Reaching Across the Pond: How the European Union’s Privacy Regulation Might Apply to Your Business
By David S. Greber, Offit Kurman Attorneys At Law
The European Union’s (the ‘EU’) latest privacy law, known as the General Data Protection Regulation (‘GDPR’), went into effect on 25 May 2018. The GDPR imposes significant and sweeping obligations on businesses that gather ‘Personal Data’ (1) – enough so that American businesses might hope that the Atlantic is wide enough to separate them from the GDPR.
But the GDPR’s territorial scope has arms that are long enough to reach many American businesses. Europe regards privacy as a fundamental human right, and it has spent more than 70 years protecting that right through a series of declarations, conventions, charters, directives, and regulations. The high value that Europe places on privacy is likely to influence the scope and zeal of its enforcement of the GDPR on American companies.
When Doesn’t the GDPR Apply to a Business in the United States?
Fortunately, the GDPR does not apply to all Personal Data gathered from or about European data subjects. It does not apply to Personal Data that is gathered from data subjects in the US if the data is also ‘controlled’ (2) and ‘processed’ (3) by companies that are not established in Europe. For example, Personal Data about a German who buys a car while she is living in New Jersey, which is controlled and processed by the dealer in New Jersey, is not subject to the GDPR. But the GDPR does apply to Personal Data gathered about an American who buys a car (or a coffee) while living in Paris.
When Does the GDPR Apply to a Business in the United States?
Any of these business attributes or activities will subject an American company to the requirements of the GDPR:
‘Establishment’ in the EU
The GDPR applies to ‘the processing of personal data in the context of the activities of an establishment of a controller or a processor in the [European] Union, regardless of whether the processing takes place in the Union or not.’ GDPR Art. 3(1).
Establishment doesn’t necessarily mean having a physical location in the EU, or having a subsidiary that does - although either of those facts would trigger the application of the GDPR. Any real and effective activity in the EU through stable arrangements can represent the necessary ‘establishment’ and trigger the application of the GDPR. Examples of stable arrangements include renting a post office box or office, establishing a bank account, and contracting with an independent contractor who acts as your business’s representative.
If a business is ‘established’ in the EU, it doesn’t matter whether the Processing of Personal Data takes place outside Europe. Processing in the United States of Personal Data relating to Data Subjects who live in the United States will still be subject to the GDPR if the processing is in the context of the activities of a European data controller or processor. For example, if an American business engages the Colorado subsidiary of a French company to process payroll data of American employees, the processing will be subject to the GDPR, even if the processing occurs in Denver.
Offering Goods or Services to Data Subjects in the EU
The GDPR applies to businesses that ‘envisage’ offering goods or services to data subjects in Europe, even if no money changes hands. Non-profits are also not exempt. Theoretically, intention to offer goods or services to European data subjects is the critical question. Regulators would examine such facts as whether the US business’s website references European customers, permits payment in a European currency, or includes translation into European languages. While intention is theoretically critical, if a US business ends up with more than a few European customers ‘unintentionally’, regulators may well find that the GDPR applies.
If an American business gathers contact information from website visitors or customers located in the EU, and then sends marketing emails to those visitors, then the business will have to comply with the GDPR.
‘Monitoring’ Data Subject Behavior in the EU
Here are activities that will catch many US businesses by surprise. A business that places cookies, uses geolocation or other tracking technologies, or engages in behavioral advertising on devices located in the EU, is subject to the GDPR. Such monitoring and behavioral profiling activities particularly concern EU regulators. And American businesses use these techniques all the time.
US businesses may be asked to agree to certain GDPR duties if they are dealing with a company that is subject to the GDPR (or thinks that it is). For example, a European company that provides data processing services to an American company is a ‘Data Processor’ under the GDPR. As such, it has obligations under the GDPR to define certain responsibilities and rights in a written contract with the ‘Data Controller’, whether the Data Controller is in Europe or not.
In the flurry to comply with the GDPR by the 25 May 2018 effective date, some companies may have asked US companies to sign contract addenda with GDPR obligations when they were not required to do so. Rather than simply sign these contract addenda, US businesses should consider exploring why the addenda are necessary. If the addenda are not required under the GDPR, push-back may be in order.
What a Business Should Do If the GDPR Applies to It
A full discussion of this topic is beyond the scope of this article, but an American business that is subject to the GDPR has several basic options:
- 1. Stop doing the things that trigger the application of the GDPR. Businesses that rely on the European market may not have this luxury.
- 2. Do what it takes to comply with the GDPR, or at least make convincing movements in that direction. The potential benefits of this approach also include coming into compliance with US federal and state privacy and data protection laws with which the business may not be complying either. Moving toward GDPR compliance would also help reduce the risk of data breaches and the financial and reputational losses that accompany them.
- 3. Chance getting caught. On the one hand, one would think that the European regulators have enough low-hanging enforcement fruit to keep them busy for many years. On the other hand, potential fines are huge (up to 4% of worldwide annual turnover or €20 million, whichever is higher) and the GDPR gives citizens the right to complain and sue in ways that pose a greater regulatory and litigation threat than what businesses face in the United States.
The GDPR applies to more United States businesses than you might think. American businesses would do well to determine if the GDPR applies to them. If it does, then making progress toward GDPR compliance will reduce exposure to EU fines and suits, improve the business’s compliance with US federal and state privacy and data protection laws, and reduce the financial and reputational risks associated with data breaches. Even if the business turns its back on the EU, establishing a comprehensive privacy and data protection program can be a good investment.
(1) The GDPR defines Personal Data as any information relating to an identified or identifiable natural person (‘data subject’). GDPR Art. 4(1).
(2) ‘Control’ means to determine the purposes and means of the Processing of Personal Data. See GDPR Art. 4(7).
(3) ‘Processing’ is broadly defined to mean ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.’ GDPR Art. 4(2).
David Greber, Offit Kurman, Attorneys at Law, Washington, DC, USA
T: +1 240 772 5137
Offit Kurman, Attorneys at Law is a dynamic, full-service law firm. We are our clients’ most trusted legal advisors, and help them maximise and protect their business value and individual wealth. In every interaction, we consistently strive to maintain our clients’ trust and help them achieve their goals.
David Greber's extensive business law experience includes representation of companies and corporations in all stages of their business life-cycle, from initial founding, through growth and expansion, to sale. His intellectual property law background includes the registration and protection of copyrights, trademarks and trade secrets, and litigation of intellectual property infringement cases. David also holds the CIPP/US privacy law certification from the International Association of Privacy Professionals.
Published: September 2018 | Photo: ©sarawut - stock.adobe.com