By Douglas G. Bonner and Jeff Kosseff.
The EU’s General Data Protection Regulation (“GDPR”) becomes legally effective on May 25, 2018, only six months from now. The GDPR replaces the EU Data Protection Directive (“Directive”), which regulates the collection and use of personal data of EU residents. It has greater extraterritorial reach than the Directive, which does not regulate U.S. companies unless personal data is collected or processed within the EU, for example by a U.S.-based company operating a data center or business location there.
It is critical that businesses collecting and using personal data be aware of, and prepared to meet, their GDPR obligations. EU regulators can fine a company as much as 20,000,000 Euros or 4% of its worldwide annual revenues, whichever is greater, for GDPR violations.
Does the GDPR apply to your company? You need to answer the following three questions:
- Does your business have an office or subsidiary in the EU that collects, transmits, uses, stores or processes personal data (name, ID number, location data, IP address, or any other data that identifies or could identify a specific individual)?
- Does your business offer goods or services to individuals in the EU, whether paid or free, by targeting customers in an EU Member State (this still includes the U.K. pending its withdrawal from the EU)? This requires more than maintaining a website accessible to EU residents. Do you offer service in the language of the EU Member State? Do you accept payment in Euros? Do you ship products to buyers in an EU Member State?
- Does your business monitor the behavior of individuals in the EU? Monitoring means tracking individuals’ behavior on the Internet, such as collecting location information, tracking their Web browsing activity, or profiling them to predict their future online behavior for advertising or other business purposes.
Our Privacy and Cybersecurity Practice professionals are available to assist and advise clients in addressing their GDPR compliance issues, including developing a GDPR compliance program.
Note: This Bulletin is not intended as legal advice. Readers should seek professional legal counseling before acting on the information it contains.