U.S. Small Business Owners and Europe’s General Data Protection Regulation
4. Stronger User Rights in Connection with the Safeguarding of their Personal Information
In the event of a data breach, businesses that have been compromised will be obligated to inform users “without delay,” defined as within 72 hours.
Moreover, a user will now be able to move his/her data to another social media platform and have personal data held by the transferor platform deleted. As explained by the European Commission, the GDPR recognizes the right of a user “to be forgotten.”
5. Stronger Enforcement Measures
Under the GDPR, 28 Data Protection Authorities will be appointed.
These Data Protection Authorities will be able to provide guidance concerning the scope of the GDPR and to interpret the regulation and develop binding precedent regarding its construction. The Data Protection Authorities will also be able to impose severe fines as discussed in our opening paragraph.
While U.S. companies with a European presence will be more directly exposed to enforcement activity, negotiations are underway between the European Union and the United States over an EU-U.S. Privacy Shield Data Sharing Agreement which could allow for U.S. companies without a presence in Europe to become exposed to EU sanctions. At least one commentator has pointed out that even if civil enforcement does not eventuate, there is considerable cooperation between U.S. and European law enforcement agencies in this area.
The takeaway:
- The GDPR purports to reverse presumptions regarding the question of who should own and control personal data by empowering internet users to protect their data. Businesses using “personal data” are obligated under the GDPR to make more robust disclosures about how personal data is being used and to delete personal data as may be required by the user.
- Although the GDPR is designed to cover the rights of EU citizens, because the marketplace is global, the jurisdictional reach of the regulation is substantial and could well reach U.S. companies, even those based in the U.S.
- E-commerce companies which market globally should review with legal counsel the application of the GDPR and whether privacy policies and practices should be modified to comply with its requirements.
- Even if a company arguably is not exposed to the GDPR, it may still be worth considering its provisions because it may yet be a foreshadowing of significant changes in U.S. law in the data protection area.
[1] “Does GDPR Apply to your U.S.-Based Company?”, Jackson Lewis PC Workplace Privacy, Data Management & Security Report (January 8, 2018).
[2] European Commission priorities, which elaborate on many of the points made in this article.