Introduction
The usual assumption of most US businesses is, “the GDPR is an EU regulation, hence it does not impact my organisation.” This belief results most often in unnecessary risk. The US equivalent of this misconception would be a company registered in Texas thinking its services don’t fall under the scope of the CCPA.
The GDPR has extraterritorial effect, that is, it has effect on and more often than not, does affect organisations which are outside the European Union.
Note that since Brexit, the UK has maintained GDPR provisions but further adapted them to its body of laws, this is known as the UK GDPR which adds an additional but small level of complexity for transfers of data outside the UK. For the sake of simplicity, the term GDPR used in this article will also apply to the UK.
What is the GDPR and why it has global reach
The GDPR is the code name for the UK and the EU’s General Data Protection Regulation. It shields the personal data of individuals who are within the European Union, provides rights to the data owners (i.e. individuals) and lays out obligations for the organisations handling that data. It has a general territorial scope such that it may apply to organisations outside of the EU if certain conditions are fulfilled.
A US company may be controlled by the GDPR if it is:
- Providing goods or services to data subjects in the European Union (EEA and UK)
This trigger is independent of payment or contractual terms. A business will be deemed to be targeting or envisaging an EU audience if it engages in any of the following activity:
- Sending physical goods or providing access to digital services into a member state of the EU/EEA/UK;
- Taking payments in a European currency such as Euros;
- Running campaigns that market to email recipients in the EU/EEA/UK; and
- Providing a website or service in a language that is widely spoken across the EU/EEA/UK.
- Tracking the behavior of users in the European Union
This trigger is extremely applicable to digital-first companies today. If your business is tracking or profiling users in the European Union, the GDPR will most likely apply. This includes practices like:
- Tracking European Union website and app users with analytics tools;
- Placing cookies or other tracking tags on the devices of users in the European Union which triggers additional requirements from the ePrivacy Directive and other local laws; and
- Running targeted advertisement campaigns against users within the European Union on the basis of their online behavior.
Article 3 of the GDPR expressly sets out these conditions. These are detailed in additional guidance by the European Data Protection Board (Guidelines 05/2021). Registration of an organization outside of the EU does not necessarily remove a business from scope.
What constitutes personal data under the GDPR?
The GDPR defines personal data as any information relating to an identified or identifiable natural person. This definition is deliberately broad. This is to encompass a wider range of data than the concept of “personally identifiable information” (PII) used in other jurisdictions. It is critical for any organisation to understand what information falls under this comprehensive definition to determine its compliance obligations.
Personal data includes, but is not limited to:
- Direct identifiers: A person’s name, email address, physical address, or telephone number.
- Online identifiers: An individual’s Internet Protocol (IP) address, browser cookies, and device identifiers (IP/MAC address, IMEIs, …).
- Pseudonyms like user IDs, vehicle numbers (VINs), randomly chosen usernames, hashes…
- Metadata in context like timestamps,
- Special categories of data: Biometric data, such as fingerprints or facial recognition information. To learn more about sensitive data under the GDPR, that is addressed in Art.9 of the GDPR and our blog article detailing the differences between PII and personal data.
- Other information: Video or photo recordings, and an individual’s location data.
- IoT data associated with a device purchaser, owner, user, maintenance person, etc…
If your organization collects any of this information from individuals in the European Union, it is processing personal data and must assess its compliance obligations under the GDPR.
What if my business doesn’t comply?
Non-compliance with the GDPR will result in massive financial and reputational losses. Supervisory authorities can impose fines of up to twenty million euros or four percent of the annual global turnover of an organization. This is decided by whichever is the greater. The GDPR has a highly structured framework of administrative fines, which can be applied in two tiers:
- Tier 1: Up to €10 million, or 2% of the company’s total annual turnover worldwide in the preceding financial year. This is decided by whichever is the greater.
- Tier 2: Up to €20 million, or 4% of the company’s total annual turnover worldwide in the preceding financial year. This is decided by whichever is the greater.
Enforcement is also a legitimate concern for U.S. companies. For example, Clearview AI, a U.S.-based firm, was the subject of enforcement action and fines by multiple EU data protection authorities for processing EU individuals’ personal data lacking a sufficient legal basis.
Along with fines, organizations can anticipate loss of customer trust, damage to their reputation, and legal restrictions on their data processing activities. Enforcement action against household names demonstrates that regulators are willing to act against organizations outside the European Union when the GDPR applies.
A simple checklist for your U.S. company
To allow you to consider at a glance whether the GDPR applies to your business, ask yourself the following questions:
- Does your company’s website, app, or service deliver goods or services to individuals in the European Union?
- Do you use instruments that monitor the online behavior of individuals in the European Union?
- Does your company process the personal data of any of your staff members working in the European Union?
- Do you implement any vendor tool to carry any of that data processing for you?
If you answered yes to any of these queries, then it is highly likely your company is subject to the GDPR.
Real-life examples of when the GDPR applies
- An online store in the United States accepting payment in euros and shipping goods to customers in the European Union;
- A company processing payroll for a remote employee working in the European Union;
- A marketing company running targeted campaigns aimed at audiences within the European Union.
Conversely, a strictly internal website with no European customer targeting and only incidental EU visits generally will not be subject to the GDPR.
Special Case: United States companies with EU-Based employees
The processing of employees’ personal data in the European Union triggers GDPR obligations. Some examples are maintaining personal records, processing sensitive information, and monitoring work performance. Paying an employee in the European Union without additional data processing might not necessarily trigger full GDPR compliance requirements. That being the case HR processes need to be carefully reviewed. Please check out our blog article on how the GDPR and effects HR data for non EU-companies for further information.
Your next steps toward compliance
If your business is subject to the GDPR, it’s essential to be forward-leaning with regards to compliance.
- Carry out a data mapping exercise: This will lead to Records of Processing Activities, the details of which are outlined in Art. 30 of the GDPR. Record all personal data your organization gathers and processes, the reason for the data, and where it is stored;
- Determining a lawful basis for all your data processing activities: This provides a documented and valid legal rationale for collecting and using personal data. This could be e.g., user consent, contractual necessity with the person, or legitimate interest of your organization, EU legal obligation;
- Drafting accessible privacy notices: Provides an intelligible and accessible privacy notice describing data collection, purposes, storage, and data sharing practices;
- Respecting the rights of data subjects: Enable individuals to exercise their rights under the GDPR. These rights include access, rectification, erasure, restriction, and objection;
- Appointing a Data Protection Officer (DPO): Appoint a DPO where required. This could be due to processing vast volumes of sensitive personal data or conduct systematic monitoring of individuals;
- Consider an EU Representative: If your business is established outside of the European Union, you may need to have a representative within one of the member states under Article 27; and/or
- Seek expert advice: The GDPR is complex. For complete compliance, it would be ideal to obtain a professional GDPR compliance audit.
Conclusion
Whether the GDPR affects an American business or not is not a matter of a business’s physical presence, but if it has a connection with individuals in the European Union. If your business offers goods or services to EU residents or monitors their activities, then it is very likely the GDPR will affect you. The penalty for failure to comply can be extremely high, both financially and with regard to one’s reputation.
It is suggested that all U.S. businesses conduct an internal examination of data processing operations. If unsure, securing a professional GDPR compliance assessment can guarantee a clear and secure path forward.