On April 27, 2016, the European Parliament passed Regulation (EU) 2016/679, better known as the EU General Data Protection Regulation. The extensive consumer data privacy bill has an overarching goal to give European Union residents control over their personal data and to provide transparency between companies and consumers, causing wide-reaching effects on businesses and organizations worldwide. Further, many other jurisdictions have introduced their own consumer data privacy bills in line with the GDPR. Not all potential consequences of the GDPR (and similarly situated laws) are clearly evident quite yet, but companies nonetheless will encounter challenges in their dealings with consumers in the global marketplace, pursuant to the GDPR and other such regulations. One of the hidden consequences of this new proliferation of consumer data privacy measures throughout the world will affect product liability matters, specifically concerning product recalls.

Conducting a product recall is extremely challenging for manufacturers. A recall is vital for a company to mitigate several harms, including liability exposure for injury, illness or property damage that could possibly occur from the use of its defective product, in addition to reputational damage. In conducting a recall, a company first must contact its distributors to halt the sale of the defective product. It then must notify possibly impacted consumers in an effort to prevent injuries from the dangers that the defective product poses. Depending on the risk of injury, the urgency to notify consumers of the recall may be high.

Manufacturers may publicize a product recall on their websites, in distributors’ stores, through the press and on social media. In addition, manufacturers are encouraged (and, at times, required) to provide direct notice of the product recall via mail, email, telephone call, or text message to individual customers possibly impacted by the defective product. In anticipation of potentially being required to properly notify consumers of a subsequent product recall, manufacturers must actively collect and maintain personal data of the purchasers of their products. However, with the GDPR and other consumer privacy laws in effect, manufacturers will face challenges in notifying consumers of product recalls due to the restrictions in collecting and storing consumer data.

The first issue manufacturers will face is changing the manner in which they collect, store and use the personal data of consumers. The GDPR requires companies to obtain consent through clear and plain language documents, free of legalese, that inform the consumer what information is being collected, with whom it will be shared, and the purpose for collecting and storing it. This will translate to manufacturers being required to draft updated terms-of-sale agreements that detail what information will be collected and stored, in addition to their purposes for doing so. Beyond that, it would behoove manufacturers to include this language in their privacy policies or other forms accessible through their online platforms (potentially including terms of use and other documentation, depending on the particular type of product and possibly the company’s industry). From a conservative standpoint, these manufacturers should seek to have consumers/customers provide express consent to all terms contained in these forms.

Another issue facing manufacturers will be obtaining consumers’ personal information from their distributors. Generally, a company that does not interact with consumers directly, but rather furnishes products to distributors, would need to obtain customer lists from those distributors to notify the impacted consumers. This presents a challenge for manufacturers, due to the restrictions upon the transferring (or processing) of a consumer’s personal data. The transferring of personal data from the data controller to a third party under the GDPR (see GDPR Article 6 §1) is lawful only when:

  • Data subject has consented to that specific purpose.
  • Necessary for performance of contract to which data subject is a party.
  • Necessary for compliance under a legal obligation to which the controller is subject.
  • Necessary to protect the vital interests of the data subject or another natural person.
  • Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Necessary for the purposes of the legitimate interests pursued by the controller or by a third party; except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Since there are narrow circumstances under which a controller of data is legally permitted to transfer personal data to a third party, manufacturers will need to take steps as soon as a consumer purchases their products to ensure that a product recall will be possible at all. It will be best practice for a manufacturer to include (1) language in its contracts with distributors that obligates those distributors to be GDPR compliant; and (2) specific language in its terms of sale and other forms detailing that the distributor is obligated to transfer its consumer data to the company for a product recall. This will ensure that the distributor has received the consent of the consumer, enabling the controller to transfer that data to the third-party manufacturer so that it may use that data to conduct the product recall.

An additional, more overarching issue that manufacturers will face, regardless of the first two issues discussed above, will be what to do when an EU data subject exercises their “right to be forgotten” under the GDPR prior to a product recall. If a consumer exercises this right prior to a product recall, it would be impossible for a company to contact that individual regarding the defective product. It is too early to determine how a court would analyze liability in such a case, but if a company used all other avenues (press release, social media, etcetera) to notify the consumer, it may be able to mitigate liability for harm. However, that is a major issue that businesses will need to consider and to work through comprehensively.  

The GDPR has had wide-reaching effects, both anticipated and unanticipated by manufacturers. As similar legislation is passed and enacted in other jurisdictions, individual businesses and, on a larger scale, entire industries are discovering they must alter the manner in which they conduct business. Product recalls are an already complicated process requiring a great deal of planning. The GDPR requires manufacturers to begin thinking about recalling products much earlier in the process than they traditionally have. As more jurisdictions introduce their own versions of consumer privacy laws, manufacturers will have to move consumer data privacy concerns and action items to the top of their list of priorities.