The Extraterritorial Reach of GDPR to United States Businesses
The European Union General Data Protection Regulation (GDPR) is the world’s leading government effort to protect the privacy of electronic data held by businesses. Due to its expansive terms, even businesses operating beyond the EU’s borders, in the United States and other countries, will need to comply with the terms of the GDPR if they capture the data of EU individuals or risk substantial fines. With the maximum fine for some violations set at four percent of the corporation’s annual worldwide revenue (or €20 million, whichever is higher), the start of the enforcement period in May is looming large on the horizon. (Update: May has since passed and the GDPR is in effect!)
This introduction to the intersection between the GDPR and U.S. companies provides an overview of GDPR extraterritoriality, a discussion of which companies are affected, and some of the problems of GDPR compliance for U.S. companies.
The Extraterritorial Application of the GDPR
Before the globalization of the world’s economy and the rise of the internet, the laws adopted by a government typically controlled only the conduct of its own citizens and of the individuals and businesses located inside its borders. Most laws today still have only limited reach beyond a country’s geographic borders.
However, governments are increasingly adopting laws that impact conduct beyond their borders in order to address substantial concerns. Due to the worldwide application of these laws, often with a tie to the adopting country based on citizenship or geographic presence, they can create substantial compliance concerns for businesses operating outside of the country’s borders.
The Foreign Corrupt Practices Act (“FCPA”), signed into law by the United States in 1977, is one of the leading examples of the compliance problems created by extraterritorial laws. It was passed in order to begin to address the world’s serious public corruption problem. In short, the law prohibits the bribery of foreign officials by U.S. citizens, U.S.-based businesses, and publicly traded corporations with shares listed on a U.S. stock exchange. It applies to conduct occurring outside of the United States as well as to certain conduct performed by third parties on behalf of the entity with U.S. ties. Businesses linked to suspected violations of the FCPA may have to expend substantial monetary resources in order to investigate and correct the misconduct, as well as pay substantial enforcement penalties. For the world’s largest businesses, these costs can run to more than $1 billion.
The GDPR is another extraterritorial law that raises substantial compliance issues. It is Europe’s latest effort to tackle the problem of data privacy for its citizens. It replaces the Data Privacy Directive, which regulated the processing of personal data within the EU and the transfer of that data outside of the EU. The GDPR does so, in part, by requiring businesses outside of its member states to comply with its data privacy protections when they act as a controller or processor of the data of EU data subjects.
Ecommerce websites are a prime example of a class of businesses that may be located outside of the EU but are targeted by the GDPR. An American company with a website presence selling goods to EU citizens and shipping the items to Europe from the United States must comply with the GDPR for the data collected in the process. Those companies that do not follow the law’s terms risk an enforcement action with large potential fines against them.
The extraterritorial reach of the GDPR is broadly defined. It applies to a controller or processor of data when they are monitoring the behavior of data subjects within the EU, when they are processing data related to the offering of goods or services to data subjects in the EU, or when they have an establishment in the EU and the processing of data is happening in the context of that EU establishment.
Although the scope of these provisions will likely be the subject of further interpretation in the coming years, U.S. businesses with connections to the EU through subsidiaries, employees, vendors, service providers, customers or even website visitors will all need to assess their compliance with the GDPR and their risk of an enforcement action.
What U.S. Companies are Affected by GDPR?
Large multinational companies with subsidiaries, offices or employees in the EU are clearly covered by the law and will need to take appropriate steps to comply.
Medium and small businesses operating online will also need to assess their compliance with the law. In addition to the impact of this law on ecommerce retailers shipping overseas, companies that are internet-based, sell software services, or operate in the travel and hospitality industry are among those likely to fall within the extraterritorial scope of the law.
Although the law does make some exceptions for organizations with fewer than 250 employees, all covered entities are expected to comply with the majority of the law’s data privacy requirements. The law does not exempt small and medium-sized businesses from the duty to protect the personal information they collect.
What does the GDPR mean for U.S. Companies?
The anticipated cost of the technology needed to comply with the requirements of the GDPR at a large corporation is over $1 million.
Some of the key provisions for companies in the U.S. to examine are:
– A data subject must freely give informed and specific consent, in an unambiguous statement or affirmative action, in order for a business to process his or her personal data (unless the processing falls within one of the other lawful bases for processing).
– Companies must erase personal data upon request, known as the right to erasure.
– Companies must report data breaches to supervisory authorities and affected individuals within 72 hours of detection of the breach.
Does the GDPR Apply to EU Citizens in the US?
If a controller or processor with the appropriate ties to the EU is collecting data on EU citizens, compliance with the GDPR is the best protection against a violation of the law and a resulting enforcement action. For non-EU businesses, the consensus is that the data of EU citizens located outside of Europe, when collected by U.S. companies without other ties to the EU, is not covered by the law. However, consultation with an attorney about your legal obligations is always the right course.
Does the GDPR Apply to Non-EU Citizens?
Although the GDPR is often described as an effort to protect and empower the data privacy of EU citizens, its terms offer protection to data subjects. Data subjects are defined as natural persons and not expressly limited to citizens or residents.
As a result, non-EU citizens may be protected under the GDPR while they are residing or traveling inside the EU. The GDPR applies both to data controllers and processors inside the European Union as well as those located outside the European Union who are processing personal data of data subjects in the European Union.
How can the GDPR be Enforced against Third-Country Organizations?
Although some minor violations of the GDPR by small businesses located outside of the European Union may ultimately be forgiven (particularly early in the law’s enforcement), U.S. businesses that are knowingly and actively collecting data to conduct business in the EU ignore the law at their own peril.
In order to continue to operate in the EU, entities located outside of the EU that fall within the law’s extraterritorial scope and its Data Protection Officer requirements are obligated to name a representative with a business or personal residence in the EU as the contact person for all data protection issues. This can be fulfilled through a virtual DPO.
If they do not, their ability to operate in the EU may ultimately be limited and the EU may even be able to enforce fines issued against U.S. businesses. There has been increased cooperation between United States and European Union law enforcement agencies and regulators in recent years. With the U.S. relying on the assistance of the EU in order to enforce its laws abroad, it is premature to think that the EU will not be able to compel payment of fines by companies located in the United States.
Update – January 8, 2019
The first insight into the approach that a DPA may take to GDPR enforcement against U.S. companies came out of the United Kingdom in November 2018. The UK ICO issued a warning to the Washington Post over how it was obtaining consent for cookies. The ICO concluded that consent was not freely given under GDPR Article 7 because the paper did not offer a free alternative to accepting cookies. However, the ICO noted that there was little it could do if the Washington Post decided not to change its practices. This comment by the ICO leaves in doubt both its ability to bring enforcement actions and the likelihood that it will.
However, it is far too soon to draw inferences based on this note. It is worth noting that the first company to be fined under GDPR by ICO was a Canadian company. Other DPAs may also decide not to respect the decision. Indeed, the EDPB has since issued a clarifying paper on the obligations with respect to GDPR of companies that are not located in the EU. So this debate on the scope of the obligations is likely to continue.
Contact Clarip Today for Help with CCPA and GDPR
The Clarip team and data privacy software are prepared to help your organization improve its privacy practices. Contact us (we return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If your challenge right now is CCPA compliance for your California operations, allow us to show you our CCPA software. From consent management software to offer the option to opt-out of the sale of personal data, to a powerful DSAR Portal to facilitate the right to access and delete, Clarip offers enterprise privacy management at an affordable price.
If you are preparing your European operations for GDPR compliance, we can help through our modular GDPR software. Whether you are looking to start the process with GDPR data mapping software, increase automation in your privacy program with DPIA software, or handle ePrivacy with a cookie consent manager, Clarip has the privacy platform that you need to bolster your program.