It will apply to all businesses established in the EEA and a large number established outside of the EEA.
With large potential fines (up to the greater of 4% of global turnover or EUR 20m), the risk of claims from individuals and reputational damage, cruise lines, like all businesses, need to make the necessary changes to their systems and policies now in order to be prepared when the GDPR ‘goes live’, says global law firm HFW in its latest Briefing: The GDPR iceberg: data protection in the cruise industry.
HFW, lawyers in international commerce including travel, cruise and leisure, points out cruise lines control a lot of personal data, collecting and storing information about passengers’ identities, preferences and health requirements. They also hold information on their workforces (whether employed or contracted) and have immigration law obligations in numerous jurisdictions.
‘They conduct consumer-facing marketing campaigns. All of this information is likely to cross national borders and be exposed from time to time to physical and cyber security risk. The need to ensure data protection is already essential. Once the GDPR applies, and risk of large fines and reputational damage increases, a breach of the data protection rules could potentially sink the business (or at least cause it to take on water),’ states the HFW Briefing.
So what does the GDPR change and what stays the same?
The GDPR introduces a central theme of accountability which strengthens the existing rules, and the concept of ‘privacy by design’.
It strengthens the existing rights of individuals and adds new rights. It introduces record keeping requirements and mandatory data breach reporting and increases the information which must be notified to individuals and adds mandatory clauses to contracts between data controllers and data processors.
Businesses will require their counterparties to be compliant with the GDPR and data processors will also now have data protection obligations.
All EEA Member States (including the UK, regardless of Brexit), notes HFW, will have their own data protection laws to implement the terms of the GDPR and to set out their enforcement mechanisms. Member States can tailor certain elements of the GDPR where this is permitted.
The GDPR will apply to organisations based outside of the EEA if certain conditions apply. The GDPR applies to a non-EEA organisation if it has a presence in the EEA, if it monitors the behaviour of individuals within the EEA (for example via cookies), or if it offers services to individuals within the EEA. It also applies where EEA Member State law applies in accordance with international law, for example where a vessel is flagged with an EEA Member State registry.
HFW outlines eight key provisions of the GDPR which it suggests require action now, covering aspects such as data auditing and record keeping, data processing, the collection of personal data, and whether or not a data protection officer must be appointed.
The Briefing also points out that where travel agents make decisions themselves about how and why to process the personal data of passengers or prospective passengers, they have the same obligations under the GDPR that the cruise lines will have (subject to variations in applicable Member State law, depending on the location of the travel agent).
Conversely, where travel agents process certain personal data only on behalf of cruise lines, for that particular processing the travel agents may have some obligations under the GDPR but do not have all of the obligations that data controllers have. If a data processor processes personal data in a way which causes a cruise line to breach its obligations under the GDPR then the cruise line may be held liable for that breach unless it can show that it is not responsible in any way.
‘Privacy rules around the world are tightening. The GDPR is just one example of a regime change which aims to put individuals’ privacy rights first. Many of the principles are similar in laws around the world, but the GDPR is often stricter. Although compliance with the GDPR will not guarantee compliance with all privacy regimes across the globe, it will help to reduce global risk,’ concludes HFW.