Kyle Petersen, J.
The European Union General Data Protection Regulation (GDPR) went into effect on May 25, 2018. You have likely already heard of GDPR, but why should you care about EU law? You should care because GDPR expands the territorial scope of EU data protection laws, significantly increases the penalties for non-compliance, and is surrounded by uncertainty. In other words, it should have your attention because: (i) organizations with no physical presence in the EU may be subject to GDPR; (ii) like U.S. anti-bribery and anti-trust laws, GDPR introduces extremely high fines – up to 4% of annual global turnover (an activist group in the EU filed complaints against Facebook and Google within hours of GDPR coming into effect, seeking roughly $8 billion in fines); and (iii) it remains to be seen how strictly EU data protection authorities will enforce GDPR. GDPR comes from a civil law legal system, which can be frustrating for U.S.-trained attorneys to navigate. Civil law jurisdictions are historically highly regulated, but enforcement of those regulations is often inconsistent. For these reasons, you should be aware of GDPR and understand it well enough to recognize when it might affect your clients.
The first thing to know about GDPR is to whom it applies. GDPR applies to organizations established outside the EU that: (i) process (as defined below) personal data of individuals located in the EU; (ii) offer goods or services to individuals located in the EU; or (iii) monitor behavior of individuals located in the EU. See Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, 2016 O.J. (L 119), art. 3. U.S. organizations will be subject to GDPR if they engage in these activities, despite not having a physical presence in the EU.
This article addresses key provisions of GDPR that are likely to affect U.S. organizations, particularly those in the business-to-business, or B2B, context. It also provides practical insights on achieving compliance and the challenges organizations will likely face in doing so. While it focuses on the aspects that many consider most concerning, this article addresses a mere fraction of GDPR. For example, in the B2C context, organizations need to have a legal basis for processing personal data, comply with GDPR’s notice requirement, and be able to respond appropriately to individuals exercising their “data subject rights,” none of which this article addresses but all of which are equally important.
BACKGROUND ON EU DATA PROTECTION LAWS
Since 1995, the EU has regulated data privacy under Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 O.J. (L 281) (Directive). A directive is EU legislation that requires member states to achieve a certain goal but allows each member state to implement its own laws on how to reach that goal. The Directive resulted in twenty-eight data protection laws across the EU. In an effort to keep pace with technology, offer greater protections and rights to EU citizens, and harmonize data protection laws, the EU Parliament approved the final text of GDPR in 2016. Unlike the Directive, GDPR is a regulation – a binding legislative act that is enforceable as law in all EU member states. The immediate result of GDPR will be one comprehensive data protection law in the EU instead of twenty-eight, although GDPR has several “opening clauses,” which permit EU member states to modify certain provisions of GDPR. While many aspects of the Directive continue in GDPR, there are key differences that will affect U.S. organizations. Just how much effect GDPR will have on an organization will...