In Europe, an individual's right to the protection of his or her personal data is a fundamental right.1 The E.U. General Data Protection Regulation ("G.D.P.R."), which takes effect on May 25, 2018, is aimed at protecting that right.2

The G.D.P.R. is notable because it applies to all companies processing personal data of persons residing in the European Economic Area ("E.E.A.") (comprising E.U. Member States as well as Iceland, Liechtenstein, and Norway) regardless of the company's location and irrespective of whether the company has a physical presence in these countries.3

Since the G.D.P.R. was promulgated in the form of a "Regulation," and not a "Directive," it automatically becomes law in each E.U. Member State, without the need to pass transposing domestic legislation.4

The G.D.P.R. replaces Directive 95/46/EC, a 1995 Directive that, until now, constituted the European framework for personal data protection. Directive 95/46/EC did so mainly by placing a compliance burden on "Controllers" of personal data (i.e., legal persons requesting data processing services).5

Adding to the 1995 Directive, the G.D.P.R. also places a compliance burden on "Processors" (i.e., legal persons providing services to the Controllers). Its purpose is to increase E.U. citizens' control over their own data by, inter alia, providing for more transparency, stronger data security, and protection requirements on Controllers and Processors. The G.D.P.R. also implements a mechanism that can result in penalties equal to the greater of €20 million or 4% of annual worldwide turnover.6

During an address in New York on March 28, Mrs. Isabelle Falque-Pierrotin, president of the French Data Protection Authority (the CNIL), stated that the G.D.P.R. constitutes a "legal framework for trust." She explained that data protection is no longer only a legal issue. It has now also become an operational issue and must thus be viewed in an interdisciplinary way.

Translated into plain English, it means that a U.S. company like Tumblr, which is owned by Oath, a subsidiary of Verizon Communications, and targets E.U. customers, may be liable to a penalty of 4% of Verizon Communications' worldwide turnover (notably not its taxable income) for violating the G.D.P.R. This monetary penalty is also accompanied by damage to the company's reputation. U.S.-owned apps that are available to E.U. customers are similarly caught by the G.D.P.R. On a smaller scale, any U.S. business with an email list that includes European customers is affected by the G.D.P.R. As a result, E.U. Member State regulators are afforded the power to prosecute a breach of the G.D.P.R. beyond the borders of the E.U.

In order to achieve clarity, the balance of this article is written in question and answer format, laying out the fundamentals of the G.D.P.R. and its impact on U.S. businesses.

Footnotes

1 Article 8(1) of the Charter of Fundamental Rights of the European Union; Article 16(1) of the Treaty on the Functioning of the European Union.

2 Chapter 1, Article 1(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

3 Note that under Article 7(a) of the Main Part of the E.E.A. Agreement, all E.E.A. States are obliged to adopt the G.D.P.R. Hence, the G.D.P.R. also applies to E.F.T.A. Member States Iceland, Liechtenstein, and Norway. (While a member of the E.F.T.A., Switzerland did not join the E.E.A.)

4 This does not, however, apply to E.E.A. countries, where the procedure for incorporation into domestic law consists of five phases governed by Article 102 (1) to (6) of the E.E.A. Agreement in conjunction with Regulation (EC) No 2894/94 concerning arrangements for implementing the agreement in the E.E.A.

5 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

6 Article 83 of the G.D.P.R.; Clause 37 to the Preamble to the G.D.P.R.
