The European Union’s latest privacy law, known as the General Data Protection Regulation, went into effect May 25. The GDPR imposes significant and sweeping obligations on businesses that gather “personal data” – enough so that American businesses might hope the Atlantic is wide enough to separate them from the GDPR.
But the GDPR’s territorial scope has arms long enough to reach many American businesses. Europe regards privacy as a fundamental human right, and it has spent more than 70 years protecting that right through a series of declarations, conventions, charters, directives and regulations. The high value that Europe places on privacy is likely to influence the scope and zeal of its enforcement of the GDPR on American companies.
Fortunately, the GDPR does not apply to all personal data gathered from or about European data subjects. It does not apply to personal data gathered from data subjects in the United States if the data is also “controlled” and “processed” by companies that are not established in Europe. For example, personal data about a German who buys a car while she is living in New Jersey, which is controlled and processed by the dealer in New Jersey, is not subject to the GDPR. But the GDPR does apply to personal data gathered about an American who buys a car (or a coffee) while living in Paris.
Any of these business attributes or activities, however, will subject an American company to the requirements of the GDPR:
Establishment in EU
The GDPR applies to “the Processing of Personal Data in the context of the activities of an establishment of a controller or processor in the (European) Union, regardless of whether the processing takes place in the Union or not.”
Establishment doesn’t necessarily mean having a physical location in the EU, or having a subsidiary that does – although either of those facts would trigger the application of the GDPR. Any real and effective activity in the EU through stable arrangements can represent the necessary “establishment” and trigger the application of the GDPR – for example, renting a post office box or establishing a bank account.
If a business is “established” in the EU, it doesn’t matter whether the controlling and processing of personal data takes place outside Europe. A controller determines the purposes and means of data collection. A processor can do any number of things with personal data, including collection, storage, retrieval or use. Processing in the United States of personal data relating to data subjects who live in the United States will still be subject to the GDPR if the processing is in the context of the activities of a European data controller or processor. For example, if an American business engages the Colorado subsidiary of a French company to process payroll data of American employees, the processing will be subject to the GDPR, even if the processing occurs in Denver.
Goods or services
The GDPR applies to businesses that “envisage” offering goods or services to data subjects in Europe, even if no money changes hands. Nonprofits are also not exempt. Theoretically, intention to offer goods or services to European data subjects is the critical question. Regulators would examine such facts as whether the U.S. business’s website references European customers, permits payment in a European currency, or includes translation into European languages. While intention is theoretically critical, if a U.S. business ends up with more than a few European customers “unintentionally,” regulators may well find that the GDPR applies.
If an American business gathers contact information from website visitors or customers located in the EU, and then sends marketing emails to those visitors, then the business will probably have to comply with the GDPR.
Here are activities that will catch many U.S. businesses by surprise. A business that places cookies, uses geolocation or other tracking technologies or engages in behavioral advertising on devices located in the EU is subject to the GDPR. Such monitoring and behavioral profiling activities particularly concern EU regulators.
U.S. businesses may be asked to agree to certain GDPR duties if they are dealing with a company that is subject to the GDPR (or think they are). For example, a European company that provides data processing services to an American company is a “data processor” under the GDPR. As such, it has obligations under the GDPR to define certain responsibilities and rights in a written contract with the “data controller,” whether the data controller is in Europe or not.
In the flurry to comply with the GDPR by the effective date, some companies may have asked U.S. companies to sign contract addenda with GDPR obligations when they were not required to do so. Rather than simply sign, U.S. businesses should consider exploring why the addenda are necessary.
An American business that is subject to the GDPR has several basic options:
- Stop doing the things that trigger the application of the GDPR. Businesses that rely on the European market may not have this luxury.
- Do what it takes to comply with the GDPR, or at least make convincing movements in that direction. The potential benefits of this approach also include coming into compliance with U.S. federal and state privacy and data protection laws. Moving toward GDPR compliance would also help reduce the risk of data breaches and the financial and reputational losses that accompany them.
- Chance getting caught. On the one hand, one would think European regulators have enough low-hanging enforcement fruit to keep them busy for many years. On the other hand, potential fines are huge (up to 4 percent of worldwide annual revenue) and the GDPR gives citizens the right to complain and sue in ways that pose a greater regulatory and litigation threat than what businesses face in the United States.
The GDPR applies to more United States businesses than you might think. American businesses would do well to determine if the GDPR applies to them. If it does, then making progress toward GDPR compliance will reduce exposure to EU fines and suits, improve the business’s compliance with U.S. federal and state privacy and data protection laws, and reduce the financial and reputational risks associated with data breaches. Even if the business turns its back on the EU, establishing a comprehensive privacy and data protection program can be a good investment.
David S. Greber is a principal with Offit Kurman in Frederick.