Is it time to panic yet?
Morgan Malino and Timothy M. Zwerner, J.
Two years ago one of the most impactful data privacy legal regimes was enacted across the European Union. Although the General Data Protection Regulation—or GDPR— was immediately binding across the entire EU, affected companies were afforded a two-year transition period to comply. A spate of new privacy notices and warnings are popping up on our mobile phones, computers and other devices as we browse the internet. After two years of assiduously ignoring what was happening across the pond, U.S. companies are beginning to come around to the idea that maybe, just maybe, GDPR might be important to them.
Does GDPR apply?
First things first: should your clients care about GDPR? For businesses that operate completely locally, the answer is "no." Dry cleaners, gas stations, plumbers can all safely ignore the GDPR and its enforceability date of May 25, 2018.
There are three situations where a U.S. company might be caught in the GDPR net: (1) the company has EU presence, (2) the company targets EU customers or (3) the company monitors the behavior of people in the EU. EU presence typically means a U.S. company has an EU branch or subsidiary, but it might be satisfied with a single individual working from the EU (keep in mind, there is still very limited official guidance). Having a U.S. website that occasionally attracts EU customers probably does not trigger the GDPR, but geographically targeting EU customers, providing EU language options that don't serve your local customers, providing EU currency options and using websites with EU country top level domain names (e.g., .fr, .gg, .it, .es) each strongly suggests an intent to target EU customers.
If a company checks off one or more of the three boxes, then the next question is: does it directly or indirectly process the "personal data" of individuals within the EU? Personal data is anything that can be combined with other information in order to identify a natural person. This is radically different from how U.S. law treats " personal- l y identifiable information," or PII.
In the U.S...