On April 14, 2016, the European Union formally adopted a new scheme – known as the EU General Data Protection Regulation (GDPR) – to protect the personal data of European residents. The GDPR will enter into force in May 2018, replacing the EU Data Protection Directive 95/46/EC.  The GDPR is significantly more onerous than the Directive, seeking to enhance data privacy protections for Europeans. US health care organizations processing Europeans’ personal data should start preparing now for compliance.

US health care companies who may come into contact with personal data belonging to EU data subjects should carefully consider whether they will be subject to the GDPR. Unlike the Directive, the GDPR will also apply to organizations outside the EU where the organizations’ personal data processing activities relate to goods and services offered to individuals in the EU or to the monitoring of such individuals’ behavior. This will mean that US health care companies marketing health care goods and services to European residents may be subject to the GDPR.