International Business Law Blog

Here Comes The GDPR – US Companies, Make Sure You’ve Got It Covered

Way back on August 17, 2017 (seems like a lifetime ago), we brought you information regarding the European General Data Protection Regulation (“GDPR”) and its impact on those doing business in the EU*.

And now, guess what: the GDPR goes live on May 25, a week from today.  Under article 3(2) of the GDPR, the Regulation applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the European Union, where the processing activities relate to either: (i) the offering of goods or services to such data subjects in the European Union (whether or not payment is required); or (ii) the monitoring of their behaviour, as far as that behaviour takes place within the EU.  Note that either limb is enough; a company need not satisfy both.  For example, “a US insurance company not based in the EU will be subject to the GDPR (and all the requirements thereunder) if it offers its insurance products to entities in EU countries.”

A website (the EUGDPR website) has been established to explain the law, how it operates and to address FAQs.  As provided in the law and explained in more understandable terms on the EUGDPR website, the GDPR significantly increases the scope of the former Data Protection Directive 95/46/EC.

Expansive Jurisdiction and Coverage

“Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Previously, territorial applicability of the directive was ambiguous and referred to data process ‘in context of an establishment.’ This topic has arisen in a number of high profile court cases. GDPR makes its applicability very clear – it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.”

Penalties for Violations Can Be Severe

“[O]rganizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater),” which as of this writing would be roughly US$23,600,000. “This is the maximum fine that can be imposed for the most serious infringements, e.g., not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g., a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment.”  Note that it does not matter whether one is the controller deciding the purposes of the processing or merely a processor handling the data on someone else’s behalf: both can be fined, and “cloud” storage or processing is not exempt.

Any Safe Harbors?  Can One Obtain Consent to Disclose?

The GDPR has significantly bolstered the requirements for a legitimate consent. No longer may companies rely on long, unintelligible, and highly technical legal documents as a basis for legitimate consent.  As noted on the EUGDPR website, “a request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”

It is important that you review these new requirements and ensure your business is following them. If you have any questions regarding the new law, or any other related matters, please email me at

* The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.