
What You Need to Know About the GDPR

How U.S. beverage alcohol companies can comply with new EU privacy regulations

Illustration by Jeff Quinn.

A comprehensive new European Union regulation on privacy, known as the General Data Protection Regulation, or GDPR, came into effect at the end of May 2018. It governs the processing of the personal data of EU residents. Processing, according to Matthew Dumiak, the director of privacy services at CompliancePoint, a consulting firm based in Duluth, Georgia, is the key term. “[The term] processing is pretty broad,” he says, “and it can simply [refer to] storing data that will directly or indirectly identify someone in the EU.” For those in the alcohol beverage industry, the larger impact is likely to be felt by the multinational companies, as opposed to local retailers who sell only to those who walk in the door.

The data we’re talking about here is any information that can, directly or indirectly, identify an individual, including name, address, and email, as well as cookies and IP addresses—anything, that is, that ties back to a specific person. Fines for a violation of the GDPR can range up to 20 million euros or 4 percent of worldwide annual revenue of the violating company, according to the EU Parliament. Individuals can also bring claims through the courts with no cap on damages.

Part of the GDPR’s protections consists of giving consumers rights over their personal information. Chief among these, according to Dumiak, is the right to be forgotten: an EU resident can tell a company to delete or mask data. The masking, Dumiak says, must happen within 30 days, with the possibility of a 60-day extension. For example, if a resident of Germany buys a bottle of alcohol from a U.S. company and has the bottle sent directly to Germany, the buyer’s name and details will be stored with the seller, whether in one system or several. According to Amnon Drori, the CEO of Octopai, a metadata management company based in Rosh Ha’ayin, Israel, a buyer in the EU, such as the German buyer in the example, has the right to tell the seller that he wants any record of his purchase masked, meaning that the buyer’s data is replaced by a code, or to request that his information be deleted altogether. The GDPR also gives the German resident the right to access the personal data a company holds on him and to learn how it is stored; for example, he can request a copy of that data. But how does GDPR compliance work for companies based in the U.S.? Do they need to comply?

“Unfortunately,” says Rebecca Cousin, a partner and co-head of the Data Protection and Privacy practice at the London-based law firm Slaughter and May, “it’s not a straight yes or no, which is why there has been rather a lot of confusion.” If your business has a physical presence in the EU, which many big alcohol suppliers do, such as a branch office or salespeople that are based there, Cousin says that the part of the business with the EU presence will have to comply. Regarding businesses that don’t have a physical presence in the EU, like local U.S. craft distillers, U.S. wholesalers, and U.S. retailers, Cousin says, “a U.S. company would only be subject to the GDPR if they either offer goods or services to individuals in the EU or monitor the behavior of individuals within the EU.” If this applies to your company, it still applies only to the EU offering or monitoring. Many global companies, alcohol and otherwise, are complying by updating their entire privacy policy; they’re also complying with notice requirements by implementing digital pop-up notifications. You may have recently noticed such GDPR-driven privacy policy pop-ups when visiting various websites. If you’re a U.S. company, updating your privacy policy is an efficient first step toward compliance.

If your company offers goods or services to people in the EU, Cousin says that relevant factors to consider for compliance include “the marketing message on the website, the currency of payment, and whether delivery and/or the billing address fields are designed to be for U.S. addresses only.” If, for example, explains Dumiak, your company is based in the U.S. and someone from France visits your website but you can’t sell anything to them, that is not likely to be within the scope of the GDPR.

How can you ensure that your company remains in compliance with the new regulation? The GDPR does not give specific requirements for controls, but it does require businesses to implement appropriate security controls. A couple of requirements, according to Cousin, are that a company maintain a record of data processing (essentially a large table setting out the types of data that are processed, what the purpose of the processing is, what the legal reason is under the GDPR that permits such processing, and so forth) and provide specific information to individuals whose data the company processes. For non-EU companies, the necessity of providing such information depends on whether your company offers goods or services to those in the EU or monitors behavior of those in the EU. If it does, then it also involves appointing a representative in the EU to act as the contact point for the EU authorities.

If you happen to have extensive offerings to the EU—which is fairly rare for most U.S. companies within the alcohol industry, given the likelihood that they’re simply selling to EU wholesalers—coming into compliance should be prioritized on your immediate to-do list. For smaller companies without a real EU presence or representative, it’s not clear how enforcement will take place without cooperation from the U.S. government. Certainly, EU authorities will publicize enforcement, which will likely result in some bad press about improper storage of personal information. Still, according to Dumiak, regulators have limited resources and will probably focus on only the most egregious violations. “We will see,” he says, “if the regulators want to come after U.S. companies with no EU presence.” Perhaps the real question is, should the U.S. develop a comprehensive GDPR of its own to offer better protection for its residents?

Editor’s note: Nothing in this article is intended to be—and should not be—construed as specific legal advice.


Ryan Malkin is principal attorney at Malkin Law, P.A., a law firm serving the alcohol beverage industry. Nothing in this article is intended to be and should not be construed as specific legal advice.
