This is part one of a multi-part look into the EU’s General Data Protection Regulation (GDPR): why U.S. companies need to concern themselves with an EU law, how it differs from U.S. regulations, and the different mechanisms available to comply. We will conclude this series with a webinar in 2018 that will review the series and provide further insights and comments on any updates that may have occurred since the beginning of the series.
The GDPR is a new privacy regulation that will go into effect in the EU on May 25, 2018. The impetus behind the legislation is to strengthen privacy protections for EU citizens as well as unify the laws across the EU member states. The EU has been operating under a privacy directive, which was established in 1995. This directive set a baseline for privacy regulations throughout the EU but left it up to each individual member state to enact its own privacy laws. The GDPR is going to be an EU regulation, which will apply to all member states and become a uniform set of laws.
The impact that it could have on U.S. companies will depend on whether or not your company processes the personal data of EU citizens. The definition of what constitutes personal data under the GDPR is quite broad. It is defined as any information that relates to an individual, such as names, email addresses and other personally identifying information. This definition also extends to technical information, such as IP addresses or device identifiers. Further, your company does not have to have a physical presence in the EU in order to be subject to this regulation. With the expansive reach of the internet, it is now easier than ever to collect personal data from EU residents while operating solely in the U.S.
The most significant and severe change that should have U.S. companies paying attention is the new penalties associated with the regulation. Violations of the GDPR fall into two levels of severity. The lower level carries a maximum penalty of up to €10 million or 2% of worldwide annual revenue of the prior financial year, whichever amount is higher. An upper-tier violation can be up to €20 million or 4% of worldwide annual revenue of the prior financial year. These new penalties are a strong incentive for companies to comply with the GDPR, and compliance for U.S. companies can be a radical shift if they are only familiar with operating under U.S. privacy laws. “For years the U.S. has been viewed as the ‘Wild West’ when it comes to the handling of the personally identifiable information of EU residents,” says Scot Ganow, Senior Counsel in Taft’s Privacy and Data Security practice area. “I think many U.S. companies have operated in the EU under the existing Data Directive without even being aware that it applied to them. The GDPR represents a wake-up call to all companies operating in the global marketplace. Now, more than ever, such companies need to have a solid handle on what personally identifiable information they collect, from where they collect it and how to safeguard it. The clock is ticking.”
In our next post we will look at the differences in the way U.S. privacy law and EU privacy law operate with respect to private sector companies.
Brian Eaton is a member of the Taft Privacy and Data Security practice area and is a Certified Information Privacy Professional in EU privacy law.