Emerging Markets Law

How New EU Data Privacy Rules May Apply to Your U.S. Business

Man looking at data

If you use any online services such as Facebook or Google, you may have seen new tools and products relating to your account privacy settings recently, along with a tweak to privacy policies and terms of use.

These changes are driven by new Europe-wide privacy regulations coming into effect in May.

It’s clear that the giants of the online world have to comply with those rules.

What has been less clear is that many, many companies that don’t focus their efforts online may also have to comply.

The new General Data Protection Regulation (“GDPR”) covers collection and processing of “personal data” of EU residents. The new rules replace a twenty-year-old privacy framework that launched at about the time the public Internet did.

The new law reflects the massive growth of online services since then, the growing use of personal consumer data across a wide variety of businesses, and the desire of European regulators to protect their citizens against these increased methods to access and use their data.


The rules apply to any information that identifies or can be used to identify a natural person.

Even if that information cannot identify someone on a standalone basis, it may be considered protected information if it could be used in combination with other information to identify someone.

This goes well beyond name, email address, and credit card number to capture cookie data, IP address, biometric information, location data, and other material not generally considered “personal” in the US.


If your business receives or performs any operations on “personal data” of EU citizens, you may be subject to the new laws, even if all your operations are in the US and even if your connection to the data is passive. (For example, exporting personal data by storing or transmitting it in the cloud on non-EU servers could trigger the law’s requirements.)

In addition, you may become subject to the requirements of the law if your suppliers or customers impose the law’s standards on you by contract in order to protect themselves. The rules impose numerous technical requirements regarding planning and assessment of data collection, security, and use; may require appointment of a Data Privacy Officer; give EU consumers a “bill of rights” regarding how their information is used; and require notice of data breaches within 72 hours.


The new rules are designed to increase the reach of the EU regulators, to protect a wider variety of information, and to make non-compliance hurt. The GDPR provides for penalties up to €20 million or 4 percent of global revenue (whichever is higher) for non-compliant handling of EU personal data.

The effort to achieve compliance will require legal, technical, and other resources.

If your company has a website, employs online or email marketing, deals with overseas partners or customers, uses cloud storage or transmission, or otherwise has access to EU personal data, you need to be aware of these rules and their potential impact for you.

Likewise, if your business partners have significant overseas operations such as those listed, you may become subject to the new rules through your relationships. Either way, the potential penalties are serious and the potential for disruption and embarrassment serious.

Proper planning can help you evaluate whether you are subject to the new rules and how to address any gaps in your company.


Stay Connected

Subscribe to blog updates via email