How the GDPR Will Impact U.S.-Based Companies (Part 1)
On May 25, 2018, the European Union (“EU”) will implement the most robust regulation of privacy data that the digital world has ever seen—commonly known as the General Data Protection Regulation, or “GDPR.” The GDPR is the product of years of negotiation among European legislators about how best to protect individual rights to privacy. The GDPR takes a consumer-first perspective and formalizes the principle that individuals have a fundamental right to privacy, or more specifically to privacy of their personal data.
This article is Part I of a four-part series in which we will discuss various aspects of the GDPR’s implications for U.S. businesses. Part II of this series will address key requirements of the GDPR, Part III will address how U.S.-based companies can best prepare for the GDPR’s implementation, and Part IV will address specific concerns for Human Resources personnel who may deal with the personal data of an EU resident.
Should Non-EU companies care?
Before we get into the weeds, let’s address the elephant in the room. Should non-European-based companies care? Yes. They should care for a few key reasons.
1. The GDPR has a very broad reach.
Unlike the patchwork regulation of privacy in the United States, the GDPR essentially applies to any data controller or data processor of the personal data of data subjects within the EU, regardless of industry or where the company is based. In order to understand what this means, there are a few key definitions to consider:
- Data controller. A data controller (i.e., an entity that controls data) is the entity that determines the purpose, conditions and means of the processing of personal data. It is usually the company that is collecting or using the data.
- Data processor. A data processor (i.e., an entity that processes data) is an entity that performs operations on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Personal data. Any information relating to a data subject, such as a name, identification number, location data, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- Data subject. A data subject is an identifiable natural person, i.e., one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For purposes of GDPR applicability, “data subject” is not limited to consumers, but also includes employees and other individuals.
- Within the EU. While many have assumed that the GDPR only applies to the personal data of EU residents, others anticipate the regulation to apply to any single individual physically located in the EU—even a U.S. citizen. Unpacked, the scope of the GDPR encompasses any company, regardless of the industry, that collects, records, organizes, structures, adapts, alters, retrieves, consults, uses, discloses, disseminates, restricts, erases, or destroys any information that could identify an individual person. Therefore, U.S. companies that offer goods or services in the EU, monitor the behavior of individuals in the EU, or process the personal data of an EU data subject on behalf of other businesses should care about the GDPR.
The GDPR considers a number of other factors to determine applicability, including whether a company has localized its website to an EU-based domain, whether there is an option to translate the website into European languages, whether the company accepts European currencies, or whether the company collects email addresses to confirm receipt of contact or a purchase but uses them for other (e.g., marketing) purposes. It seems that the GDPR will be particularly sensitive about companies that “track” data subjects in the EU. This would include a company that obtains an EU consumer’s email address to provide him or her with a receipt of purchase, then uses that email address to send marketing material that tracks whether such material has been opened, forwarded, or otherwise utilized—a common practice among web-savvy retailers.
2. The GDPR can implicate B-to-B entities.
A common misconception among U.S.-based companies about the GDPR is that the GDPR will not apply if they are not directly obtaining personal information of data subjects in the EU. Data is becoming more and more fluid and, consequently, more difficult to contain. In addition, companies rarely, if ever, work alone in transacting with consumers.
Take for example Company A, a B-to-B marketing company. Company A contracts with Company B, an online retailer, to help best utilize the data of Company B’s customers. The customers (or data subjects) provide their names and email addresses to Company B in order to use its website. Here, although Company A has no direct contact with the data subjects and is not asking for the customer email (i.e., Company A is not a data controller), it could fall into the purview of the GDPR as a data processor.
3. A violation of the GDPR can be very expensive.
Unlike under the current EU privacy law, the Data Protection Directive, failure to comply with the GDPR could result in very steep fines. While omitting specific guidelines on how fines will be calculated, the GDPR requires fines to be “effective, proportionate, and dissuasive.” (Article 83(1).) Infringements of the GDPR could result in a fine of the greater of €20 million or 4% of turnover (revenue), which, in certain cases, can include corporate families (e.g., parent companies and subsidiaries). There will be 28 Data Protection Authorities (DPAs) with authority to issue fines.
What does this mean?
The broad reach of the GDPR has the potential to affect a large portion of U.S.-based companies that do not consider themselves to be within the purview of its regulations. Underestimating its applicability could result in a significant financial burden on such companies.
If you have any questions about whether the GDPR will impact your company, or about steps to take to prepare for its upcoming implementation, please stay tuned for additional information. Attorneys in the Schwabe, Williamson & Wyatt, P.C., privacy group will coordinate with firms in the EU to provide assistance.