EU Data Law Takes Effect

You may have read that a 2016 European Union law that goes into effect on May 25, 2018, could regulate companies doing business in the United States. Called the General Data Protection Regulation, or “GDPR,” the law is aimed at protecting the personal privacy rights of all EU residents. Here are some quick points to understand about this EU law.

What is GDPR?

GDPR creates rules for data protection for all EU member states and applies to any company that processes the personal data of individuals in the EU, even if the company is not in the EU. That means businesses in the United States that have no offices in the EU can be subject to GDPR if personal data of an EU-residing individual is processed in the United States.

How can this law apply to businesses in the US?

If a US-based company sells goods or services to EU residents and collects data about those individuals, even if they are in the EU at the time, then the US-based company could be deemed by the EU to be subject to GDPR. That data can be as innocuous as e-mails or a home address. There will doubtless be litigation over the EU’s ability to enforce this EU law in the United States against US companies that do not intend to do business in the EU but still process personal information regarding EU residents.

Why should we care?

Importantly, an individual may request in certain circumstances that they be “forgotten”—meaning all of their personal information be deleted from servers, databases, etc. Compliance with this request is to be done “without undue delay” and specifically within a month of the request. This means that US companies should now know exactly what data is collected, where it is stored, and how it is used. Penalties for noncompliance are up to 4 percent of a company’s worldwide revenue or 20 million euros, whichever is higher.

What about business contacts?

GDPR does not extend to businesses. It only applies to real people and their personal information. If, as an example, a supplier in Germany sends a US company information about a product or service, then the identity of that German salesperson is not subject to GDPR. Similarly, business agreements with companies signed by officers who may be EU residents are not subject to GDPR because the US company has a reason to keep that information.

For more information regarding GDPR and how it may impact your business, please feel free to contact BrownWinick Law Firm at 515-242-2400 or visit, or consult with your attorney.