-party/Cross-border Data Transfers
The GDPR meaning of “cross-border data transfers” is narrower than the U.S. concept, applying only to the transfer of data within the EU territorial limits of a single controller, processor, or establishment. (Transfers that are not within the EU are called “third-country data transfers.”) U.S. practitioners think of cross-border transfers as any international data transfer, whether into the U.S. or not. The position of the Federal Trade Commission and other U.S. regulators is that the applicable U.S. laws and regulations still apply to data after it leaves the country.
Data Breach & Timing of the Notification of Breach
GDPR defines a “data breach” as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.” In the EU, any data breach notification should be made “without undue delay and…not later than 72 hours.” The standard criterion triggering a data breach notification in the United States is the “unauthorized access or acquisition” of sensitive/personal data elements such as Social Security numbers and credit card numbers. In the U.S., data breach notifications must be made “in an expedient manner,” with a small handful of jurisdictions requiring definite timetables ranging from 5 to 30 days.
Mandating Independent Supervisory Authority
Generally speaking, the main contact point for questions on data protection in the EU is the Data Protection Authority (DPA) in the EU member state where the company or organization is based. In the U.S., the FTC has jurisdiction over most commercial entities and has the authority to issue and enforce privacy regulations in specific areas (e.g., for telemarketing, commercial email, and children’s privacy). State attorneys general typically have similar authority and bring some enforcement actions, particularly in the case of high-profile data security breaches.
In conclusion, effective communication is as important as ever, so take a moment to verify that the terms you are using are clearly understood by both parties, especially in transatlantic situations!