The actual or perceived failure by us, our customers, or vendors to comply with increasingly stringent laws, regulations and contractual obligations relating to privacy, data protection, and data security could harm our reputation, and subject us to significant fines and liability.
We are subject to numerous domestic and foreign laws and regulations regarding privacy, data protection, and data security, the scope of which is changing, is subject to differing applications and interpretations, and may be inconsistent among countries or conflict with other rules. We are also subject to the terms of our contractual obligations to customers and third parties related to privacy, data protection, and data security. The actual or perceived failure by us, our customers, our vendors, or other relevant third parties to address or comply with these laws, regulations, and obligations could increase our compliance and operational costs, expose us to regulatory scrutiny, actions, fines and penalties, result in reputational harm, lead to a loss of customers, reduce the use of our services, result in litigation and liability, and otherwise cause a material adverse effect on our business, financial condition, and results of operations.
For example, the EU adopted the GDPR, which imposes onerous and comprehensive privacy, data protection, and data security obligations onto data controllers and processors, including, as applicable, contractual privacy, data protection, and data security commitments, expanded disclosures to data subjects about how their personal information is used, honoring individuals’ data protection rights, limitations on retention of personal information, additional requirements pertaining to sensitive information (such as health data) and pseudonymized (i.e., key-coded) data, data breach notification requirements, and higher standards for obtaining consent from data subjects. Penalties for non-compliance with the GDPR can be significant and include fines in the amount of the greater of €20 million or 4% of global turnover and restrictions or prohibitions on data processing, which could limit our ability to do business in the EU, reduce demand for our services, and adversely impact our business and results of operations. The GDPR also provides that EU member states may introduce further conditions, including limitations, to make their own further laws and regulations limiting the processing of genetic, biometric, or health data, which could limit our ability to collect, use and share European data, or could cause our compliance costs to increase, require us to change our practices, adversely impact our business, and harm our financial condition. Assisting our customers, partners, and vendors in complying with the GDPR, or complying with the GDPR ourselves, may cause us to incur substantial operational costs or require us to change our business practices.
In addition, in January 2021, following its exit from the EU, the UK implemented its own version of the GDPR (the “UK GDPR”), which currently imposes substantively similar obligations to the GDPR and provides for fines of up to £17.5 million or 4% of global turnover, whichever is greater, for non-compliance. In addition, an actual or asserted violation of the GDPR or UK GDPR could result in regulatory investigations, reputational damage, orders to cease or change our processing of our data, enforcement notices and/or assessment notices (for a compulsory audit). We also may face civil claims, including representative actions and other class action-type litigation (where individuals have suffered harm), potentially resulting in our paying significant compensation or damages, or incurring other significant liabilities, as well as associated costs, diversion of internal resources, and reputational harm.
The relationship between the UK and the EU in relation to certain aspects of privacy, data protection, and data security laws is subject to some uncertainty. For example, on June 28, 2021, the European Commission announced a decision of “adequacy” concluding that the UK ensures an equivalent level of data protection to the GDPR, which provides some relief regarding the legality of continued personal information flows from the European Economic Area (“EEA”) to the UK. This adequacy determination will automatically expire in June 2025 unless the European Commission renews or extends it and may be modified or revoked in the interim. We cannot predict how the UK GDPR and other UK data protection laws or regulations may develop, including as compared to the GDPR, nor can we predict the effects of divergent laws and related guidance. Changes with respect to any of these matters may lead to additional costs and increase our overall risk exposure, particularly if the GDPR and UK GDPR develop in conflicting or otherwise divergent ways.