The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the European Union’s (EU) new privacy law set to go into effect on May 25, 2018. For the EU’s single market countries, the GDPR establishes protection for the privacy and security of an individual’s personal data. However, because of extraterritorial jurisdiction, United States (US) organizations accessing and using EU citizen information could be subject to the GDPR.
Controller vs. Processor
The GDPR has direct extraterritorial reach over a “controller” or “processor” organization located outside the European Union if the organization offers goods or services, even for free, to individuals in the EU. As defined by the GDPR, a “controller” is an organization that determines the purpose and means of processing information. A “processor” organization processes personal data on behalf of the controller under the controller’s instruction. For example, a bank (controller) collects the data of its clients when they open an account, but it is another organization (processor) that stores, digitizes, and catalogs all the information produced by the bank.
GDPR Website Regulations
An organization using a website to offer goods and services to EU individuals also falls under GDPR regulations. These websites can be identified by their use of language, the ability to order goods and services in the currency of one or more EU member states, and the acknowledgment of consumers who live in the EU. Therefore, an English-language website marketed to US consumers, or to US business-to-business transactions, in American dollars only would not be subject to the GDPR.
There are still many questions on how the EU will enforce actions against US organizations that do not follow the GDPR requirements, but it is important that you review by May 25th all aspects of your organization’s physical and digital data processing if you are accessing EU citizen information.
Author Scott Chase is a health law and corporate attorney at Farrow-Gillespie & Heath. Scott has been named to the lists of Best Lawyers in America, Texas Super Lawyers, and Best Lawyers in Dallas in every year for more than a decade.
Co-author Tahlia Clement is an intern at Farrow-Gillespie & Heath LLP. A second-year law student, she currently serves as Editor in Chief of the SMU Dedman School of Law’s Science and Technology Law Review.