In May 2018, the European Union passed a regulation known as the General Data Protection Regulation, more commonly known as the GDPR. Superseding the Data Protection Directive, the GDPR was passed with the intent to harmonize data privacy laws across the European Union as well as to strengthen existing data privacy laws. Despite being an EU regulation, many US companies have been making efforts to comply with the Regulation, and for good reason. Under the GDPR, an organization may be fined up to € 20,000,000, or 4% of its annual revenue, whichever is higher, if the Regulation is violated.
All of this has left many US-based companies wondering: does this apply to me? Surprisingly, many more US companies are affected by the GDPR than one might think. For example, any organization with an “establishment” in the EU might be within the ambit of the GDPR if it collects or processes data using that establishment. Actually, that is one of the more straightforward examples. Read broadly, any organization that collects or processes data of individuals located within the EU may be subject as well. While that may not sound like it affects many organizations, that description includes any company that prompts users of its website to enter their information on a “contact us” page.
But having such a page is still not dispositive of whether the GDPR applies to you. If that page is in a foreign language, or if individuals residing within the EU are targeted as potential clients, it may be enough for the GDPR to apply to a company, although other factors are considered.
There are also third-party compliance requirements. If an organization is within the ambit of the GDPR, it cannot send information on individuals residing in the EU to a third-party organization unless that third-party organization is also in compliance with the GDPR. A simple way to illustrate this point is to consider a company that sells marketing data on those residing in the EU. Even if the marketing company is in compliance with the GDPR, it cannot sell information to another organization unless that organization is also in compliance. This concept of third-party compliance further extends the reach of the GDPR to even more US-based companies.
In the event that the GDPR does apply to an organization, compliance with the Regulation is not simple. The GDPR likely requires the organization to take significant steps to avoid violations. One overarching requirement is receiving affirmative consent and making sure individuals are fully informed of the data collection and storage process. This includes informing the individual that their information is being collected and stored, why it is being stored and used, how the individual can have the information erased, and whom to contact if there are any questions about that data. Needless to say, any organization that has recently come within the scope of the GDPR will have to alter its practices and policies if it wishes to comply.
Many are unsure whether the GDPR applies to them and, as you may now realize, there are good reasons for that. While it may be tempting to wait and see how the Regulation will be enforced, it is important to keep in mind how substantial the penalties are. All things considered, it may be best for US organizations that believe there is even a chance the GDPR applies to them to get a definitive answer so that they may avoid the significant penalties allowed by the Regulation.
Article written by Dawn J. Lanouette, Esq. and Summer Associate Matthew Venuti. For more information, contact Ms. Lanouette at (607) 231-6917 or via email at firstname.lastname@example.org