I recently wrote about a series of incoming and existing California privacy laws that will require massive compliance shifts for companies across the globe. California has the most robust privacy law of any jurisdiction in the United States and second in scope only to the European Union’s General Data Protection Regulation (“GDPR”), a groundbreaking EU privacy and data security regulation that went into effect on May 25, 2018.
To an even greater extent than California’s laws, the GDPR has a truly global reach. Companies with absolutely zero footprint in the EU can be subject to compliance with this vast and complex law. I cannot emphasize this point enough. Even companies with only U.S. presences who only sell goods in the U.S. could be subject to the GDPR. The same goes for businesses in China.
What international companies need to be concerned about is whether they engage in conduct that triggers GDPR compliance, which according to GDPR Article 3(2) could happen even for companies with zero presence in the EU:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behavior as far as their behavior takes place within the Union.
This is a very broad jurisdictional “hook” and it means that a company offering goods or services—even for free—to EU residents can be subject to GDPR. Selling or even offering for sale any products in the EU—even from the U.S. or China—could subject an international operator to GDPR compliance. There is no threshold of goods that must be sold to trigger GDPR compliance, so even a few sales could theoretically require compliance.
The monitoring component is also important for companies to consider. Companies may use marketing tools to “profile” potential customers online. Applying these tools to EU residents could be another way to land yourself in GDPR compliance territory.
So, what if a U.S.-based company imports manufactured goods from China? That alone is probably not sufficient to require GDPR compliance. But if that same company wants to resell those goods into any EU member state, it should figure out whether it fundamentally needs to change how it operates and processes data. GDPR compliance can literally touch almost every aspect of operations.
If that same company fails to comply with the GDPR’s massive requirements, it can be subject to massive penalties. First, effected EU residents may bring actions against the companies. Second, the companies could be subject to fines (see Article 83(4)–(5)) as high as €20,000,000 or four percent of a company’s annual turnover (i.e., its gross revenues). As GDPR is so new, we don’t yet know what enforcement will look like against U.S. companies, but it’s probably safe to say that these high penalties will be reserved for the bigger and more egregious violations.
We also don’t yet know how foreign fines or judgments will be dealt with in the U.S. or other countries such as China. In other words, will a U.S. court enforce these fines or judgments against U.S. companies? But even if they do not, you and whatever assets you have in the EU will be at risk.
The bottom line is that doing business in the EU subjects international companies to onerous compliance requirements and though the full picture of exactly what enforcement will look like is not yet clear, we expect European regulators will take a hard line against U.S. companies that sell products in the EU or monitor their residents.