When the EU General Data Protection Regulation (GDPR) came into force in 2018, it brought many changes for businesses inside and outside of the EU.
Developments in 2020 have only increased the compliance challenges for non-EU businesses, particularly those in the United States.
This article will look at the main GDPR compliance requirements for U.S. businesses operating in the EU. We'll also consider the impact of a recent court case known as "Schrems II."
Do U.S. Companies Need to Comply With the GDPR?
First, the basics: does your U.S.-based business actually need to comply with EU privacy rules?
Here's the relevant part of the GDPR, at Article 3:
So, for U.S. businesses, you need to comply with the GDPR if:
- Your company is established in the EU, or
- You offer goods and services in the EU, or
- You monitor the behavior of people in the EU
For this article's purposes, when we refer to "the EU," we include the UK and the countries in the European Economic Area: Iceland, Liechtenstein, and Norway.
1. Being Established in the EU
Being "established in the EU" is ultimately determined on a case-by-case basis, but we can draw some general insights from sources such as Recital 22 of the GDPR, the European Data Protection Board (EDPB), and the EU legal case of Weltimmo v NAIH.
Being established in the EU could mean having a branch, office, or subsidiary company in the EU, but this isn't necessary. It might just mean having an employee or agent based in the EU.
2. Offering Goods and Services in the EU
A company that offers goods or services in the EU (whether or not it charges for them) must comply with the GDPR. In short, if you want EU customers, you'll have to comply with the GDPR.
The following factors might indicate your company is offering goods and services in the EU:
- You use a language spoken in the EU
- You take payments in an EU currency
- You make reference to EU consumers on your website
- You pay a company to make your website more accessible to EU users
- You run ad campaigns that target EU consumers
- You offer international services that cover the EU
- You use a top-level domain associated with an EU country, like .fr or .pl
- You display testimonials from EU users on your website
3. Monitoring the Behavior of People in the EU
The GDPR applies to any company "monitoring the behavior of people in the EU," which is more common than it might initially sound.
Acts that could constitute the monitoring of people's behavior include:
- Personalized ad campaigns using tracking cookies
- Using geo-location
- Any type of online tracking such as fingerprinting
- Offering personalized diet or fitness analysis
- Monitoring CCTV
- Behavior-based market research
- Monitoring health status
Understand the GDPR
If you know you need to comply with the GDPR, you must comply with all of its requirements. There are no exemptions for non-EU businesses and very few for small companies.
We're not going to detail all of the GDPR's requirements here. However, here's an overview of some of the main concepts and responsibilities, with links to further resources:
- Determine whether you are a data controller or a data processor. Controllers decide how and why to process personal information. Processors process personal information on behalf of a controller.
- Ensure you have a lawful basis for processing personal information.
- Abide by the GDPR's data processing principles, including the requirement to only process the minimum amount of personal information necessary and delete personal information when you no longer need it.
- Facilitate users' data subject rights, including the right to access and delete their personal information.
Determine What Personal Information You Need to Collect
Your first step towards GDPR compliance is understanding the law's definition of "personal data" (personal information) and "special categories of personal data" (sensitive personal information).
The GDPR's concept of personal information covers many different types of data. The law casts a broader net than most U.S. laws, with the exception of the California Consumer Privacy Act (CCPA).
The GDPR defines "personal data" as "information relating to an identified or identifiable natural person," including:
- ID number (including "customer IDs" used for internal purposes)
- Location data
- Online identifier (including MAC address, IP address, device ID, etc.)
- Factors relating to a person's physical, physiological, genetic, mental, economic, cultural, or social identity
There are some types of personal information, known as "special categories of personal information," that you may not process unless you comply with specific rules. These include information revealing a person's:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Sex life or orientation
The GDPR's principle of "data minimization" requires that you only collect the personal information you need to fulfill a specific purpose. Keeping your data collection to a minimum also reduces the amount of work necessary to keep it secure.
Carefully record each type of personal information you collect. Consider:
- Whether you actually need it
- Whether you have a lawful basis for processing it
- Where and how you obtain it
- With whom you share it, and whether you have suitable arrangements in place for doing so (we'll look at this in more detail below)
- How you safeguard it during transmission and storage
- Contact information for your business (and its Data Protection Officer, if relevant)
- The types of personal information you process
- Your purposes for processing personal information
- The types of third parties with which you share personal information
- Your lawful basis for processing personal information
- Your international data transfer safeguards
- Your personal information retention periods
- How EU individuals can exercise their GDPR data rights
- Contact details for the relevant Data Protection Authority
Appoint an EU Representative
If your company has no establishment in the EU, you'll need to appoint someone to represent your company in the EU.
An EU representative:
- Acts as the point of contact for EU consumers and Data Protection Authorities
- Keeps records of certain data processing activities (if you're required to do so)
- Can represent your company in court if a data breach or GDPR violation occurs
You can choose whoever you want to be your EU representative, as long as:
- They have some legal presence in an EU country
- They speak one of the official languages of the EU
- They are not your Data Protection Officer
Your EU representative should be established in the EU country in which you do most of your business.
You don't need to appoint an EU representative if all of the following apply:
- You only process personal information occasionally
- You don't process personal information in a way that is likely to result in a risk to EU residents' "rights and freedoms"
- You don't process large amounts of special category data or criminal conviction data
Your EU representative doesn't need to work exclusively for your business. Some companies offer EU representation as a service.
Appoint a Data Protection Officer (If Required)
Under the GDPR, some organizations must appoint a Data Protection Officer (DPO). A DPO is a person with general responsibility for GDPR compliance within your company.
You only need to appoint a DPO if one or more of the following conditions apply:
- You are a public authority
- Your core activities involve processing personal information
- You process personal information on a large scale
- You engage in regular or systematic monitoring of people in the EU
- You process special category data or criminal conviction data
A DPO might be one of your existing employees. You can also hire an external contractor to be your DPO. The Article 29 Working Party recommends that your DPO is established in the EU, but this isn't a GDPR requirement.
The duties of a DPO include:
- Giving advice to staff about GDPR compliance
- Monitoring GDPR compliance within the organization
- Assigning data protection responsibilities to staff
- Providing data protection training
- Conducting data protection audits
- Carrying out Data Protection Impact Assessments
- Cooperating with the Data Protection Authority
Some rules apply when appointing your DPO:
- You must choose your DPO on the basis of their "professional qualities"
- A DPO must have "expert knowledge" of data protection law
- A DPO must be capable of carrying out their duties
A DPO must also have a special status within your company:
- They must operate independently
- You must not discipline them for carrying out their duties
- They must report to the highest level of management
- They must have the necessary time and resources to carry out their duties
Set Up International Data Transfer Safeguards
The most complicated issue for U.S. companies attempting to comply with the GDPR is how to receive personal information from EU companies and individuals.
Before reading this section, please be aware that there are no easy answers to the question of how U.S. companies can transfer personal information from the EU to the U.S. at the time of writing. We recommend you seek legal advice on this matter if you are uncertain.
The GDPR contains strict rules about transferring personal information from the EU to "third countries" that do not have an "adequate" level of data protection. Owing to its weaker privacy regulations, the U.S. is one such "third country."
EU companies are forbidden from sending personal information to U.S. companies (even their own U.S. subsidiaries) unless certain safeguards are in place. These safeguards ensure that the personal information remains secure and that EU residents can still access it.
For example, let's say your company hosts websites for EU clients. The personal information collected by your clients is transferred to your company's servers. You need to ensure there is an arrangement between your company and its clients to safeguard this personal information.
Privacy Shield (No Longer Valid) and the EU-U.S. Data Privacy Framework (2023)
Previously, U.S. companies could certify with the Privacy Shield framework. Privacy Shield was an arrangement between the U.S. Department of Commerce and the EU, designed to ensure that U.S. companies took good care of EU individuals' personal information.
In July 2020, the Court of Justice of the European Union invalidated Privacy Shield as part of a case known as "Schrems II." The court cited issues with U.S. government surveillance affecting EU individuals' rights. For more information, see our article: Why the EU-U.S. Privacy Shield Was Invalidated.
This means that Privacy Shield is no longer an option for U.S. companies operating in the EU.
However, the EU-U.S. Data Privacy Framework is an acceptable replacement as of July 2023.
Standard Contractual Clauses
Standard Contractual Clauses (SCCs) are legally binding terms requiring the safeguarding of personal information, adopted by the European Commission. EU companies can insert SCCs into contracts with non-EU companies to facilitate international data transfers.
There are three sets of SCCs: two for transferring data between two data controllers, and one for transferring data between a data controller and a data processor.
Here's an example of one of the SCCs from set 1:
As you can see, this clause requires data controllers to implement technical measures to keep personal information confidential. For example, the controller might encrypt the personal information during storage and transfer.
SCCs were initially considered by some observers to be "safe" following the Schrems II judgment that invalidated Privacy Shield. However, it is now clear that SCCs do not, in themselves, provide an appropriate level of protection over personal information.
In order to use SCCs to facilitate international data transfers, EU and U.S. businesses must determine whether they can implement additional safeguards alongside the SCCs that protect the personal information from U.S. government interception.
If you cannot find a way to safeguard EU consumers' personal information from U.S. government surveillance, you can't transfer personal information from the EU lawfully. For more information, see our article Using Standard Contractual Clauses.
You may also wish to consult the white paper from the U.S. Department of Commerce, published in September 2020. The white paper aims to advise U.S. companies using SCCs on how to continue to transfer personal information from the EU.
However, note that the Department of Commerce's white paper has not been well-received by many EU legal experts. It is questionable whether the white paper sets out a valid assessment of how U.S. companies can continue using SCCs.
Article 49 Derogations
Article 49 of the GDPR contains several exceptions to the international data transfer rules. Note that these are exceptions, and they do not represent a viable long-term solution.
We're going to look at two of the Article 49 derogations: consent and contract.
Consent
You may be able to make a one-off personal information transfer if the individual has provided explicit, specific, and informed consent.
The GDPR's consent requirements are very rigorous. The "explicit" consent threshold under Article 49 is considered to be even higher than regular consent under the GDPR.
When asking for a person's consent for an international data transfer, you should inform them of:
- Who is receiving the personal information
- Where their personal information is being transferred (i.e. the U.S.)
- Why you need to make the transfer
- What types of personal information you're collecting
- How they can withdraw consent
- The risks involved in making the transfer
Contract
You may have grounds to make an international transfer if you need to do so in order to fulfill your obligations under a contract or enter into a contract with an EU individual.
Note that it must be necessary to make the transfer to fulfill the terms of the contract. This means that if you failed to make the transfer, you'd be failing to carry out your duties under a contract.
For example, if a travel agent needs to pass on an EU individual's personal information to a U.S. hotel, and they don't have any other safeguards in place, the "contract" derogation might be appropriate as a last resort.
Summary
GDPR compliance can be a big task for U.S. businesses, but it's well worth it to gain access to the huge market of EU consumers.
GDPR compliance requirements for U.S. companies include:
- Understanding all parts of the GDPR
- Determining what personal information you collect
- Appointing an EU representative
- Appointing a DPO (if required)
- Setting up international data transfer safeguards