Who: United States businesses that process (i.e., collect, store, or transmit) the personal information of EU residents in connection with offering goods or services in the EU (online or otherwise) are subject to the GDPR, regardless of whether the business has any physical presence in the EU or whether any payment is made by the EU resident.
What: The GDPR is a comprehensive data-privacy regulation that gives people control over their data in ways that are very different from what US businesses are accustomed to. Businesses must clearly and accurately disclose how they collect and use personal data and be prepared to provide EU residents copies of their data, delete their data, correct their data, and report any data breaches to EU regulatory authorities within 72 hours. Many marketing communications and other data collection will also require “opt-in” consent from EU residents, which is a drastic departure from current/standard US practices.
When: May 25, 2018
Where: Globally. The GDPR has extraterritorial reach, so it will apply to US businesses that offer goods or services to people in the EU, even if those goods or services are only being provided online and the US company has no physical presence in the EU.
Why: Data privacy is a fundamental right in the EU, but EU regulators feel that many businesses, including many US-based companies, are not adequately respecting that right. The GDPR attempts to address this by providing significantly expanded rights to EU residents, putting significantly more obligations on companies that process EU resident data, regardless of their physical location, and increasing liability exposure. The GDPR both provides a private right of action for EU residents (even without any finding of material harm) and subjects companies to enormous regulatory fines; fines may reach the greater of (a) €20 million or (b) four (4) percent of global annual revenue (even if only one (1) percent was earned in the EU).
How: There are steps that US businesses should be taking now to come into compliance by the May 25, 2018 enforcement deadline. These include: