Although Europe’s General Data Protection Regulation (GDPR) was a hot topic last year, many Americans might not fully understand its impact and how to navigate it when conducting business overseas. The GDPR is the new data privacy law of the European Union and several other countries, and its reach stretches well beyond Europe. The law is comprehensive, consists of ninety-nine articles, and is supplemented by two dozen national laws.
The goal of this blog post is to help companies outside the EU determine whether they should look at the GDPR more closely. The flowchart below is a good starting point for evaluating whether the GDPR applies to your business operations. In short, if you have a business presence in the EU (plus Norway, Iceland, and Liechtenstein), provide data processing services to such businesses, offer your goods or services to EU residents, or “monitor” the behavior of EU residents, then the GDPR applies. Even if the GDPR does not apply to your company’s operations, pay close attention to privacy laws in other countries, because numerous jurisdictions have adopted, or are considering adopting, laws similar to the GDPR.
If the GDPR is triggered, you should ensure that any processing of personal data about EU residents is GDPR-compliant because the potential maximum penalties for violating this law are steep: up to €20 million ($22.5 million) per violation in fines, plus the threat of civil lawsuits, and even jail time in certain countries.
In some circumstances, U.S. businesses may be able to avail themselves of the much simpler set of rules under the EU-U.S. Privacy Shield Framework to meet their data protection obligations.
The GDPR is a big deal in Europe because Europeans treat individuals’ rights to control their personal information and to have it protected as fundamental human rights. This is similar to how we view “life, liberty, and the pursuit of happiness” as inalienable rights of all Americans.
Illya Antonenko is Data Protection Officer and Counsel for TRACE, a globally recognized anti-bribery business organization. Prior to joining TRACE, Mr. Antonenko practiced law for fifteen years in a number of leading U.S. law firms and in-house. His practice included assisting clients with FCPA compliance matters and investigations, cross-border transactions, and general corporate issues.
Contributors and Writers are members and associates of the MD/DC District Export Council. The views expressed do not necessarily represent the opinions of the MD/DC DEC.