Discusses the General Data Protection Regulation covering new requirements for organizations that process EU individuals’ personal data.
Last Published: 8/15/2019
As of 25 May 2018, the General Data Protection Regulation (GDPR) applies in the EU. The GDPR is a horizontal privacy legislation that applies across sector and to companies of all sizes.  It replaces the previous data protection Directive 1995/46. The overall objectives and underlying principles of the legislation remain the same.  Businesses must inform consumers that they are collecting personal data, have a legal basis to process and retain the data. 

However, there are significant differences in definitions of key terminology.  The GDPR creates a number of new requirements for organizations that process EU individuals’ personal data.  Companies have an obligation to demonstrate their compliance, in part through a number of documentation obligations.  Data subjects have a number of rights which include access, correct, erasure of their personal data. 

The GDPR has extra-territorial reach, which means that it might be applicable to U.S. entities even if they do not have physical presence in Europe.  In that case, such organizations need to have a representative based in Europe, or in certain cases need to appoint a Data Protection Officer. 

Fines in case of non-compliance can reach up to 4% of the annual worldwide revenue or 20 million euros – whichever is higher.  Companies of all sizes and sectors should consider GDPR as part of their overall compliance effort with assistance of legal counsel.
 
The European Commission and Data Protection Authorities are releasing official guidelines to help companies with their compliance process (see resources below). Note: the EU is currently updating its e-privacy legislation governing confidentiality of communications.  This legislative instrument once enacted will add a number of requirements in addition to the GDPR.  We encourage U.S. exporters to monitor this situation as it evolves through the EU legislative process.

For more information:
Full GDPR text
Official Press Release

European Commission guidance:
http://ec.europa.eu/justice/smedataprotect/index_en.htm
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

Transferring Customer Data to Countries outside the EU
The General Data Protection Regulation (GDPR) provides for the free flow of personal data within the EU but also for its protection when it leaves the region’s borders.
 
The GDPR (Chapter 5 - Article 44 onwards) sets out obligations on data controllers (those in charge of deciding what personal data is collected and how/why it is processed), on data processors (those who act on behalf of the controller) and gives rights to data subjects (the individuals to whom the data relates). These rules were designed to provide a high level of privacy protection for personal data, and were complemented by measures to ensure the protection is maintained when data leaves the region, whether it is transferred to controllers, processors or to third parties (e.g. subcontractors).  EU legislators put restrictions on transfers of personal data outside of the EU, specifying that such data could only be exported if “adequate protection” is provided.

The European Commission (EC) is responsible for assessing whether a country outside the EU has a legal framework that provides sufficient protection for it to issue an “adequacy finding” to that country. The U.S. has never sought to be found adequate by the EC. This means that U.S. companies can only receive personal data from the EU if they:
 
  • Join the EU-U.S. Privacy Shield program, or
  • Provide appropriate safeguards (e.g. contractual clauses, binding corporate rules), or,
  • Refer to one of the GDPR’s derogations,
European Commission’s webpage on transfers outside the EU and all mechanisms outlined below:

Data Transfers Outside of EU

Important note:
The legal environment for data transfers to the United States continues to evolve. Companies that transfer EU citizen data to the United States as part of a commercial transaction should consult with an attorney, who specializes in EU data privacy law, to determine what options may be available for a particular transaction.

About the EU-U.S. Privacy Shield
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
For more information on the EU-U.S. Privacy Shield
For more information about other mechanisms of transfer, please refer to:
Transferring Personal Data from EU to U.S.
 

Prepared by the International Trade Administration. With its network of more than 100 offices across the United States and in more than 75 markets, the International Trade Administration of the U.S. Department of Commerce utilizes its global presence and international marketing expertise to help U.S. companies sell their products and services worldwide. Locate the trade specialist in the U.S. nearest you by visiting http://export.gov/usoffices.