The GDPR, Europe’s most comprehensive data privacy law, was adopted in 2016 and has applied since 25 May 2018. Because regulators and businesses are still settling how it is enforced in practice, there is considerable uncertainty over its requirements, especially among non-European businesses.
The GDPR has far-reaching consequences. Its applicability is not limited by the physical boundaries of the European Union (EU) or the European Economic Area (EEA). It reaches companies based in the USA, the EU’s biggest trading partner, as well as in Canada and elsewhere in the world.
WHO NEEDS TO COMPLY WITH THE GDPR?
Broadly speaking, the GDPR can apply to Canadian and US companies because it is extra-territorial in scope.
Specifically, Article 3(2) of the GDPR extends the law to the “processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union”. The law therefore applies to controllers and processors outside the EU, including those established in the USA and Canada, whenever that processing meets the conditions described below.
Not every US or Canadian company, however, needs to know the GDPR inside out. The law is only relevant to companies dealing with information on certain “data subjects”: it covers the processing of personal data of anyone who is physically in the EU or EEA, including citizens, residents, and even visitors.
Thus, an American or Canadian company must comply with the GDPR regardless of its size or revenue as soon as it processes the personal data of data subjects who are in the Union in one of the ways described below.
One size-based relief does exist: businesses with fewer than 250 employees are not required to keep a written record of their data-processing activities, provided that the processing is only occasional, is unlikely to pose a risk to the rights and freedoms of data subjects, and involves no special categories of data.
WHAT IS CONSIDERED PERSONAL DATA & ITS PROCESSING?
A controller or processor outside the EU is brought into scope when its processing of personal data relates to at least one of these two activities:
- The offering of goods or services to EU/EEA data subjects, whether or not a payment is required in the transaction.
- Monitoring of user behavior, as long as the behavior takes place within the EU/EEA.
Personal data is any information relating to an identified or identifiable individual. This includes names, contact information, photographs and videos, as well as device and technical details such as IP addresses, location data, and biometric information. A person’s e-mail address in a marketing list is personal data.
Most privacy laws also single out special categories of personal data. Under the GDPR these include health and medical records, genetic and biometric data, and data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life or sexual orientation; such data may only be processed under narrow conditions. Children’s personal data is not a special category as such, but it is given additional protection, notably around consent for online services.
Aside from these identifiers, the GDPR also covers the monitoring of user behaviour. Examples are tracking visitors to a website with cookies and using algorithms that predict preferences for targeted advertising. Online businesses commonly use these techniques to boost performance and website traffic, and doing so for visitors located in the EU/EEA is itself a trigger for the GDPR.
Any online business or website that targets persons in the EU, or monitors their behaviour there, will need to comply with the GDPR if any of the conditions above are met.
The GDPR applies to both the controller and the processor of personal data. “Processing” is defined broadly and includes the collection, recording, organisation, storage, retrieval, use, alteration, or disclosure of any data that relates to an identifiable individual.
A controller is the party that determines why and how personal data is processed; a processor handles the data on the controller’s behalf. A clothing business gathering e-mail addresses for sales and a marketing list is a controller. The shipping company and the third-party payment provider it uses are processors of that personal data.
Data processing also extends to internal company information. Large online businesses with agents or employees in the EU are likewise required to have measures in place for the handling, storage, transfer, and use of employee personal data.
Here are several scenarios illustrating data processing activities and the GDPR:
- A California-based specialty store ships electronics to Paris, Berlin, and other European cities. Because it offers goods to customers in the EU, it must comply with the GDPR.
- A Montreal-based online tutoring service caters only to customers in the surrounding region. The personal data of individuals who happen to reach the website from Europe is not covered by the GDPR, because the service does not offer goods or services to EU/EEA data subjects. Note that this changes if the site tracks the behaviour of those European visitors, for example through advertising cookies, since monitoring is the second trigger described above.
- A Canada-based freelance writer publishes in French and accepts commissions from French publishing houses. The GDPR applies because the offer of services is directed at data subjects in the Union.
GDPR NON-COMPLIANCE PENALTIES AND CONSEQUENCES
Non-compliance with the GDPR carries heavy consequences. The most serious infringements can attract an administrative fine of up to €20 million or 4% of annual worldwide turnover, whichever is higher; a lower tier of up to €10 million or 2% of worldwide turnover applies to other breaches such as failing to keep records or to notify a breach.
In most cases the law also requires a controller or processor outside the EU to appoint a representative physically located within the EU/EEA, which gives regulators a point of contact and facilitates enforcement. The exemption is narrow: it covers only occasional, low-risk processing that involves no large-scale use of special categories of data. Where a company does have assets in the EU/EEA, such as bank accounts or real estate, a fine can be enforced against them.
For online businesses and websites with no physical presence in the EU, enforcement depends on cooperation between regulators and on the mutual legal assistance treaties the European Union has with many countries, including the US and Canada.
Always be cognizant of the data protection rules of the countries in which you conduct business. Ignorance of the law is no excuse, and unsolicited online marketing to people in the EU is one of the easiest ways to fall foul of it.
For further information, please contact
Atlantic Online
and we would be pleased to provide further clarification.