Head of Business Analysis
GDPR, the European Union’s signature data protection law, which came into force in the spring of 2018, has been called by some experts one of ‘the biggest changes to US privacy law’. However, the GDPR compliance challenges facing US companies really derive from the fact that many American companies don’t realize that GDPR applies to them at all. So, let’s look at some of the challenges thrown up by GDPR, along with which US companies may be implicated.
The first point that American companies need to know is that GDPR applies to companies outside the EU, even those that have no European presence and don’t sell their product in the eurozone. This is a major challenge for US companies, since many think (wrongly) that because they aren’t in Europe, they don’t have to worry about GDPR. At the same time, the EU is getting more aggressive, with over $400 million in fines levied against US companies in 2019.
One of the biggest GDPR compliance challenges is knowing when GDPR is triggered. Some American GDPR experts have said that it only applies when processing the data of EU citizens, which is not exactly true. In short, there is a lot of misinformation out there because, like any law, there is some room for interpretation of the text. However, what is clear is that GDPR is triggered when data is collected in Europe.
The full reach of GDPR is still being debated four years after it came into effect. However, one thing that is perfectly clear is that GDPR applies to the data of EU data subjects. This means both EU citizens and EU residents, regardless of where the data is collected or processed.
This means that if you have, for example, one EU citizen in your user base, GDPR applies to you even if that customer lives in the US. But it gets even more complicated. Firstly, there is UK GDPR, which is essentially a copy/paste of the EU law and which applies to UK citizens no matter where they live. And, to make things even more complicated, there is an argument about what the term "data subjects" actually means, given that there is no clear definition in the law. This means the definition will be established over time through court cases and fines.
American companies can’t know whether their customers are EU data subjects because the definition is unclear. They can't even know whether their customers are EU or UK citizens, since that data is not normally collected in the onboarding process, and it's a challenge even to get a simple count of how many Americans hold EU passports.
However, changes closer to home could mean that GDPR compliance is critical even if you're sure you have no EU citizens as users. New privacy rules like the CCPA in California mean that a GDPR-like regime is coming to the US anyway. Given the size of GDPR fines ($24 million), it makes sense for most US companies to come into compliance.
By coming into compliance, US companies can open a new market, because once you are compliant you can do business in Europe. Compliance also future-proofs your business, since new initiatives like the CCPA are based on GDPR.