U.S. Small Business Owners and Europe’s General Data Protection Regulation


The five data privacy insights U.S. small business owners need to be familiar with. 


On or around May 25, 2018, I started to receive notices from banks, websites to which I subscribed, vendors, and even from attorney’s offices, from which I received newsletters, notifying me that their respective privacy policies were being revised in response to the European Union’s General Data Protection Regulation (GDPR) that was coming into effect.  

The GDPR is a piece of legislation passed by the European Parliament. It is not a U.S. law, but it has such jurisdictional reach as to pull in almost any company that receives or could receive personal data from citizens of the European Union.

As one legal commentator explained, “. . . if your organization is a U.S. company with an internet presence, selling or marketing product over the web, or even merely offering a marketing survey globally, you may be subject to the GDPR.” [1]

The GDPR’s reach is not unlimited. Companies that have an internet presence but are based in the U.S. and intend only to serve the U.S. market are likely not covered by the regulation. E-commerce companies that market to Europeans, even in small measure, that provide a payment facility allowing them to purchase goods from the U.S., or that offer a multilingual website to appeal to European purchasers, are most likely covered.

Mechanisms of enforcement with respect to U.S. companies without a physical presence in Europe need clarification, but the penalties for violating the GDPR are severe.

According to the European Commission, which provides online educational resources concerning the GDPR, the Data Protection Authorities charged with enforcing the regulation will have the power to impose fines on businesses of up to 20 million EUR or 4% of a company’s worldwide revenues, whichever is greater.[2] The severity of the potential fines has naturally galvanized a wave of efforts to comply with Europe’s new data privacy rules.

Because of the long reach and wide coverage of the GDPR, and also because it may well be a foreshadowing of potential U.S. data privacy legislation, it is worth reviewing its high points.

Here are the five key insights which impact U.S. small businesses:

1. The Definition of Personal Data

One of the most prominent features of the GDPR is its broad definition of “personal data,” which is defined as “. . . any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.”

The regulation does not apply to deceased persons or legal entities.

Also included within the definition of “personal data” is encrypted (so-called pseudonymized) data that is reversible, i.e., that can be made readable again. For encrypted data to fall outside the definition of “personal data,” the “anonymization must be irreversible.”

The GDPR protects personal data regardless of the technology used to transfer or process it. 

As explained by the European Commission, examples of “personal data” are:

(i) name and surname of a person

(ii) home address

(iii) email address

(iv) identification card number

(v) location data

(vi) internet protocol (IP) address

(vii) cookie address, etc. [3]

2. Clarity of Language and Affirmative Consent

The GDPR requires that privacy policies be written in “clear, straightforward language.”

Prohibited now is the complicated legalese buried at the bottom of a website in micro-print.

Related to the fact that privacy policies must be readable and understandable is the concept that the user must “affirmatively consent” for a business to be able to use her data. As the European Commission explained, “Silence is not Consent.”  

Unlike Europe, the U.S. is a hodgepodge of state and federal laws governing internet privacy, but, for the most part, the theme is that unless a user objects to the exploitation of her personal data, there is no prohibition against its use. The GDPR reverses this presumption.

3. More Transparency

Businesses will no longer be able to transfer personal data to another party without “clearly informing” the user.

Moreover, although businesses will continue to be able to collect and process personal data, they will only be able to do so for a “well-defined purpose”. If a business changes the purpose behind its collecting and processing of personal information, the user will need to be informed about the new “purpose.”

If a party makes a decision affecting a user by applying an algorithm to personal data (e.g., approving loans through an automated process), that party must inform the user whether the decision is automated and give the user an opportunity to contest the result of the algorithm.

Next page: #4 Stronger User Rights, #5 Stronger Enforcement Measures, and Takeaway


About the author

Robert Goodman

Robert Ian Goodman, Esq. represents clients worldwide in the areas of complex commercial immigration and international and domestic commercial law. Mr. Goodman also provides general counsel services to entrepreneurs and start-up businesses and counsels foreign businesses interested in establishing a presence in the U.S. marketplace and U.S. businesses interested in expanding abroad. Mr. Goodman is principal of Goodman Immigration. He is also Special Counsel to the international boutique law firm, Sharma & DeYoung LLP ("S&D"), where he directs the firm's commercial immigration practice. He also co-chairs that firm's Technology and Emerging Companies Practice Group and is a member of S&D's Commercial Litigation and Arbitration Practice Group. 
