The European Union (EU) is an important market for many U.S. businesses, and now firms must comply with new EU data protection requirements by May 25, 2018 or face penalties. The General Data Protection Regulation (GDPR) authorizes fines of up to four percent of the company’s global revenue or up to 20 million euros (US $23 million), whichever is higher.
Certifying to the EU-U.S. Privacy Shield Framework through the U.S. Department of Commerce can help U.S. companies comply with GDPR data transfer requirements. The U.S. Commercial Service at the European Union (CSEU) located in the U.S. Mission to the European Union describes some relevant requirements for U.S. companies to consider
Background on the privacy issue
Similar to the United States, policymakers in the EU have spent years addressing the complex issues of privacy, economic innovation, and questions of trust and security online. In fact, the EU established its first overarching personal data protection law in 1995. This law was designed to encompass all sectors, an approach different from the sectoral approach adopted in the United States. The GDPR is the EU’s effort to update its 1995 law.
Successfully managing the digital revolution is key to the EU’s future. The European Commission’s Digital Single Market initiative, for example, aims to create a 28-country market for digital goods and services that is innovative and competitive. GDPR seeks to ensure that European law upholds a fundamental right to data protection.
About General Data Protection Regulation (GDPR)
The GDPR replaced the data protection Directive 1995/46, but retains its essence — businesses must tell consumers that they are collecting data, what they intend to use it for, and to whom it will be disclosed – while introducing numerous new requirements and setting a two-year transition period to allow companies to achieve compliance. The transition period ends on May 25, 2018, at which time GDPR requirements will be enforceable.
Some key principles of GDPR are:
- Lawfulness: processing of personal data must be lawful and where it is based on consent, the consent must be freely given, specific, informed and unambiguous;
- Transparency: information regarding processing must be provided in a concise, transparent, intelligible and easily accessible form;
- Purpose limitation: the purpose for which data is collected must be specified, explicit and legitimate;
- Data Minimization: only data relevant for the purpose laid out can be collected and processed;
- Data Integrity: data must be accurate and kept up-to-date;
- Security: data must be processed in a way that ensures appropriate security of the personal data;
- Accountability (new principle): the data controller is responsible for, and must be able to demonstrate compliance with its GDPR obligations.
Scope of GDPR in terms of what data is covered
The GDPR applies to the processing of personal data, which is defined very broadly under EU law. “Personal data” is any information relating to an identified or identifiable natural person, “such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. “Processing” is also defined broadly to mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, including storage, collection, consultation etc.
GDPR impact on U.S. businesses
The territorial scope of the GDPR is much broader than that of the 95 Directive, which it replaces. The GDPR applies to the activities of an establishment in the EU, to activities related to the offering of goods or services to EU persons (even if the seller is outside the EU), and to activities related to the monitoring of behavior of persons in the EU. If a U.S. company engages in these activities, it would likely be subject to the GDPR.
Types of U.S. businesses affected by GDPR
All U.S. businesses doing business in Europe, seeking to sell to EU persons, or that have clients or employees in Europe should be aware of GDPR and assess what obligations they may have under the GDPR. For example, a company based in Ohio that sells products to customers in the EU should examine information it is collecting from those customers. If that information includes personal data such as name, address, and credit card information, the GDPR may apply. In general, the GDPR makes no distinction between large and small companies, except that organizations with fewer than 250 employees are generally not subject to the record keeping requirements.
GDPR does not distinguish between IT and non-IT companies. It also potentially applies to other types of organizations such as universities, research centers, etc.
GDPR requirements: potential impact on interests of U.S. companies
As of May 25, 2018, companies falling within the scope of the GDPR will have to comply with numerous requirements. The GDPR is more complex than its 1995 predecessor and includes several elements with a potentially significant impact on the interests of U.S. companies. Some key changes include:
- enhanced data protection principles (namely Article 5)
- stricter rules around consent (Articles 4, 7, and 8)
- expanded data subject’s rights (Chapter 3)
- breach notification rules (Article 33 and 34)
- joint liability obligations (Article 79 and Article 26)
- a data portability right (Article 20)
- a requirement for a data protection officer or representative in the EU (Articles 27, 37, 38, and 39).
Penalties for Non-Compliance
Non-compliance can be very expensive. There is a fine of up to four percent of the company’s annual global revenue or up to 20 million euros (US $23 million), whichever is higher
U.S. Manufacturing and GDPR
The International Trade Administration’s (ITA) U.S. Commercial Service has prepared an overview of the GDPR to familiarize companies with some of the basic requirements of the GDPR so they can begin to assess whether the GDPR would apply to them.
EU-U.S. Privacy Shield Framework and GDPR
In 2016, the ITA launched the EU-U.S. Privacy Shield Framework to provide U.S. companies with a mechanism to comply with those EU data protection requirements pertaining to the transfer of personal data from the EU to the United States.
To join the Privacy Shield Framework, a U.S.-based organization is required to self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment becomes enforceable under U.S. law. For further information, visit the Privacy Shield website.
U.S. Department of Commerce Digital Attaché program
Europe-based Digital Trade Officers can assist U.S. companies in navigating both EU and EU Member State government privacy regulations. Like U.S. companies responding to state-level and federal-level regulations, operating in EU markets requires careful attention to both EU and EU Member State rules. Additional information about the Digital Attaché program including U.S. Embassy contacts.
EU Guidelines on data protection
The European Data Protection Authorities are issuing publicly-available guidelines to help organizations better understand how the DPAs interpret GDPR requirements. Furthermore, the privacy landscape continues to evolve in Europe, including vis-à-vis international data flow mechanisms. The U.S. Commercial Service will continue to monitor this area very closely and will strive to keep U.S. companies abreast of changes.