The European Union May Change the Way in which U.S. Companies Must Protect Personal Data


Practice Areas

Bob Bryan
Robinson Bradshaw Publication
April 12, 2017

The United States has always viewed the protection of personal data as a commercial issue and has tried to draw a reasonable balance between the use and protection of personal data. The EU views the protection of personal data as a fundamental human right. It is willing to place a heavier burden on companies with respect to their commercial use of data and to provide individuals with greater rights to control and restrict the use of their personal data. Over the last few years, the EU has become more aggressive in seeking to ensure EU-type protection for the personal data of EU residents collected by U.S. companies.

Sweeping changes are now on the horizon. In 2016, the EU adopted a new regulation on personal data that will become effective in May 2018 - the General Data Protection Regulation. Under existing law, which will remain until the effective date of the new GDPR, EU law does not generally apply to the typical small U.S. business that operates solely in the United States but accepts online orders from EU residents. The GDPR purports to extend its coverage to any company that processes the personal data of EU residents if the processing is related to the offering of goods or services to EU residents or monitoring the behavior of EU residents in the EU, even if the U.S. company has no office in the EU and does not process data using equipment located in the EU.

If the GDPR applies to a U.S. company, that company will be subject to new requirements that will change the way in which it handles the personal data of EU residents. As a starting point, the EU will require “fair processing” of such personal data, which will generally impose obligations on the collection, storage and use of personal data that are slightly more stringent than the current best practices in the United States. Among other things, the fair processing requirement will require companies to have more detailed privacy policies and new and more cumbersome user registration procedures to ensure that users provide “freely given, specific, informed and unambiguous” consent to many of the common uses of personal data.

A more troubling aspect of the GDPR relates to new rights granted to EU residents to control, limit and prohibit the processing of their personal data. If these requirements apply to a U.S. company, they will fundamentally change the way in which the U.S. company uses such personal data and will impose material new costs and burdens. The most significant rights are discussed below:

Finally, the GDPR will strictly control any covered company’s collection and use of sensitive types of personal data, such as data concerning racial or ethnic origin, political opinion, religious or philosophical belief, trade-union membership, genetic or biometric data, and data concerning a person’s health, sex life or sexual orientation. This type of data cannot be processed without explicit consent, and a company has very limited rights to use sensitive data to make automated (that is, profiling-based) decisions that would have a significant legal impact on the individual.

Many companies will have already had a glimpse of this new legal landscape by taking the required steps to comply with the new Privacy Shield when they transfer personal data from the EU to the United States. To qualify for the Privacy Shield under the rules adopted by the U.S. Department of Commerce, a company must adopt some of the general EU principles of “fair processing” of personal data, including an expanded privacy policy, limitations on the onward transfer of personal data to any company with less stringent protections, and the ready availability of an independent third party to resolve disputes. To qualify for the Privacy Shield, a company must grant the data subject some, but not all, of the rights that will be required by the GDPR. The data subject must have a limited version of the right to review and correct the data discussed above and must have the right to limit the use of provided personal data, but the Privacy Shield does not require a company to extend the right to be forgotten or the right to data portability as discussed above.

Companies trying to cope with these changes will face a fluid situation over the next year for several reasons. First, while the purported scope of the GDPR is expansive, many observers question whether the EU will really try to enforce the GDPR against U.S. companies with no physical presence or assets in the EU. Second, the EU is only slowly releasing guidance, so many of the high-level requirements are still unclear in application. Finally, even recently negotiated mechanisms such as the Privacy Shield continue to be under legal attack in the EU because of widespread skepticism about the adequacy of personal data protection in the United States. It is entirely unclear how the new U.S. administration will respond to demands that the Privacy Shield be strengthened, or what options would be available to U.S. companies if the EU courts were to hold it invalid.

We will update you as these developments unfold over the next year. In addition, when the implementation date for the GDPR gets a little closer, we will provide you with more detailed guidance on the changes you should expect and your options for dealing with those changes.

Main Menu