The EU's General Data Protection Regulation goes into effect on May 25, 2018. GDPR replaces the EU Data Protection Directive. GDPR can apply to US-based businesses even if they do not have offices or employees in the EU. It can also reach activities conducted outside the EU.
The Directive did not regulate US businesses unless the collection or processing occurred within the EU (e.g., if a US-based company had a data center in the EU). Now GDPR clearly has stronger extraterritorial reach than its predecessor.
Businesses collecting and using personal data should know their GDPR obligations. Violators of GDPR face steep penalties. Regulators can fine a company up to 20,000,000 euros or 4% of worldwide annual turnover, whichever is higher.
Follow our three-question flowchart to see if GDPR applies to your company.
Personal data means information relating to an identified or identifiable natural person. A person can be identified from information such as name, ID number, location data, online identifier (like an IP or MAC address), or other specific factors.
An offer has to be more than mere internet access (e.g., Do you target customers in an EU Member State? Do you offer your service in the language of an EU Member State? Do you accept euros? Do you offer to ship products to buyers in an EU Member State?).
Monitoring refers to tracking individuals on the internet and any subsequent use of the data to profile an individual (e.g., Do you collect location information about users in the EU? Do you follow EU users as they browse the internet? Do you predict a user's behaviors based on that information?).
1. Does your company have a branch, office, subsidiary or other establishment in the EU that collects, receives, transmits, uses, stores or otherwise processes personal data (processing need not take place in the EU)? If yes: GDPR Applies.
2. Does your company offer goods or services to individuals in the EU (paid or free)? If yes: GDPR Applies.
3. Does your company monitor behavior of individuals in the EU? If yes: GDPR Applies.
If the answer to all three questions is no: GDPR Does Not Apply.
Our Data Privacy and CyberSecurity Team, along with our international network, including our relationships with U.K.-based firm Bond Dickinson and Lex Mundi member firms, is available to assist and advise clients in efficiently addressing GDPR-related issues. To learn more about the issues in this client alert, please contact Ted Claypoole at TClaypoole@wcsr.com or 404.879.2410.
WOMBLE CARLYLE SANDRIDGE & RICE, LLP