Europe’s New Personal Data Protection Law Will Have Broad Impact on U.S. Businesses
SAS and OMP
The European Union Parliament enacted the General Data Protection Regulation (“GDPR”), which aims to protect the personal information of individuals in the EU. Many U.S. businesses will have to comply with the GDPR if they have personal information—which includes a variety of data from name to birthdate, home address to IP address, and many other data points in between—of individuals in the EU. The GDPR went into effect on May 25, 2018.
Scope of the GDPR
U.S. companies engaged in processing personal data of individuals in the EU (not just EU residents, but anyone residing there or traveling through) may have to comply with the GDPR even if they have do not have a brick and mortar place of business in Europe. “Processing” has an expansive definition and includes collecting, storing, using, or retrieving personal data. “Personal data” is also broadly defined and includes any information relating to an identifiable person. Information obtained using cookies or web beacons, for example, may qualify as personal data. As a result, any business that has any personally identifiable information about any individual in the EU is arguably subject to the GDPR.
The GDPR gives individuals who are covered by the law certain rights that may be utilized against companies that control and process their data. For example, under certain circumstances, individuals may object to the processing of their data or request that it be deleted. Additionally, individuals in the EU are entitled to receive certain disclosures about how their information is collected and used. This means that companies will likely have to revise their privacy policies, and it explains why many people, even in the United States, received a flurry of updated privacy policies in late-May and early-June of this year.
As a means of protecting covered data, the GDPR requires companies that possess personal data and utilize third-parties to assist in supplying their goods or services to include certain provisions in their contracts with those third parties. And the GDPR establishes requirements for how companies respond to data breaches, in some cases mandating that companies notify the appropriate regulatory authority within 72 hours of learning that a breach occurred.
The GDPR has garnered extensive attention. In part, that is because the law allows EU regulators to impose large fines for violations of the statute. Depending on which article is violated, the cap may be as much as €20 million (approximately 23 million U.S. dollars) or 4% of the company’s worldwide annual revenue—whichever is greater. On top of the provisions authorizing administrative fines, the GDPR also provides private causes of action under which individuals have the right to sue companies for damages.
Many variables are considered in assessing fines. An effort to comply with the law will certainly weigh in a business’s favor. All companies that keep or process personal data should evaluate whether they are subject to the GDPR. Once a company determines that it is subject to the GDPR, the next step is identifying the key areas of noncompliance that need to be addressed.
One way the EU may enforce the GDPR against U.S. companies without a physical presence in the EU is through the requirement that companies outside the EU (that process personal data more than “occasionally”) designate a representative in the EU to act on their behalf. This designated representative can be subject to enforcement proceedings in the event of non-compliance. If you are a Wisconsin business with questions about the GDPR, Stafford Rosenbaum’s business law experts can answer your questions about the GDPR and assist you in auditing your vulnerabilities under the new law.