By Amy Kardel, Esq.
Everyone is talking about GDPR, the European Union’s data protection law that took effect May 25, 2018. GDPR stands for “General Data Protection Regulation”.
Even though this is a European law, U.S. companies and organizations may still be subject to it if they possess personal information of European Union citizens. But what does GDPR mean for a US-based small business that does not have any operations in the EU but has data on EU citizens? So far, it means confusion. Most articles predicting a GDPR doomsday ignore this huge segment of our economy, which makes up the majority of my IT consulting company’s clients.
Todd Thibodeaux, CEO of CompTIA, has gone on the record to say this wide-sweeping law is like “using a shotgun to kill a fly.” I agree and would add to the analogy that the EU has aimed its GDPR shotgun into the air but has not yet pulled the trigger. Yes, it is noisy and threatening. Yes, it is hard to know who will be hit by the first pellets. And yes, the media is scaring everyone with the story. But it is too early to know how it will even play out in the EU, let alone for US-based businesses with or without an EU presence. We won’t know for sure what real implications GDPR will have for any U.S. companies until regulators start enforcement. Lawyers will be busy for quite some time to come resolving questions about whom regulators will enforce the GDPR against, for what, and how.
The noble intent of the law is to give European citizens better control of their personal data held by organizations. Given Europe’s history-informed sensitivity to the abuse of personal data, this is understandable. However, crafting a regulation that businesses can comply with that also reaches its intended aims is a very heavy lift, and enforcing it globally will bring new challenges to the bureaucracy.
Let’s start with some terminology.
Personal Information is broadly defined as any information related to a person who can be directly or indirectly identified. That includes cookies, IP addresses, some email addresses and many other records. Personal Information does not distinguish between work and personal roles, so an email address like “firstname.lastname@example.org” would be personal information. You can see how easy it is to have this type of data in your organization.
What if you have Personal Information of EU citizens? A recent survey says 52% of US businesses do. I think that number is much lower in small businesses, but you know your business best. For there to be enforcement against a US company, there would have to be a complaint filed against you by an EU citizen (or a privacy group standing in her shoes), or an enforcement action or investigation by regulators of your operations, and the EU regulators would have to have a way to reach you with the long arm of the law.
Further, if the data is collected while the EU citizen is outside the EU, GDPR does not seem to apply. Under Article 3, Section 2, of the Regulation, GDPR reaches data controllers and data processors who are not established in the EU when they process “personal data of data subjects who are in the Union” — where the processing of that data relates to “the offering of goods or services… to such data subjects in the Union” and/or tracking their behavior to the extent it “takes place within the Union.” If you own a hotel on the Central Coast of California and a European citizen books a room while standing at the front desk, GDPR would not apply to that Personal Information. But that same data could be subject to GDPR if that room was booked online when the guest was home in Europe. See how this gets complicated?
But don’t worry too much if you are a small, US-based business that is not actively and knowingly conducting business in the EU and targeting EU customers. Worry is not preparation anyway, and how to play it safe is not totally clear. Of course, you should play it safe where you can and seek advice if you think you’ve got exposure. However, it is not even currently clear how the EU would have jurisdiction, that is, the long arm of the law, to fine you. Businesses are supposed to appoint a representative in the EU to receive such complaints if they carry out systematic monitoring like online behavior tracking or process data in sensitive categories (think health or criminal data), but asking any US business to do so is unprecedented. Small companies without European operations are not the droids the EU is looking for. We’ll have to see how this is even enforced through international law, but common sense says the resources needed to do so would be overwhelming. Larger companies with European offices will be caught in the GDPR net based on those ties to Europe, and enforcement would happen through their European operations.
Of course, if your business does not have a need to have its website available to European web traffic, you could close off access to those visitors and not be troubled by GDPR at all. This might make sense for some, but others, like a hotel that would happily accept a reservation from a German tourist, might not wish to close that revenue door.
The law will be enforced based on complaint-driven inquiry. That means that compliance is user-driven. An EU citizen has to ask to have her rights upheld with the company that has her data; that company has a certain amount of time to comply, and then the EU citizen can file a complaint with her local regulator. And that local regulator is not an EU-wide office, but rather an office in her EU country. <insert sound of cocking shotgun here> And it is anticipated that each country will have its own flavor of enforcement. Of course, keeping data secure and not abusing the use of it for marketing purposes will prevent most complaints.
Fear and threats of fines up to 20 million Euros or 4% of annual sales, whichever is higher, make great headlines. These big fines are meant to get the attention of multinational corporations. We’ve all received updated privacy policies as the deadline approached. Big companies have been working on compliance since it was announced two years ago, but even many of those are not ready or clear on its implications. A month before GDPR took effect, the Computing Technology Industry Association, CompTIA, released a survey on “The State of GDPR Preparedness in the U.S.” Given the confusion, the findings are not surprising. More than half of U.S. companies say they are still trying to determine whether or not GDPR is applicable to them.
So far the biggest effect of the GDPR is to get the US to think about privacy. We have yet to pass a truly comprehensive data privacy standard. And as the recent Facebook hearings show, we need to level up our game on privacy. GDPR sets the stage for us to standardize compliance and enforcement at home, which is overdue. Meanwhile, small business owners make decisions based on risk and reward and soldier on as the backbone of the US economy.
For a summary of GDPR need-to-know facts with nice graphics, see this article.
For detailed information on GDPR, see the UK Information Commissioner’s Office.
Amy Kardel is a California Attorney and co-founder of Clever Ducks, an IT services firm in San Luis Obispo. This article is for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to your particular issues.