European Union’s New Privacy Laws Set to Take Effect

Any U.S.-based business that sells products or provides services via the internet, no matter how large or small, is technically a global business. Although having a global reach is normally a good thing, it can also come with serious responsibilities. For instance, if your business has any customers residing in the European Union (“EU”), then there is a good chance that the General Data Protection Regulation (“GDPR”), a new set of laws designed to protect the data security and privacy of EU citizens, may impact your business. The new regulations, which replace the EU’s Data Protection Directive 95/46/EC, are set to go into effect on May 25, 2018, and apply to every citizen residing in the EU and to any business that transacts with them, regardless of where the business is located.

In other words, if your business has a customer from the EU and, as part of any business transaction, collects any personal data from that customer, your business could be subject to the rules and regulations of the GDPR. There are absolutely no exceptions based on the size or scope of the business, which means any business with an internet presence, including those owned and operated by a sole proprietor, is potentially subject to the new law. Indeed, the GDPR expressly states that its jurisdiction applies to any company processing the personal data of subjects residing in the EU, regardless of the company’s size or location. However, in order for the new law to apply to your U.S.-based business, your organization must target a data subject in an EU country. Broad, generic marketing does not qualify. So, for example, a German user who Googles and finds an English-language webpage written for U.S. consumers would most likely not be protected under the GDPR. However, if the marketing is in the language of an EU member country and there are references to EU users and customers, then the webpage would most likely trigger the GDPR.

This broad jurisdiction of the GDPR, combined with potentially drastic penalties for non-compliance, means that the new law may have a significant impact even on businesses located far beyond the geographic shores of the EU.

Under the GDPR, “Personal Data” is defined as any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Accordingly, Personal Data includes, among other things, IP addresses and mobile device IDs.

Even if the GDPR’s provisions on keeping customer personal data secure and on the lawful collection and use of that data are, as some would claim, straightforward and basic, the penalties imposed for violations are significant. Enterprises found to be in violation of the provisions of the GDPR can be fined up to 4% of annual global turnover or 20 Million Euros (approximately $23,600,000), whichever is greater.
Under the GDPR, before processing any personal data, a business must ask for explicit permission from the subject in clear language. The provisions of the regulation specifically outlaw the use of long boilerplate documents filled with complex legalese. Accordingly, hiding the permissions within a tome of Terms and Conditions will not count as compliance. The consent must be given for a specific purpose and must be requested separately from other documents and policy statements.

There are still questions about how the EU will enforce the laws against U.S. and other multinational companies doing business over the internet. However, it is clear that the EU is serious about a uniform data and privacy law for its market. Accordingly, U.S. companies with a strong internet presence should be paying very close attention and should determine whether their practices need to be altered to ensure compliance.

For more information: www.eugdpr.org/gdpr-faqs.html