The European Union’s (the “EU”) latest privacy law, known as the General Data Protection Regulation (“GDPR”), went into effect on May 25, 2018. The GDPR imposes significant and sweeping obligations on businesses that gather “Personal Data”—enough so that American businesses might hope that the Atlantic is wide enough to separate them from the GDPR.
But the GDPR’s territorial scope has arms that are long enough to reach many American businesses. Europe regards privacy as a fundamental human right, and it has spent more than 70 years protecting that right through a series of declarations, conventions, charters, directives, and regulations. The high value that Europe places on privacy is likely to influence the scope and zeal of its enforcement of the GDPR on American companies.
When Doesn’t the GDPR Apply to a Business in the United States?
Fortunately, the GDPR does not apply to all Personal Data gathered from or about European data subjects. It does not apply to Personal Data that is gathered from data subjects in the United States if the data is also “controlled” and “processed” by companies that are not established in Europe. For example, Personal Data about a German who buys a car while she is living in New Jersey, which is controlled and processed by the dealer in New Jersey, is not subject to the GDPR. But the GDPR does apply to Personal Data gathered about an American who buys a car (or a coffee) while living in Paris.
When Does the GDPR Apply to a Business in the United States?
Any of these business attributes or activities will subject an American company to the requirements of the GDPR:
“Establishment” in the EU
The GDPR applies to “the Processing of Personal Data in the context of the activities of an establishment of a controller or processor in the [European] Union, regardless of whether the processing takes place in the Union or not.” GDPR Art. 3(1).
Establishment doesn’t necessarily mean having a physical location in the EU, or having a subsidiary that does—although either of those facts would trigger the application of the GDPR. Any real and effective activity in the EU through stable arrangements can represent the necessary “establishment” and trigger the application of the GDPR. Examples of stable arrangements include renting a post office box or office, establishing a bank account, and contracting with an independent contractor who acts as a business’s representative.
If a business is “established” in the EU, it doesn’t matter whether the Processing of Personal Data takes place outside Europe. Processing in the United States of Personal Data relating to data subjects who live in the United States will still be subject to the GDPR if the processing is in the context of the activities of a European data controller or processor. For example, if an American business engages the Colorado subsidiary of a French company to process payroll data of American employees, the processing will be subject to the GDPR, even if the processing occurs in Denver.
Offering Goods or Services to Data Subjects in the EU
The GDPR applies to businesses that “envisage” offering goods or services to data subjects in Europe, even if no money changes hands. Non-profits are also not exempt. Theoretically, intention to offer goods or services to European data subjects is the critical question. Regulators would examine such facts as whether the U.S. business’s website references European customers, permits payment in a European currency, or includes translation into European languages. While intention is theoretically critical, if a U.S. business ends up with more than a few European customers “unintentionally,” regulators may well find that the GDPR applies.
If an American business gathers contact information from website visitors or customers located in the EU, and then sends marketing emails to those visitors, then the business will have to comply with the GDPR.
“Monitoring” Data Subject Behavior in the EU
Here are activities that will catch many U.S. businesses by surprise. A business that places cookies, uses geolocation or other tracking technologies, or engages in behavioral advertising on devices located in the EU, is subject to the GDPR. Such monitoring and behavioral profiling activities particularly concern EU regulators. And American businesses use these techniques all the time.
U.S. businesses may be asked to agree to certain GDPR duties if they are dealing with a company that is subject to the GDPR (or thinks that it is). For example, a European company that provides data processing services to an American company is a “Data Processor” under the GDPR. As such, it has obligations under the GDPR to define certain responsibilities and rights in a written contract with the “Data Controller,” whether the Data Controller is in Europe or not.
In the flurry to comply with the GDPR by the May 25, 2018 effective date, some companies may have asked U.S. companies to sign contract addenda with GDPR obligations when they were not required to do so. Rather than simply sign these contract addenda, U.S. businesses should consider exploring why the addenda are necessary. If the addenda are not required under the GDPR, push-back may be in order.
What a U.S. Business Should Do If the GDPR Applies to It
A full discussion of this topic is beyond the scope of this article, but an American business that is subject to the GDPR has several basic options:
1. Stop doing the things that trigger the application of the GDPR. Businesses that rely on the European market may not have this luxury.
2. Do what it takes to comply with the GDPR, or at least make convincing movements in that direction. The potential benefits of this approach also include coming into compliance with U.S. federal and state privacy and data protection laws with which the business may not be complying either. Moving toward GDPR compliance would also help reduce the risk of data breaches and the financial and reputational losses that accompany them.
3. Chance getting caught. On the one hand, one would think that the European regulators have enough low-hanging enforcement fruit to keep them busy for many years. On the other hand, potential fines are huge (up to 4% of worldwide annual revenue) and the GDPR gives citizens the right to complain and sue in ways that pose a greater regulatory and litigation threat than what businesses face in the United States.
The GDPR applies to more United States businesses than you might think. American businesses would do well to determine if the GDPR applies to them. If it does, then making progress toward GDPR compliance will reduce exposure to EU fines and suits, improve the business’s compliance with U.S. federal and state privacy and data protection laws, and reduce the financial and reputational risks associated with data breaches. Even if the business turns its back on the EU, establishing a comprehensive privacy and data protection program can be a good investment.
 The GDPR defines Personal Data as any information relating to an identified or identifiable natural person (“data subject”). GDPR Art. 4(1).
 “Control” means to determine the purposes and means of the Processing of Personal Data. See GDPR Art. 4(7).
 “Processing” is broadly defined to mean “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” GDPR Art. 4(2).
Questions about this or any other privacy law matter, including GDPR?
Contact David Greber at firstname.lastname@example.org or 240.772.5137
ABOUT DAVID GREBER
Mr. Greber is a member of the International Association of Privacy Professionals (IAPP) and holds the following IAPP certifications: CIPM (Certified Information Privacy Manager), CIPP/US (Certified Information Privacy Professional / US law), and CIPP/E (Certified Information Privacy Professional / European law).
ABOUT OFFIT KURMAN
Offit Kurman is one of the fastest-growing, full-service law firms in the Mid-Atlantic region. With over 170 attorneys offering a comprehensive range of services in virtually every legal category, the firm is well positioned to meet the needs of dynamic businesses and the people who own and operate them. Our twelve offices serve individual and corporate clients in the Virginia, Washington, DC, Maryland, Delaware, Pennsylvania, New Jersey, and New York City regions. At Offit Kurman, we are our clients’ most trusted legal advisors, professionals who help maximize and protect business value and personal wealth. In every interaction, we consistently maintain our clients’ confidence by remaining focused on furthering their objectives and achieving their goals in an efficient manner. Trust, knowledge, confidence—in a partner, that’s perfect.
You can connect with Offit Kurman via our Blog, Facebook, Twitter, Google+, YouTube, and LinkedIn pages. You can also sign up to receive Law Matters, Offit Kurman’s monthly newsletter covering a diverse selection of legal and corporate thought leadership content.
MARYLAND | PENNSYLVANIA | VIRGINIA| NEW JERSEY | NEW YORK | DELAWARE | WASHINGTON, DC