By Krista Fonseca
In order to ensure that U.S. companies maintain a competitive advantage in the European Union markets U.S. companies must comply with the GDPR and any special derogations that a Member State has enacted.
The European Union’s General Data Protection Regulation (GDPR) will be applicable as of May 25, 2018. The GDPR replaces the current 1995 European Data Protection Directive (Directive 95/46/EC). Overall, the purpose of the GDPR is to protect the fundamental rights and freedoms of citizens within the European Union with regard to the protection of their personal data. Any U.S. company that has a web presence in one of the 28 Member States of the European Union and markets their products over the web will have to bring about changes to how they do business. These options include complying with the GDPR, joining the EU-U.S. Privacy Shield Program, or referring to one of the GDPR’s derogations. Of these three options the option I am recommending for U.S. companies is complying with the GDPR and also any special derogations that a Member State has enacted. In this article I will outline the three options for U.S. companies and provide guidance on the nuances of the GDPR specifically.
Options for U.S. Companies
Compliance with the GDPR
Compliance with the GDPR is absolutely necessary if U.S. companies intend to remain competitive in European Union markets. Non-European Union companies that manage E.U. citizens’ personal data and fail to comply with the GDPR are subject to substantial fines for non-compliance. These penalties can reach as high as 4% of total global revenues or €20,000,000 (which is approximately $24 million), whichever is greater. These are subject to judicial review and due process. Additional sanctions can be imposed by European Union Member States.
Joining the EU-U.S. Privacy Shield Program
According to article 45 of the GDPR, the European Commission is responsible for determining whether a country outside of the European Union offers an adequate level of data protection. The adoption of an adequacy decision involves (1) a proposal from the European Commission; (2) an opinion of the European Data Protection Board; (3) an approval from representatives of European Union counties; and (4) the adoption of the decision by the European Commissioners. The effect of an adequacy decision is that personal data can flow from the European Union to a country outside of the European Union without any further safeguards. So far, the European Commission has recognized “Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the U.S. (limited to the Privacy Shield framework) as providing adequate protection.”
For companies in the U.S that means that to be deemed as providing adequate protection they must join the EU-U.S. Privacy Shield program. If U.S. companies decide not to join the EU-U.S. Privacy Shield program, they must follow the GDPR guidelines to continue processing the personal data of “data subjects” in the European Union. The Privacy Shield program is administered by the International Trade Administration within the U.S. Department of Commerce. To join the EU-U.S. Privacy Shield program, a U.S. based company must self-certify itself on the Privacy Shield Framework website to the Department of Commerce and publicly commit to comply with the Framework’s requirements. Joining is voluntary, but once a company publicly commits to comply with the Framework’s requirements the commitment becomes enforceable under U.S. law.
Being certified under the EU-U.S. Privacy Shield can give U.S. companies a head start on fulfilling the GDPR’s standards. It also provides legal clarity and direction on the EU’s data protection laws, but it will not guarantee total GDPR compliance. Further, it is important to note that the EU-U.S. Privacy Shield will be revisited every year and could change. Therefore, if a U.S. company decides to join the EU-U.S. privacy shield it is important to have an assigned employee stay current on all future updates.
Adherence to GDPR’s Derogations
EU Member States may introduce derogations or exemptions from the GDPR’s transparency obligations, but only when the measure respects the essence of the data subject’s individual rights. The measure must safeguard one of the following: national security; defense; public security; the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; other important objectives of general public interest of the Union or of a Member State; the protection of judicial independence and judicial proceedings; the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; a monitoring, inspection or regulatory function connected to the exercise of official authority; the protection of the data subject or the rights and freedoms of others; or the enforcement of civil law claims.
Companies must therefore adhere to the GDPR and also any special derogations that a Member States has enacted. The large number derogations that exist under the GDPR may serve to undermine the core principles of the GDPR which is to create a single EU-wide law on data protection and also may result U.S. companies having to continue to deal with national data protection law variations to ensure compliance with varying EU data protection requirements.
Territoriality of GDPR
The GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (1) the offering of goods or services to such data subjects in the union irrespective of whether a payment of the data is required; or (2) the monitoring of their behavior as far as their behavior takes place within the Union. Companies outside of the European Union must comply with the GDPR when consumers or “data subjects” are physically in the European Union when the data is collected. Therefore, when these consumers are outside of the European Union the GDPR would not apply. A financial transaction is not required for the GDPR to apply. For example, if a company collects personal data as part of a marketing survey that information would be protected by the GDPR. The GDPR requirements apply no matter the size of the business processing the information, or the amount of information being processed.
Controllers vs. Processors: What’s the Difference?
Under the GDPR, both processors and controllers are accountable and responsible for the handling of European Union citizens’ personal data. Previously Controllers alone bore this burden in regard to privacy requirements. Additionally, fines under the GDPR can be applied to both controllers and processors. Fines are imposed with regard to the degree of responsibility held by the controller or processor. The controller is the company who determines the purposes and means of the processing of personal data. The controller is responsible for demonstrating technical and organizational measures to ensure compliance with the principles relating to the processing of personal data. A processor is a company that processes personal data on behalf of another company who is the controller. The processor is responsible for providing sufficient guarantees to implement appropriate technical and organizations measures in order to meet the requirements of this regulation and ensure the protection of the rights of the data subject.
Personal Data Breach
If a personal data breach were to occur the controller has 72 hours to notify the supervisory authority. If the notification occurs after 72 hours, it must also explain the reasons for the delay. When there is a high risk that individual’s rights and freedom have been compromised, the controller must notify the affected individual.
Overall, for true GDPR compliance practitioners and U.S. companies must comply with the GDPR and also any special derogations that a Member State has enacted. U.S. companies must also review their data protection policies and technology to ensure they are compliant with the GDPR in order to avoid significant penalties and fines. Failure to comply with the GDPR will put U.S. companies at a competitive disadvantage.
 GDPR Portal: Site Overview, EU GEN. DATA PROTECTION REG., https://www.eugdpr.org/eugdpr.org.html (last visited Feb. 9, 2018).
 The History of the General Data Protection Regulation, European Data Protection Supervisor, available at https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en (last visited Feb. 9, 2018).
 Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016, art. 83(5), 2016 O.J. (L 119) 1 [hereinafter GDPR]. See also GDPR, supra note 3, art. 1.
 European Union – Data Privacy and Protection, European Union Country Commercial Guide (July 19, 2017), https://www.export.gov/article?id=European-Union-Data-Privatization-and-Protection.
 How the GDPR Will Impact Law Firms and What Lawyers Need to Know, Wolters Kluwer (Sept. 8, 2017), http://www.kleos.wolterskluwer.com/en/gdpr-will-impact-law-firms-what-lawyers-need-to-know/.
 GDPR, supra note 3, art. 83.
 Adequacy of the Protection of Personal Data in Non-EU Countries: How the EU Determines if a Non-EU Country Has an Adequate Level of Data Protection, EUR COMMISSION, https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en (last visited Feb. 9, 2018).
 Privacy Shield Program Overview, PRIVACY SHIELD FRAMEWORK, https://www.privacyshield.gov/Program-Overview (last visited Feb. 9, 2018).
 Olivia Munro, What You Need to Know About the EU-U.S. Privacy Shield and the GDPR, EZECASTLE INTEGRATION (Jan. 11, 2018), https://www.eci.com/blog/16000-what-you-need-to-know-about-the-eu-us-privacy-shield-and-the-gdpr.html.
 William RM Long & Francesca Blythe, Member States Derogations Undermine the GDPR, PRIVACY LAWS & BUS U.K. REP, 11, 12 (May 2016), https://www.sidley.com/-/media/publications/gdpr-derogations.pdf.
 GDPR, supra note 3, art. 23.
 Long & Blythe, supra note 17, at 12.
 GDPR, supra note 3, art. 3.
 Yaki Faitelson, Yes, the GDPR Will Affect Your U.S.-Based Business, Forbes (Dec. 4, 2017, 8:30 AM), https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/#499697106ff2.
 Angela P. Doughty & Caroline O. Outten, New Year, New Data Protection Law: Is Your Company Ready for the GDPR?, WARD AND SMITH, P.A. (Jan. 8, 2018), https://www.wardandsmith.com/articles/new-year-new-data-protection-law-is-your-company-ready-for-the-gdpr.
 Don Macfarlane, What US Companies Need to Know About the GDPR, Hanzo (May 18, 2017), https://www.hanzo.co/blog/what-us-companies-need-to-know-about-the-gdpr.
 Carla Bouca, EU GDPR Controller vs. Processor – What Are the differences?, EUGDPR KNOWLEDGE BASE, https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/ (last visited Feb. 9, 2018).
 GDPR, supra note 3, art. 4.
 Id. at art. 33.