The European Union’s landmark data privacy law, the General Data Protection Regulation (GDPR), went into effect one year ago. By now, the implications for European residents and companies are fairly well known. Many of us will have received updated privacy policies in our email inboxes, or become increasingly aware of headline-grabbing stories about mass data breaches. But what about beyond the borders of Europe? Taking American companies as a particular example, we explore how the GDPR has changed the way business is done.
In what way does the GDPR have the power to influence how American companies handle data?
Because the GDPR introduced a single legal framework that applies across all EU member states, businesses now face a more consistent and harmonized set of compliance rules from one EU member state to the next. But in a considerable departure from the old Data Protection Directive, the GDPR imposes an expanded territorial scope. No matter where they are located around the world, companies must comply with the GDPR if they either offer goods or services to data subjects located in the EU, or monitor EU data subjects’ behavior.
These new regulations are not without teeth. Whereas fines under the previous directive maxed out at £500,000 here in the United Kingdom, fines under the GDPR can reach up to 20 million euros or 4% of a breaching company’s global turnover, whichever is higher. Accordingly, from 25 May 2018, many American companies became subject to European privacy laws for the very first time, and faced considerable sanctions for noncompliance.
In the lead-up to the GDPR taking effect, many European residents found themselves geo-blocked from accessing American websites. The reason? If European customers were blocked from accessing the websites, the companies would not technically be “offering their goods or services” to Europeans, nor would they be “monitoring their behavior”.
Although the majority of companies retreating from Europe were small to medium-sized technology companies, others included global names such as the Los Angeles Times.
Compliance for American companies is possible
This underscores the point that the United States is often seen as a friendlier home for companies seeking fewer, less stringent privacy regulations. However, for many American companies, abandoning the European market is undesirable, or perhaps even impractical.
Rather than retreating from the regulations, we consider it absolutely feasible for companies to use the GDPR as an opportunity to review and enhance their IT, privacy and cybersecurity practices. If a company demonstrates commitment to data protection and privacy, this can be a key competitive differentiator. Building confidence and trust with consumers and corporate partners alike is crucial for strong, on-going relationships. In this way,
Preiskel partner Jose Saras, who leads the firm’s Privacy Team, explains: “In addition to providing legal advice on contracts and internal policies, one of the most exciting aspects of our work is when we provide our clients with a framework to create a commercial advantage. We take the time to listen to their concerns and learn their core values, to really help them see how data protection and profitability can go hand-in-hand.”
One of the first things we help clients with – especially those who are not based in Europe – is conducting a data audit or “data mapping” exercise. Doing so is a great first step towards better understanding the types of personal data being processed, and determining the practical ways in which the GDPR may apply. This, coupled with our on-going support, means that clients can benefit from real-time advice on the practical issues of running their business in Europe.
If you have any questions on GDPR or data protection matters more generally, please contact Jose Saras.