Any U.S.-based business that sells products or provides services via the internet, no matter how large or small, is technically a global business. Although having a global reach is normally a good thing, it can also come with serious responsibilities. For instance, if your business has any customers residing in the European Union (“EU”), then there is a good chance that the General Data Protection Regulation (“GDPR”), a new set of laws designed to protect the data security and privacy of EU citizens, may impact your business. The new regulation, which replaces the EU’s Data Protection Directive 95/46/EC, is set to go into effect on May 25, 2018, and is applicable to every citizen residing in the EU and any business that transacts with them, regardless of where the business is located.
In other words, if your business has a customer from the EU and, as part of any business transaction, collects any personal data from that customer, your business could be subject to the rules and regulations of the GDPR. There are absolutely no exceptions based on the size or scope of the business, which means any business with an internet presence, including those owned and operated by a sole proprietor, is potentially subject to the new law. Indeed, GDPR expressly states that its jurisdiction applies to any company processing the personal data of subjects residing in the EU, regardless of the company’s size or location. However, in order for the new law to apply to your U.S.-based business, your organization must target a data subject in an EU country. Broad, generic marketing does not qualify. So, for example, a German user who Googles and finds an English-language webpage written for U.S. consumers would most likely not be protected under the GDPR. However, if the marketing is in the language of an EU member country and there are references to EU users and customers, then the webpage would most likely trigger the GDPR.
This broad jurisdiction of the GDPR, combined with potentially drastic penalties for non-compliance, means that the new law may have a significant impact on even businesses located far beyond the geographic shores of the EU.