Transatlantic trade is vital for the global economy, but the developing framework of international data privacy legislation is having a real impact on how companies can operate on both sides of the pond.
This article provides information for US companies that want to adapt their policies and procedures to respect GDPR’s strict data privacy laws, and illustrates why this process is so important.
It also looks at the territorial scope of GDPR, discusses which US companies are implicated, and outlines how they can meet GDPR requirements.
Let’s jump right in.
GDPR is the European Union’s data protection regulation. It governs how organizations collect, use, store and share the personal data of people in the EU, whatever the purpose of the processing.
So, if it’s an EU law, why should US companies care?
In short, because the law has “extraterritorial” scope, meaning that it can apply to companies anywhere in the world that handle the personal data of people in the EU.
Crucially, the US does not currently have an adequacy decision from the EU, which US companies could otherwise rely on to receive EU personal data without extra safeguards. Note that even an adequacy decision only covers transfers: it would not exempt a US company from GDPR itself, which applies on the basis of Article 3 regardless of how the data crosses the Atlantic.
The EU-US Privacy Shield was invalidated by the Court of Justice of the European Union in its Schrems II ruling in July 2020. The court found that US surveillance law did not adequately protect EU personal data from government access and that people in the EU had no effective remedy against it.
However, GDPR compliance is no bad thing, not least because it builds trust with customers, who are increasingly concerned about what happens to their personal information online.
New data privacy laws modeled on GDPR are being introduced all around the world, and a company that already complies with the European framework will have done most of the work needed to satisfy the others, so it can operate internationally without falling foul of regulators.
In the US itself, the California Consumer Privacy Act (CCPA) is widely known as “America’s GDPR”, and the California Privacy Rights Act (CPRA), which amends and expands it, brings data privacy law in the country’s most populous state even closer to the EU standard.
And with more than 30 other states drafting or debating privacy bills of their own, data privacy compliance will soon become the new normal for US companies.
Under Article 3, GDPR applies to a US business that is established in the EU, that offers goods or services to people in the EU (whether or not payment is involved), or that monitors the behavior of people in the EU, for example by tracking or profiling visitors to its website.
In practice, this means GDPR can apply to a US business with no office, staff or servers in the EU: what matters is whether it targets or monitors people in the EU, not where the company itself sits.
What’s more, it affects every type of company – public and private alike.
It’s also important to remember that the definition of personal data under GDPR is broader than under most US laws, which have traditionally focused on narrower categories such as financial, health or other data that could be used for identity theft or fraud.
Under GDPR, personal data is any information relating to an identified or identifiable person, which includes obvious identifiers like names and email addresses but also IP addresses, cookie and device IDs, and location data. We’ve written about this subject before, and understanding what information is and isn’t covered is a great starting point for meeting the law’s requirements.
GDPR has a bite as well as a bark: companies found to have infringed it can be fined up to €20 million or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher.
US companies have not been spared, and the huge fines handed out to them make regular headlines. Indeed, most of the largest fines so far have gone to US tech giants such as Amazon, Meta (Facebook) and Alphabet (Google).
Beyond financial penalties, supervisory authorities can also order audits and impose temporary or permanent bans on a company’s processing of EU personal data, with serious consequences for its revenue and reputation.
US companies need to meet a wide range of standards regarding how they handle EU personal data. These include:
Obviously, full GDPR compliance goes much deeper than the points mentioned above.
GDPR has been good for people in the EU and their sensitive personal information, but meeting its requirements has been a heavy lift for companies, and much of that work lands on marketers, since they run the consent, tracking and mailing systems that the law regulates most directly.
If you’re looking for more detailed information about compliance, why not look at our in-depth GDPR hub – where you can find everything you need to know.
Alternatively, we’ve created a GDPR compliance checklist that provides information on all the practical steps a company needs to follow to ensure they stick to the letter of the law.