GDPR Basics for U.S.-based Organizations

By: Oliver M. Krischik

The European Union’s (“EU’s”) General Data Protection Regulation (“GDPR”) came into effect on May 25, 2018, imposing a new regulatory regime on companies that process, collect, and/or share personal data.  The GDPR also provides EU Member States’ data protection authorities with long-arm jurisdiction over many non-EU companies that process data about individuals located in the EU.  While the GDPR largely builds upon the foundation of its precursor, Directive 95/46/EC (the “Directive”), the expanded scope of the law means that many non-EU companies are being quickly introduced to the EU’s deferential treatment of data privacy as a fundamental right.  Accordingly, under the GDPR, individuals are given data privacy rights that may be unfamiliar to U.S. companies.  In addition, the GDPR imposes new data privacy obligations and risk management frameworks on companies within its scope.  Compared to U.S. law, many of the terms and concepts in the GDPR also have broader scope, covering more types of data and processing.

Global companies like Microsoft, Google and Facebook, which are heavily involved in data processing, have been watching and adapting their policies to the new GDPR standards.  In the age of the internet, however, most organizations, non-profits, and traditional businesses are regularly involved in the processing of personal data in day-to-day activities, such as processing payments, providing individuals with registered accounts on websites, storing contact lists, and sending out marketing or promotional materials.  All of these activities involve some level of personal data processing and, where the GDPR applies, organizations may be subject to new rules and standards on everything from their technical data security measures and customer service to their contractual arrangements with vendors, privacy policies, and marketing activities.

What Exactly Is the GDPR?

The GDPR is an EU Regulation issued by the EU Commission.  This means that the regulation is immediately applicable across the EU on its effective date (May 25, 2018).  EU Member States have the option of creating additional national laws and regulations to support or fill in the blanks in the GDPR.  The national rules, however, must be consistent with the GDPR.

Under the Directive, which was passed in 2010, EU Member States each created one or more national data protection authorities (“Supervisory Authorities”) responsible for administering, interpreting, and enforcing national rules on data protection.  The GDPR piggybacks on this system, using these same Supervisory Authorities to administer and enforce the GDPR across EU territory.

A Supervisory Authority can exercise its investigative, corrective, advisory, and enforcement powers over organizations if it believes the organization or its processing activities fall under the GDPR.  This can include the initiation of legal proceedings against U.S. organizations in EU courts.

Does the GDPR Apply to My Organization?

Determining whether the GDPR applies to your organization is not a cut-and-dried issue.  There are two tests for determining whether an organization falls within the scope of the GDPR, and both tests are based on vague regulatory language without much substantive interpretation by authoritative agencies or courts.  While there are still some gray areas, EU courts have consistently favored long-arm jurisdiction for EU data privacy laws.  Accordingly, it is important to evaluate the applicability of the GDPR to your organization and assess the risks of any operations in gray areas.

What Are the Penalties of Violating the GDPR?

In order to incentivize the protection of EU residents’ rights through compliance with the GDPR, the EU has adopted a hefty penalty structure for violations.  The Supervisory Authorities are granted broad powers for ordering organizations to stop, change, or continue their data processing activities.  In addition, Supervisory Authorities have the power to issue administrative fines.

The most egregious instances of noncompliance can be penalized with fines of up to €20 million or four percent of an organization’s annual gross revenue, whichever is higher.  For less egregious violations, administrative fines can be as high as €10 million or two percent of an organization’s annual gross revenue, whichever is higher.

Contacting Counsel for a GDPR Evaluation

Given the broad scope and serious penalties under the GDPR, it is important for companies to evaluate the applicability of the GDPR to their activities.  At GKG Law, we have helped numerous organizations conduct reviews to determine how the GDPR may apply to them and the appropriate steps to become compliant.  If you have any questions, please contact Oliver Krischik at 202.342.5266 or okrischik@gkglaw.com.