If you’ve been following the headlines, you know that a day doesn’t pass without a reference to the “GDPR”. On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) will take effect, marking the most significant change to European data privacy and security in over 20 years. Most multinational companies, and of course EU-based companies should be in the process of ensuring GDPR compliance by May 2018. But what about if you are a US-based company with no direct operations in the EU? Do you think you are free of the GDPR’s reach? Think again!
In short, the GDPR aims to protect the “personal data” of EU citizens – including how the data is collected, stored, processed and destroyed. The meaning of “personal data” under the GDPR goes far beyond what you might expect considering how similar terms are defined in the U.S. Under the GDPR, “personal data” means information relating to an identified or identifiable natural person. A person can be identified from information such as name, ID number, location data, online identifier or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. This even includes IP addresses, cookie strings, social media posts, online contacts and mobile device IDs.
A major change made by the GDPR is the territorial scope of the new law. The GDPR replaces the 1995 EU Data Protection Directive which generally did not regulate businesses based outside the EU. However, now even if a US-based business has no employees or offices within the boundaries of the EU, the GDPR may still apply.
Under Article 3 of the GDPR, your company is subject to the new law if it processes personal data of an individual residing in the EU when the data is accessed. This is the case where the processing relates to the offering of good or services or the monitoring of behavior that takes place in the EU.
Thus, the GDPR can apply even if no financial transaction occurs. For example, if your organization is a US company with an Internet presence, selling or marketing products over the Web, or even merely offering a marketing survey globally, you may be subject to the GDPR.
US-based companies with no physical presence in the EU, but in industries such as e-commerce, logistics, software services, travel and hospitality with business in the EU should already be in the process of ensuring GDPR compliance. However, all US-based companies, especially those with a strong Internet presence, should assess whether their business activity falls within the territorial scope of the GDPR.
Consequences of Non-Compliance
The GDPR imposes significant fines for companies that fail to comply. Penalties and fines, calculated based on the company’s global annual turnover of preceding financial year, can reach up to 4% or €20 million (whichever is greater) for non-compliance with the GDPR, and 2% or €10 million (whichever is greater) for less important infringements. So, for example, if a company fails to report a breach to a data regulator within 72 hours, as required under Article 33 of the GDPR, it could pay a fine of the greater of 2% of its global revenue or €10 million.
How EU regulators can fine you ?
Now, for the big question: How does an EU regulator fine a U.S. company under an EU law that has no analogue in the U.S.?
Simple: They do it with authority, jurisprudence, and the aid of international law.
“For U.S. companies that have a physical presence (establishment) in the EU, which increasingly they do, the GDPR can be enforced directly against them by EU member state authorities,” Priebe says. “EU authorities have been aggressively pursuing data protection enforcement actions against U.S. companies with locations in the EU for a number of years.”
But things get a little murkier for U.S. companies without a physical presence in the EU. GDPR addresses this issue “by requiring companies without an establishment in the EU … to designate a ‘representative’ located in the EU.”
This won’t apply to every U.S. business — just the ones that are knowingly, and actively, conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if a U.S. company was purposely collecting EU resident data and subverting GDPR compliance. So, in some cases, the inadvertent collection of personal data will be forgiven if it is found to have been occasional and “unlikely to result in a risk to the rights and freedoms of natural persons.”
But this all relies on the EU member state’s judgment. Some EU countries such as Germany take a harder approach to data privacy, and may not be as lenient.
Last but not least: EU regulators rely on international law to issue fines. Written into GDPR itself is a clause, stating that any action against a company from outside the EU must be issued in accordance with international law.