U.S. Small Business Owners and Europe’s General Data Protection Regulation





4. Stronger User Rights in Connection with the Safeguarding of their Personal Information

In the event of a data breach, businesses that have been compromised will be obligated to inform users “without delay,” defined as within 72 hours.

Moreover, a user will now be able to move his/her data to another social media platform and have personal data held by the transferor platform deleted. As explained by the European Commission, the GDPR recognizes the right of a user “to be forgotten.”  

5. Stronger Enforcement Measures

Under the GDPR, 28 Data Protection Authorities will be appointed.

These Data Protection Authorities will be able to provide guidance concerning the scope of the GDPR and to interpret the regulation and develop binding precedent regarding its construction. The Data Protection Authorities will also be able to impose severe fines as discussed in our opening paragraph.

While U.S. companies with a European presence will be more directly exposed to enforcement activity, negotiations are underway between the European Union and the United States over an EU-U.S. Privacy Shield Data Sharing Agreement, which could allow for U.S. companies without a presence in Europe to become exposed to EU sanctions. At least one commentator has pointed out that even if civil enforcement does not eventuate, there is considerable cooperation between U.S. and European law enforcement agencies in this area.

The Takeaway:

  • The GDPR purports to reverse presumptions regarding the question of who should own and control personal data by empowering internet users to protect their data. Businesses using “personal data” are obligated under the GDPR to make more robust disclosures about how personal data is being used and to delete personal data as may be required by the user.
  • Although the GDPR is designed to cover the rights of EU citizens, because the marketplace is global, the jurisdictional reach of the regulation is substantial and could well reach U.S. companies even if they are based in the U.S.
  • E-commerce companies that market globally should review with legal counsel the application of the GDPR and whether privacy policies and practices should be modified to comply with its requirements.
  • Even if a company arguably is not exposed to the GDPR, it may still be worth considering its provisions because it may yet be a foreshadowing of significant changes in U.S. law in the data protection area. 

[1] “Does GDPR Apply to your U.S.-Based Company?”, Jackson Lewis PC Workplace Privacy, Data Management & Security Report (January 8, 2018)

[2] European Commission priorities, which elaborates on many of the points made in this article


About the author

Robert Goodman

Robert Ian Goodman, Esq. represents clients worldwide in the areas of complex commercial immigration and international and domestic commercial law. Mr. Goodman also provides general counsel services to entrepreneurs and start-up businesses and counsels foreign businesses interested in establishing a presence in the U.S. marketplace and U.S. businesses interested in expanding abroad. Mr. Goodman is principal of Goodman Immigration. He is also Special Counsel to the international boutique law firm, Sharma & DeYoung LLP ("S&D"), where he directs the firm's commercial immigration practice. He also co-chairs that firm's Technology and Emerging Companies Practice Group and is a member of S&D's Commercial Litigation and Arbitration Practice Group.