The European Union’s (“EU”) General Data Protection Regulation (“GDPR”) turned one year old on May 25th. European data protection regulators celebrated by continuing to work through a rising number of complaints and infractions, and by stepping up their monitoring for violations. US companies are directly in the crosshairs. Whether based in the EU or not, a company is potentially subject to the GDPR (and its stiff fines up to 4% of annual global revenue) if it offers goods or services to data subjects located in the EU, or monitors individuals’ online behavior or personal information in the EU. This means that a US company engaged in the common business practice of collecting data from its EU customers must assess and implement business practices to ensure GDPR compliance.
The US and EU engaged in approximately $1.3 trillion in trade last year. With that level of economic activity, and the accompanying data flows, many US companies should already have in place the basic structures for GDPR compliance. However, recent surveys suggest that a significant number of companies affected by the GDPR are still grappling with compliance. In a recent Forrester Research study, “Security Through Simplicity,” over half of the responding IT decision-makers revealed that their companies had not yet carried out even basic GDPR compliance steps such as vetting third-party vendors, hiring data protection officers, training employees, setting up mechanisms for the “72-hour data breach notification” requirement, and collecting evidence and documenting efforts to address GDPR compliance risks. Further, only about 4,650 US companies are currently registered and self-certified with the EU-US Privacy Shield framework (compared to the over 100,000 mid- to large-sized companies in the US, according to business census data). Such certification goes a long way toward permitting a US company to receive certain EU data in a GDPR-compliant manner.
US companies unprepared to meet GDPR obligations when processing EU personal data are at risk. EU regulators reportedly are just getting warmed up; the European Data Protection Board, which is made up of regulators from across the EU, reported that in the first nine months the GDPR was in effect, over 205,000 cases were reported to EU supervisory authorities and other data protection watchdogs. About 65,000 of these concerned data breaches, ranging from minor incidents (such as email messages sent to the wrong recipients, telemarketing complaints, and promotional emails) to more significant claims such as major hacks affecting millions of individuals, improper consumer activity tracking, illegal video surveillance/CCTV data logging, and improper advertisement personalization.
There is a growing list of US companies already subjected to GDPR-related EU regulatory actions, including Amazon, Apple, Facebook, Google, Netflix, Spotify and Twitter. Indeed, the French Data Protection Authority, CNIL, recently levied upon Google a record fine of approximately $57 million for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization.” The risks to US companies also extend to the measures they take to protect, process, and transfer personal data from the EU to the US in connection with regulatory investigations or litigation.
Taking meaningful steps now toward GDPR compliance is the best way for US companies doing business of any kind involving EU personal data—including those with no physical presence in the EU—to prepare for and mitigate their risk. CNIL’s $57 million fine is instructive; it will not be the last significant penalty on US businesses for asserted GDPR violations. It accordingly is imperative that US companies (i) have a clear picture of the specific risks and potential penalties posed by the GDPR; (ii) assess and plan for compliance well in advance of any complaint or investigation; and (iii) be prepared to defend and show evidence of good-faith efforts toward compliance. The presence of even an imperfect, if well-intentioned, compliance program may substantially reduce penalties for violations. In contrast, failing to consider and make informed decisions regarding the GDPR and other data protection requirements risks serious consequences.
For additional information regarding GDPR readiness and compliance, please visit Crowell & Moring’s E-Discovery & Information Management and European General Data Protection Regulation webpages, or contact a Crowell & Moring attorney.