GDPR in the US

The recent Facebook fiasco triggered a debate on the safety and security of internet users’ data collected by tech giants, including Google. While many countries are still evaluating proposed practices to safeguard the private information of their citizens, the EU set a strict deadline, 25 May 2018, for publishers worldwide to adhere to GDPR, which the European Parliament passed in April 2016 after 4 long years.

The General Data Protection Regulation (GDPR) is a new piece of legislation that outlines how organizations and businesses collect, use and protect personal data for all individuals in the European Union. It took effect on May 25, 2018, and while officially providing a stricter set of standards for only those citizens and businesses from the EU, its implications reach far wider than the European continent, with rippling effects seen even here in the United States.

The U.S. itself has not yet tackled data security and privacy at a federal level. However, because many American businesses deal with European customers, clients and partners, a large number of them will be subject to compliance with GDPR regulations or face fines up to 4% of annual global revenue, or €20M, whichever is greater. If your business collects data from just one customer while he or she is in the EU, you must be able to prove you are safeguarding data in the appropriate way. This means you must:

  • Ask permission to collect data
  • Disclose how data will be used
  • Collect no more data than is necessary
  • Provide a copy of data to individuals when asked
  • Destroy data that is no longer needed
  • Safeguard data

Individuals, in turn, must be able to:

  • Access their data
  • Correct their data
  • Delete their data
  • Restrict the processing of their data
  • Port their data
  • Object to automated decision-making (profiling)

These are strong restrictions for American businesses not accustomed to enforceable data protection laws and will likely cause confusion and fear as they begin to implement the necessary changes –– and learn about the ramifications should they fail. For instance, consider an EB5 lawyer with clients seeking to invest in U.S. businesses. Under GDPR regulations, U.S.-based attorneys handling these types of issues will now need to ensure that all their data is securely and appropriately maintained per its guidelines. Coupled with whatever restrictions local state laws impose, it will mean a major overhaul of existing data infrastructures, policies and procedures that will likely cost a substantial amount of money.

It will be interesting to see what this will mean for businesses that only marginally deal with European customers and/or suppliers. Will they choose to limit dealings with the European Union and its citizens to mitigate expenses they can’t afford? Only time will tell.