30 October 2020
When the EU General Data Protection Regulation (GDPR) came into force in 2018, it brought many changes for businesses inside and outside of the EU.
Developments in 2020 have only increased the compliance challenges for non-EU businesses, particularly those in the United States.
This article will look at the main GDPR compliance requirements for U.S. businesses operating in the EU. We'll also consider the impact of a recent court case known as "Schrems II."
First, the basics: does your U.S.-based business actually need to comply with EU privacy rules?
Here's the relevant part of the GDPR, at Article 3:
So, for U.S. businesses, you need to comply with the GDPR if:
For this article's purposes, when we refer to "the EU," we include the UK and the countries in the European Economic Area: Iceland, Liechtenstein, and Norway.
Being "established in the EU" is ultimately determined on a case-by-case basis, but we can draw some general insights from sources such as Recital 22 of the GDPR, the European Data Protection Board (EDPB), and the EU legal case of Weltimmo v NAIH.
Being established in the EU could mean having a branch, office, or subsidiary company in the EU, but this isn't necessary. It might just mean having an employee or agent based in the EU.
A company that offers goods or services in the EU (whether or not it charges for them) must comply with the GDPR. In short, if you want EU customers, you'll have to comply with the GDPR.
The following factors might indicate your company is offering goods and services in the EU:
The GDPR applies to any company "monitoring the behavior of people in the EU," which is more common than it might initially sound.
Acts that could constitute the monitoring of people's behavior include:
If you know you need to comply with the GDPR, you must comply with all of its requirements. There are no exemptions for non-EU businesses and very few for small companies.
We're not going to detail all of the GDPR's requirements here. However, here's an overview of some of the main concepts and responsibilities, with links to further resources:
Your first step towards GDPR compliance is understanding the law's definition of "personal data" (personal information) and "special categories of personal data" (sensitive personal information).
The GDPR's concept of personal information covers many different types of data. The law features a broader dragnet than most U.S. laws, except for the California Consumer Privacy Act (CCPA).
The GDPR defines "personal data" as "information relating to an identified or identifiable natural person," including:
There are some types of personal information, known as "special categories of personal information," that you may not process unless you comply with specific rules. These include information revealing a person's:
The GDPR's principle of "data minimization" requires that you only collect the personal information you need to fulfill a specific purpose. Keeping your data collection to a minimum also reduces the amount of work necessary to keep it secure.
Carefully record each type of personal information you collect. Consider:
If your company has no establishment in the EU, you'll need to appoint someone to represent your company in the EU.
An EU representative:
You can choose whoever you want to be your EU representative, as long as:
Your EU representative should be established in the EU country in which you do most of your business.
You don't need to appoint an EU representative if all of the following apply:
Your EU representative doesn't need to work exclusively for your business. Some companies offer EU representation as a service.
Under the GDPR, some organizations must appoint a Data Protection Officer (DPO). A DPO is a person with general responsibility for GDPR compliance within your company.
You only need to appoint a DPO if one or more of the following conditions apply:
A DPO might be one of your existing employees. You can also hire an external contractor to be your DPO. The Article 29 Working Party recommends that your DPO be established in the EU, but this isn't a GDPR requirement.
The duties of a DPO include:
Some rules apply when appointing your DPO:
A DPO must also have a special status within your company:
The most complicated issue for U.S. companies attempting to comply with the GDPR is how to receive personal information from EU companies and individuals.
Before reading this section, please be aware that there are no easy answers to the question of how U.S. companies can transfer personal information from the EU to the U.S. at the time of writing. We recommend you seek legal advice on this matter if you are uncertain.
The GDPR contains strict rules about transferring personal information from the EU to "third countries" that do not have an "adequate" level of data protection. Owing to its weaker privacy regulations, the U.S. is one such "third country."
EU companies are forbidden from sending personal information to U.S. companies (even their own U.S. subsidiaries) unless certain safeguards are in place. These safeguards ensure that the personal information remains secure and that EU residents can still access it.
For example, let's say your company hosts websites for EU clients. The personal information collected by your clients is transferred to your company's servers. You need to ensure there is an arrangement between your company and its clients to safeguard this personal information.
Previously, U.S. companies could certify with the "Privacy Shield" framework. Privacy Shield was an arrangement between the U.S. Department of Commerce and the EU, designed to ensure that U.S. companies took good care of EU individuals' personal information.
In July 2020, the Court of Justice of the European Union invalidated Privacy Shield as part of a case known as "Schrems II." The court cited issues with U.S. government surveillance affecting EU individuals' rights. For more information, see our article: Why the EU-U.S. Privacy Shield Was Invalidated.
This means that Privacy Shield is no longer an option for U.S. companies operating in the EU.
Standard Contractual Clauses (SCCs) are legally binding terms requiring the safeguarding of personal information, adopted by the European Commission. EU companies can insert SCCs into contracts with non-EU companies to facilitate international data transfers.
There are three sets of SCCs: two for transferring data between two data controllers, and one for transferring data between a data controller and a data processor.
Here's an example of one of the SCCs from set 1:
As you can see, this clause requires data controllers to implement technical measures to keep personal information confidential. For example, the controller might encrypt the personal information during storage and transfer.
SCCs were initially considered by some observers to be "safe" following the Schrems II judgment that invalidated Privacy Shield. However, it is now clear that SCCs do not, in themselves, provide an appropriate level of protection over personal information.
In order to use SCCs to facilitate international data transfers, EU and U.S. businesses must determine whether they can implement additional safeguards alongside the SCCs that protect the personal information from U.S. government interception.
If you cannot find a way to safeguard EU consumers' personal information from U.S. government surveillance, you can't transfer personal information from the EU lawfully. For more information, see our article Using Standard Contractual Clauses.
You may also wish to consult the white paper from the U.S. Department of Commerce, published in September 2020. The white paper aims to advise U.S. companies using SCCs on how to continue to transfer personal information from the EU.
However, note that the Department of Commerce's white paper has not been well-received by many EU legal experts. It is questionable whether the white paper sets out a valid assessment of how U.S. companies can continue using SCCs.
Article 49 of the GDPR contains several exceptions to the international data transfer rules. Note that these are exceptions, and they do not represent a viable long-term solution.
We're going to look at two of the Article 49 derogations: consent and contract.
You may be able to make a one-off personal information transfer if the individual has provided explicit, specific, and informed consent.
The GDPR's consent requirements are very rigorous. The "explicit" consent threshold under Article 49 is considered to be even higher than regular consent under the GDPR.
When asking for a person's consent for an international data transfer, you should inform them of:
You may have grounds to make an international transfer if you need to do so in order to fulfill your obligations under a contract or enter into a contract with an EU individual.
Note that it must be necessary to make the transfer to fulfill the terms of the contract. This means that if you failed to make the transfer, you'd be failing to carry out your duties under a contract.
For example, if a travel agent needs to pass on an EU individual's personal information to a U.S. hotel, and they don't have any other safeguards in place, the "contract" derogation might be appropriate as a last resort.
GDPR compliance can be a big task for U.S. businesses, but it's well worth it to gain access to the huge market of EU consumers.
GDPR compliance requirements for U.S. companies include:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.