By Marco Garbero
The GDPR, to be enforced in May 2018, is the European’s Union’s (EU) attempt to shore up its data control and protect EU citizens from inadequate data protection safeguards. While that may seem on the surface to be very specific, the GDPR is greatly increasing its scope to include entities that process or control the personal data of EU citizens everywhere. A popular e-mail service application such as Google’s Gmail, even with its headquarters located in the U.S., could potentially be liable for obligations under the GDPR. Simply because EU citizens use the service and may store data in the U.S. brings Gmail square within the regulations. These obligations imposed could include extensive breach notification protocols, necessitated specific consent for users, and thoroughly enhanced data subject rights.
In particular, the GDPR represents a further divergence in data protection for the United States and Europe. While the United States has become notorious for subjecting its own population to potential surveillance through the Patriot Act, the EU has practiced strong protection against the unauthorized use of the data of its citizens. This contrast is quite visible, as the EU and U.S. recently struggled to negotiate how personal data should be transferred between the two. A new act governing these specific transfers, the EU-US Data Privacy Shield, has faced much scrutiny, and many speculate that it will not hold up to the high standards of European courts.
Regardless of how well the privacy shield holds up, companies who process EU data or have EU users will need to check compliance under the new GDPR. When the day of enforcement comes, entities deemed as data controllers, or data processors, will be subjected to heavy fines if found to have misused or mishandled personal data. While there is some ambiguity to how these fines will be applied, the regulations hold that fines could be up to 4% of an entity’s annual global turnover, or up to €20 Million euro for each offense found. With the increased scope giving the regulation extra-territoriality, these fines are not something American companies can ignore.
One of the biggest problems in preparing to safeguard data under the GDPR is that there are many conflicting sources that differentiate on how the regulation will be interpreted by EU authorities. There is no precedent to go by, and it is difficult to predict how ambiguous terms will be applied in each context. Unfortunately, this grey area in interpretation means that the earmarking of funds for ensuring compliance is necessary for all types of organizations. These regulations will have an enormous impact on future business with the EU, and it is important that companies look ahead before it is too late to do so.
Student Bio: Marco is a staff member of the Journal of High Technology Law. He is currently a graduating 3L who is concentrating in intellectual property law, and conducting a semester in practice working for the legal department of Medicines for Malaria Venture, an NGO located in Geneva, Switzerland. Marco is also the Vice President of the Italian-American National Bar Association.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.
