The European Union’s (EU) General Data Protection Regulation (GDPR) is in effect. It’s the greatest change to European data security in two decades. But if your business isn’t physically present in one of the 28 countries of the EU, should you care?
U.S. data protection and privacy laws are weaker than the EU’s approach. There’s also a patchwork of protections with different states having different laws.
If your company has a presence on the internet and uses it to market products and services in an EU country, you need to pay attention. Part of the GDPR states that if you collect personal data or behavioral information from a consumer who is in an EU country when it is collected, your company falls under the GDPR.
Financial transactions don’t need to take place for the GDPR to apply. If you collect “personal data” (generally what is personally identifiable information under U.S. law) as part of a marketing survey, for example, the data collected needs to be protected in accordance with the GDPR.
Do you need to comply with the GDPR?
- Are you targeting consumers in an EU country?
- Is the language used in your marketing the language of an EU country?
- Are there references to EU users and customers?
- Do you accept local currency as payment?
- Do you have a website associated with a European country (“.nl” for the Netherlands for example)?
If so, your webpage would be considered targeted marketing and the GDPR will apply. General marketing wouldn’t count.
If your company falls under the GDPR:
- EU-directed online marketing forms and interactions must obtain explicit consumer consent.
- If an EU customer signs up for a service or buys something, you’ll need to get explicit permission for each type of processing done for the customer’s personal data (email promotions or sharing information with third parties need separate checkboxes).
- After obtaining the data, you will have to protect it according to GDPR’s rules.
The GDPR includes a 72-hour breach notification rule.
- If there’s a breach involving “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed,” then you’ll need to analyze whether the exposed or affected EU personal data identifiers can cause “risk to the rights and freedoms” of EU consumers.
- A large exposure of email addresses, data that includes medical or financial information or identifiers associated with children, would all require notification to an EU regulator or “supervising authority” within 72 hours.
- If there’s a “high risk” to property and privacy rights (credit card numbers or account passwords), individuals need to be notified.
It’s too soon to know how the EU will enforce GDPR rules against companies physically outside the EU. The EU is much more serious about creating a uniform data and privacy law than the U.S. Major U.S. companies have changed their internet practices to comply with these rules. This isn’t just to play nice with the EU; it’s also to try to avoid significant fines. If you don’t report a qualifying breach to a regulator within 72 hours, fines are 2% of your global revenue.
If you have any questions about the GDPR and what your business needs to do to comply with it, contact our office so we can talk about it. I can answer your questions, and we can discuss how we can help.