The General Data Protection Regulation (GDPR) is a law that protects the privacy of most Europeans. The GDPR protects in part by imposing limitations on the free movement of personal data between the European Union (EU) and other countries. It took effect in May 2018.
This ground-breaking data protection and privacy regulation reaches well beyond the European Union’s physical borders. It also requires companies based outside the EU to safeguard the personal data of people in the EU.
Extra-Territorial Scope of GDPR
The GDPR’s scope goes beyond the boundaries of the EU. That means that websites outside the EU that handle personal data about EU citizens are also obliged to comply with the GDPR’s requirements.
The text of the General Data Protection Regulation (GDPR) provides an essential compliance checklist that companies should follow if they are subject to the GDPR. This “checklist” contains particular requirements that apply specifically to organizations outside the EU, such as American companies.
You may be wondering how the laws of the European Union might be enforced in an area over which the EU supervisory authorities have no jurisdiction. The reality is complicated, but in short, there are avenues by which United States (US) courts might enforce agreements referencing the GDPR and apply guidance of the EU Commission or EU supervisory authorities.
Enforcement of GDPR in the US
The General Data Protection Regulation (GDPR) is enforced in the EU and EEA by the many supervisory authorities situated across the region. The GDPR also applies, however, to companies situated outside of Europe.
Businesses subject to the GDPR that do not have a physical presence or establishment in any EU member state may need to have a physical representative located inside the region to comply with the GDPR. If an organization violates the General Data Protection Regulation, EU supervisory authorities may direct complaints or fines to this representative.
EU enforcement agencies may take disciplinary action against those who violate the rules. These agencies are likely to get support from government officials in the country where the company is based. Noncompliance may be pursued by EU enforcement agencies, especially against multinational or large corporations, through stop-processing orders or regulatory investigations. Furthermore, EU data protection authorities may fine companies that continue to do business with US organizations that violate the GDPR, effectively preventing those US companies from getting customers in the EU.
Finally, EU and US companies may pursue US companies for breach of contract if GDPR compliance is written into the underlying agreement. These contractual claims may be adjudicated in US courts, depending on the contract, even though they relate to EU compliance.
GDPR and US-EU Data Sharing
The General Data Protection Regulation (GDPR) defines, in Article 45, the circumstances under which personal data may be transferred outside of the EU. It states that data transfers beyond the EU are permitted if the receiving country has an adequacy agreement with the EU. It is also applicable if the data processor or controller demonstrates an adequate level of data privacy safeguards inside the EU. The EU previously acknowledged the EU-US Privacy Shield as an acceptable mechanism for transfer; however, with the recent “Schrems II” decision from the Court of Justice of the European Union, the Privacy Shield framework has been invalidated for data transfers.
Since the US as a whole does not feature on the European Union’s list of countries with a sufficient level of data protection law, businesses should consult with their privacy counsel as to the best alternative mechanisms for international data transfers.
GDPR Compliance Requirements for US Companies
Any US company obliged to comply with the GDPR may be subject to the same strict requirements as companies located in the EU.
If your website collects or processes personally identifiable information (PII) of EU citizens, you must have a lawful basis for doing so. The following is a checklist that companies in the United States may use as a starting point toward compliance with the General Data Protection Regulation, subject to the advice of their local privacy counsel:
- Identify and appoint a data protection officer to oversee the processing of EU personal data;
- Inform your customers about the reasons for which you are processing their data;
- Make sure you have a data processing agreement in place with your suppliers;
- Evaluate your data processing operations and improve the level of protection;
- Determine what to do in the case of a data breach in your organization;
- Comply with all applicable rules governing cross-border data transfers; and
- Designate a representative in the European Union.
With the GDPR compliance checklist and retention of local privacy counsel, you may be able to mitigate the risk of enforcement actions brought by EU regulatory authorities. Moreover, a consent management platform (often referred to as a CMP) may help you make your website GDPR compliant.
GDPR Fines for US Companies
The General Data Protection Regulation (GDPR) has significant enforcement penalties to incentivize compliance. There is the possibility of substantial fines for noncompliance with the law, which may reach 4 percent of global sales or €20 million, depending on the severity and circumstances of the violation.
As reported by the US International Trade Commission, since May 2018, data protection authorities in EU member states have collectively penalized US companies for more than $417 million under the General Data Protection Regulation (GDPR).
The General Data Protection Regulation (GDPR) is applicable based on the location of the data subject when their data is processed, not on their citizenship or country. Any company in the United States that provides services or monitors customers in the European Union (EU) should determine their obligations under GDPR, if any apply, and how to comply with the GDPR.
All companies based in the United States that are subject to the GDPR should work toward complying with its requirements. This is not only to protect the data being transferred and to avoid fines, but also to protect the integrity of those companies, and of the US more broadly, in matters of data protection.
Learn more about the General Data Protection Regulation (GDPR) implications for your business’s marketing strategies. Metaverse Law specializes in data privacy, data protection, and cybersecurity laws. It continues to provide practical solutions for today’s online businesses, including GDPR compliance. To learn more about our services, please contact us now!