If your company collects, controls or processes information that can be used to identify an individual resident of the EU, either directly or indirectly, then the EU considers that you are subject to the GDPR regardless of where your company is located. The identifying data may include, among other things, names, birthdates, addresses, e-mail and IP addresses, health information, biometric information, photos and social media posts.
If your company provides goods or services directly to individuals located in the EU, even free goods or services, then the GDPR applies to your company. Examples are direct sales of products such as hardware or sales of services such as banking services, legal services, web design services, and taxi services.
If your company provides monitoring or processing of personal data of EU residents, then your company is subject to the GDPR. Examples include credit monitoring, market monitoring or social network monitoring.
In short, if you touch the data of an EU resident, the EU considers that you are subject to GDPR. So yes, the GDPR applies to your U.S. company. Compliance with the GDPR is now a cost of doing business in the EU.
Can I safely ignore the GDPR?
For a U.S.-based company within the reach of the EU courts, the penalties can be steep – up to €20 million or 4% of global revenues, whichever is greater. Those are big numbers. An administrative body in the EU enforces the GDPR. The administrative body investigates suspected non-compliance and can take any of several actions based on the results of the investigation, from applying no sanction at all, to reprimanding a company, to temporarily stopping the flow of data to that company, to permanently stopping the flow of data to the company, to assessing a money penalty. The actual penalty that the administrative body assesses is based on several factors, including the effort of the company to comply, the number of persons affected and the risk and consequences of a data breach.
The potential penalties for a company with a presence in the EU are important and include exclusion from the EU. For those companies, the answer is easy – no, you cannot safely ignore the GDPR.
The answer is murkier for a U.S. company without a physical EU presence that, say, processes data from EU residents. What is the risk to that company of simply ignoring the GDPR?
The GDPR is not U.S. law and is not directly enforceable in the U.S. courts. Any risks to the U.S. company without a European presence are based on international law.
The U.S. has two privacy agreements with the EU – the ‘EU-US Privacy Shield’ and the ‘EU-US Umbrella Agreement.’ The EU-US Umbrella Agreement applies to disclosure of information between law enforcement agencies. The EU-US Privacy Shield provides that a company must certify to the U.S. government that it will take prescribed steps to protect the privacy of EU residents in order to receive data concerning those residents. By so certifying, the company subjects itself to the jurisdiction of the U.S. courts and of the U.S. International Trade Commission (ITC). If the company does not meet the requirements of the EU-US Privacy Shield, individuals whose privacy rights are adversely affected can sue the company in a U.S. court. The U.S. Government also can sue the company before the ITC for deceptive practices, with a maximum fine of $40,000 per day, and can revoke the company’s certification, preventing the company from accessing data on EU residents. The EU-US Privacy Shield is not the same as the GDPR, and the requirements of the EU-US Privacy Shield are not the same as those of the GDPR.
The greatest risk of GDPR non-compliance to our hypothetical U.S. company that processes EU data is the loss of access to that data. If the U.S. company has no data to process, then it is out of business.
I do business only in the UK – does Brexit affect GDPR?
The GDPR is an EU regulation and the UK is in the process of withdrawing from the EU. The UK is nonetheless currently part of the EU, and residents of the UK count as residents of the EU for the purposes of the GDPR. A proposed UK ‘Data Protection Bill’ equivalent to the GDPR is currently winding its way through the UK parliament. Privacy is one area where the UK and the EU see eye-to-eye.
Will there be a U.S. version of GDPR?
The U.S. and Europe follow fundamentally different approaches to privacy. Europe, with its recent experience of totalitarian surveillance states, views privacy as a fundamental right and the only defense of the individual against the midnight knock on the door. Europeans find a single strong privacy rule that applies in most circumstances to be very attractive.
By contrast, the U.S. addresses privacy on an issue-by-issue basis as each problem arises: for example, HIPAA for medical information, GLBA and FCRA for financial information, ECPA for electronic communications, and the Omnibus Crime Control and Safe Streets Act of 1968 for wiretaps. The U.S. does not view the loss of privacy as an existential threat. Privacy is a privilege, the benefits of which must be weighed against the compliance costs to business.
As a result, the U.S. is unlikely to enact its own version of the GDPR anytime soon.
That is, unless the U.S. is pulled in the direction of the GDPR by the U.S. companies that do business in the EU. Those companies will face different privacy requirements for Europe and for the U.S., which may result in duplication of systems, effort and costs. As those U.S. companies gain experience and comfort in the GDPR landscape, they may become advocates for a single privacy system to avoid those costs. We may see a U.S. GDPR-like system at some time in the future, but not yet.