• GDPR Client Alert Part 1: What It Is, What It Means in the U.S., and How U.S. Companies Should React
  • June 22, 2018 | Authors: Johanna H Jochum; Kevin T. Wills
  • Law Firms: Babst Calland - Pittsburgh Office; Babst Calland - Washington Office
  • On May 25, 2018, the European Union General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR), which limits the processing of personal data, became effective and enforceable. Unlike most EU regulations, portions of the GDPR apply to companies in third countries (countries outside the EU), including companies in the United States.

    The extraterritorial ramifications of the GDPR are already apparent. Many U.S.-based companies that generate revenue from processing large amounts of personal data have recently revised their privacy policies to comply with the GDPR requirements. However, for companies with business models that do not center on personal data processing, the extent of the GDPR’s reach and application is less clear.

    1. What is the GDPR?

    In the age of the internet, nearly everyone routinely shares personal data in everyday tasks. The purpose of the GDPR is to protect the “fundamental rights and freedoms” of people who share that personal data by limiting the extent a third party can process that personal data.

    The GDPR’s definitions of “personal data” and “processing” are broad enough that most online activities are captured. For example, “personal data” can be “any information” relating to an identifiable person, including a person who can be identified by a username or location ID.[1] Further, “processing” is defined to include activities such as collection, storage or dissemination of personal data.[2]

    Generally speaking, no company may process personal data that is shared during these everyday tasks at all unless the processing rests on one of six broad lawful bases: (1) consent; (2) performance of a contract; (3) a legal obligation; (4) protection of “vital interests”; (5) the public interest; or (6) legitimate interests.[3] The person or legal entity that determines the purposes and means of the processing, the “controller,” and in some situations, the person or legal entity that processes data on behalf of the controller, the “processor,” are liable for violations.[4]

    Although the GDPR has recently become a subject of media interest, its principles have largely been part of EU Member State law since the Data Protection Directive (Directive 95/46/EC, the DPD) took effect in 1998.[5] While the GDPR requirements are more stringent than the DPD (for example, stronger data privacy and data erasure requirements), the GDPR is newsworthy because it is extraterritorial. In other words, the GDPR applies to companies in third countries that process the personal data of persons in the EU, including U.S.-based companies.

    2. What does the GDPR mean for U.S. companies?

    Not all aspects of the GDPR apply to U.S. companies.[6] The GDPR’s extraterritorial reach covers only the processing of personal data of persons who are in the EU (regardless of citizenship) where the processing relates to (a) offering them goods or services, whether or not payment is required; or (b) monitoring their behavior, to the extent that behavior takes place in the EU.[7] Even these limited provisions can still go a long way. It is often difficult for companies to determine the location of their users (even an IP address is not a reliable indicator of a person’s location), and any person in the EU who believes a company has improperly processed his or her personal data can complain to a supervisory authority in an EU Member State without notifying the potentially offending company in advance.

    The potential repercussions for noncompliance with the GDPR are severe. Violations can ultimately result in very high fines (up to €20 million or 4 percent of global annual turnover, whichever is greater) and/or an order suspending the flow of EU data to the company.[8] However, it is not yet clear how the GDPR will be enforced against companies in the U.S.

    Under the GDPR, personal data may currently be transferred freely from an EU controller or processor only to third countries whose privacy laws the European Commission has determined are “adequate.” The European Commission has made no such general adequacy determination for the U.S., so a transfer to a U.S. recipient requires other “appropriate” safeguards (for example, standard contractual clauses approved by the Commission).[9] Therefore, a U.S. company, in principle, may not receive personal data from any EU source without appropriate safeguards in place. Accordingly, it is very important for U.S.-based companies to determine whether their business practices place them within the purview of the GDPR and, if necessary, to implement appropriate safeguards.

    3. Does the GDPR affect my U.S. company’s practices?

    Many U.S. companies that are not affiliated with an EU subsidiary or partner are not yet in compliance with the extraterritorial requirements of the GDPR. Much of this stems from uncertainty about whether the GDPR applies to their everyday business activities. If your company falls under this umbrella, some questions may help clarify the GDPR’s applicability to your business:[10]

    • If your company offers goods and/or services, free or paid:
      • Does my company’s website allow international customers to use the services provided on the website?
      • Does my company provide services in exchange for personal data, such as an email address and/or phone number that may be linked to a person in the EU?
      • Does my company offer international shipping on any goods or services?
      • Is my company’s website available in a language other than English?
    • If your company has an online presence:
      • Does my company’s website use cookies or any other type of tracking to monitor user behavior?
      • Does my company’s website collect personal data (with or without the user’s consent) to monitor activities?
      • Does my company share user analytics with third parties?

    An affirmative answer to any of the above questions may indicate that the GDPR’s extraterritorial requirements apply to your business. Any concerns as to whether the GDPR applies to your current company practices or policies should be discussed with counsel.

    4. What are some best practices U.S. companies can use to comply with the GDPR?

    If the GDPR does apply to your company, there are some general best practices you can use to mitigate risk and comply with the applicable parts of the GDPR. You should consult with counsel to implement these safeguards and to identify other best practices that may be appropriate for your particular industry.

    a. Update your company web site’s privacy policy. Your company’s privacy policy should address GDPR-required areas, such as types of data collected, data retention, and individual user consent to data processing.

    b. Audit your current collection and recordkeeping practices. Ask the following: Who are the persons from whom you collect data? How did you obtain it? Why was it gathered? Is it secure?

    c. Create an accountability system. This may include appointing a data protection officer, creating a data breach notification process (the GDPR requires a controller to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible, and a processor to notify the controller without undue delay), training personnel, or other risk management techniques.