May 15, 2018

Breaking down five GDPR myths — Why your U.S.-based business may be subject to an EU reg

Written By

Sarah Sloan Reeves
Member, Stoll Keenon Ogden PLLC



By Sarah Sloan Reeves and Shannon Bishop Arvin

The European Union’s (EU) General Data Protection Regulation (aka GDPR) takes effect on May 25, 2018. GDPR has been characterized as “the most stringent data protection law in the world,”* and it targets three key areas of compliance:
•Use and storage of personal data;
•Record-keeping and accountability; and
•Rights of data subjects.

Many U.S.-based businesses may assume a European law won’t apply to their operations. This article challenges that often mistaken assumption and tackles five common GDPR myths:

“My U.S.-based business doesn’t have any offices overseas, so GDPR won’t apply.”

Wrong. You don’t have to have a physical office in the EU or even accept payment from an EU-based customer to be subject to GDPR. The GDPR applies to any business established outside the EU that targets its activities to an EU market. Some types of activities that may be found to be targeted at an EU market are: offering to ship products to EU countries, sending sales agents to EU countries, or representing that your company has EU clientele.

“My U.S.-based business doesn’t target an EU market, so GDPR won’t apply.”

Wrong again. Even if your U.S.-based business doesn’t directly target an EU market, GDPR may apply if your company monitors EU individuals, such as through Internet use profiling or collecting information from EU users online.

“My U.S.-based business only sells to Americans, so GDPR won’t apply.”

Not necessarily. You may be surprised to learn that GDPR applies its protections to any “data subject”, which includes any person who is “in” the EU. While the application of the term is not entirely clear, it is evident that a data subject doesn’t need to have an EU passport, or even be an EU resident. If your business collects the personal data of a person while he or she is on vacation in the EU, GDPR is potentially applicable.

“My U.S.-based business doesn’t use any personal data, so GDPR won’t apply.”

Are you sure? GDPR defines “personal data” to include any identifier that could, either alone or in conjunction with other information, identify a natural person. For example, guidance issued by the European Commission’s Article 29 Working Party suggests that a person’s IP address and cookie strings may constitute personal data. In addition, GDPR affords greater protections to “special categories of personal data”, such as data relating to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships, etc. Personal data related to criminal offenses is also provided similar extra safeguards.

“It’s too expensive to comply with GDPR, so I’ll just chance it.”

“Chancing it” isn’t an option. It is more expensive not to comply with GDPR. Fines may be imposed of up to $20 million or, in some cases, up to 4% of your business’s total annual global turnover. In addition, GDPR provides for other sanctions and even allows individuals to file class-action style suits against businesses who don’t comply.

What does all of this mean for your U.S.-based business? Chances are your U.S.-based business needs some compliance updates, whether that means revising current privacy policies, payment policies and terms of use, auditing high risk areas, implementing procedures to protect data subjects’ rights, or reviewing insurance policies and vendor and other supplier contracts that may process personal data, just to name a few. Contact SKO if you would like assistance or advice on whether GDPR might apply to your business and, if so, what steps your business should take as a result.

*DLA Piper, Data Protection Laws of the World.

Written By