General Data Protection Regulation

The European privacy law that may affect USA business

In early April, the Italian government's privacy watchdog blocked the artificial intelligence (AI) software ChatGPT due to concerns about data privacy. After a few days, the AI platform became available again, but the company still has to face issues regarding the data protection of European citizens mandated by the GDPR.

The GDPR (General Data Protection Regulation) is the most stringent privacy and security law globally. Although it was drafted and passed by the European Union (EU), it imposes obligations on organizations worldwide as long as they target or collect data pertaining to individuals from the EU. The regulation came into effect in May 2018 and carries severe fines for those who violate its standards. Penalties can reach into the tens of millions of euros. European privacy agencies may also impose restrictive measures on data processing, including an outright ban on its use.

In January 2019, the French Data Protection authority fined Google €50 million for violations related to transparency and consent, marking one of the largest fines issued under the GDPR at that time. British Airways and Marriott International also faced substantial fines—£20 million and £18.4 million respectively—from the UK Information Commissioner's Office for data breaches that exposed personal data of their clients.

Although it may be assumed that only multinational companies are at risk of incorrect GDPR application, even small companies, particularly in e-commerce, must consider adapting to this legislation. While the GDPR does not directly apply to organizations outside the EU, many US websites and businesses with EU users or customers opt to comply with its principles and requirements to continue serving EU customers and avoid potential legal issues.

When the GDPR came into force, US newspapers encountered visibility issues in Europe, and more recently, an American company developing game apps was banned from using data, in order to protect minors. The European legislator pays significant attention to the personal data of its citizens and extends protection beyond the Union's borders.

So, what does the GDPR require of US companies seeking a presence in Europe, even if it's solely through a website? Even a website can collect vast amounts of information about visitors and create profiles through cookies, the first data collection tool. The GDPR does not impose specific obligations for compliance. Each company must ensure minimum standards in data processing.

In a global context where personal data is the "fuel" of the internet and data theft is a prevalent crime, adherence to the GDPR can serve as an ethical and reputational tool for companies in caring for and protecting their customers. Therefore, US companies should apply the GDPR to maintain a good reputation, build trust with EU customers, and avoid legal issues. Additionally, GDPR standards can provide a competitive advantage, particularly in industries where data protection and privacy are important to customers. By demonstrating a commitment to safeguarding personal data, companies can attract privacy-conscious consumers and differentiate themselves from competitors.

Implementing a solid privacy and cookie policy is crucial for companies. However, it is essential to avoid copy-pasting forms. The GDPR is a tool that requires customization based on each company's specific data needs. A company selling clothes, for instance, has different data requirements than a company dealing in healthcare or food.

Some US states, such as California with the California Consumer Privacy Act (CCPA), have implemented their own data protection laws that share similarities with the GDPR. By adopting GDPR principles, US companies can streamline their compliance efforts and ensure consistency across multiple regulations, eliminating the need for separate compliance strategies and reducing the risk of warnings or fines from European authorities.

Gianni Dell’Aiuto – Lawyer

Privacy Advisor