Although the GDPR (General Data Protection Regulation) is rooted in EU law, organisations across the globe have been told that they must comply with its requirements.
This has been most prominent in the US, which is the EU’s biggest trading partner. Despite this, a 2019 study found that only 8% of US companies within the GDPR’s scope were compliant.
If you’re among the other 92%, you are at a much greater risk of data breaches, fines and unhappy customers.
In this blog, we help you avoid that, explaining when and why US organisations must comply with the GDPR and how you can meet its requirements.
Why does the GDPR apply to US organisations?
Article 3 of the GDPR states that the Regulation’s rules aren’t limited to organisations in the EU. They also apply to any organisation that offers goods or services to, or monitors the behaviour of, people in the EU.
As such, organisations in the US (or anywhere else in the world) are subject to the GDPR if they have users or customers in the EU.
Those individuals’ personal data must be protected in line with the GDPR’s requirements, and other relevant arrangements must be made, such as identifying a lead supervisory authority and appointing an EU representative (more on this later).
Does the GDPR apply to EU citizens in the US?
Many non-EU organisations will argue that they have no way of knowing whether a data subject is within the GDPR’s scope, particularly if they visit in person or otherwise suggest that they reside locally.
Fortunately, the data subject’s current location takes precedence over their citizenship when determining whether the GDPR applies. That means EU citizens holidaying or living in the US aren’t subject to the Regulation’s rules.
You can think of it like the law of the land. If the individual is in your country, they are subject only to its laws. But if they are in the EU and provide their information remotely – online or over the phone – they are protected by the GDPR.
Personal data vs personally identifiable information
One of the pitfalls US organisations face regarding GDPR compliance is their understanding of personal data.
US law tends to use the phrase ‘personally identifiable information’, which is defined as an individual’s name alongside another type of identifying information, such as a social security number, bank account number or computer username and password.
The GDPR’s definition is much broader, encompassing any “information related to an identified or identifiable natural person”.
As such, any information that can be used to identify a living person is within the GDPR’s scope.
This includes the examples listed above as well as mobile phone location data, genetic and biometric data, and IP addresses.
It also includes information that can be used in conjunction with other data to gain a better understanding of that person, such as their religion, trade union association, ethnicity, marital status and social media posts.
Examples of GDPR compliance in the US
With the information outlined so far, let’s take a look at some examples of data processing by US companies and whether they are subject to the GDPR.
Example 1: A Chicago restaurant has a website that allows people to book a table or use its takeaway service.
The GDPR doesn’t apply in this case, because its service is only targeted at people living locally.
Although there’s nothing stopping people in the EU from visiting its website, the chances are so remote that the organisation wouldn’t reasonably be expected to implement the necessary measures.
Example 2: A software company in San Francisco has created a tourist app that tracks users’ locations and provides nearby points of interest. It has options for tourists in Paris, London and Rome.
In this case, the GDPR applies, because the organisation’s services are designed to be used by people in the EU, whether they are local or visiting from elsewhere.
Example 3: A US citizen is on a business trip to London. While there, he downloads a news app from his hometown.
In this case, the GDPR doesn’t apply, even though the individual was in the EU when his data was collected.
That’s because, for the Regulation to apply, the goods/services or monitoring must target people in the EU.
Unlike the second example, in which the software company must assume that its service will be used by people in the EU, that’s not the case here.
The news provider’s service is designed specifically for people in the US, and although some people may use its service in the EU, the organisation hasn’t done anything to promote this.
Why is GDPR compliance important for US companies?
If US organisations fail to meet their GDPR compliance requirements, they could face fines of up to €20 million (about $23.8 million) or 4% of their annual global turnover – whichever is greater.
Although penalties this severe are reserved for only the most egregious errors, even a comparatively lenient fine could be devastating.
Consider that, when you remove outliers, the average GDPR fine is about €66,000 ($78,500), according to a report by our sister company.
This sum may not be devastating, but it will cause major problems. There will also be other costs, with non-compliant organisations being subjected to an investigation and required to address their compliance weaknesses.
EU supervisory authorities can enforce fines and other disciplinary actions against US organisations via the organisation’s EU representative.
This is a data protection expert in an EU member state who represents you when dealing with your relevant supervisory authority.
If organisations fail to appoint an EU representative, supervisory authorities can use international law to seek legal action.
How to comply with the GDPR
GRCI Law is dedicated to helping organisations meet their data protection compliance requirements. You can find advice on specific aspects of the GDPR below:
- How to handle data breaches according to the GDPR
- The GDPR and EU representatives
- What are the key provisions of the GDPR?
We can also help you fulfil your representative requirements via our EU GDPR Representative Service.
With this subscription service, our team of lawyers, barristers, and information and cyber security experts take the strain of GDPR compliance, acting as your representative for personal data processing activities.