The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is an EU law on data protection and privacy for individuals within the European Union. It also governs the transfer of personal data outside the EU. Its primary aims are to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying data-protection rules across the EU. It was adopted on 14 April 2016 and, after a two-year transition period, becomes enforceable on 25 May 2018.
Personal data is any information relating to an identified or identifiable natural person (Article 4(1)). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as an IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
While it may seem that businesses in the United States have little to worry about from what is happening in Europe, we are certain that over the past several weeks you have received a swarm of messages from service providers asking you to read and accept their revised privacy policies. You may also have noticed the pop-ups asking you to accept website cookies. This is because, even though the GDPR is a European regulation, it also applies to organizations outside the EU that offer goods or services to individuals or businesses in the EU, or that monitor the behaviour of people in the EU (Article 3(2)). Note that the regulation protects people located in the EU, not only EU citizens. This means you can be liable if a person in the EU uses your website and you collect their personal data in one of those ways. More importantly, as commercial activity continues to internationalize, companies will inevitably need to adopt measures to protect personal data, keep users informed of what personal data is collected and when and how it is used, and allow them to withdraw their consent at any time.
One part of the GDPR (Recital 30) notes that natural persons may be associated with online identifiers, including but not limited to Internet protocol addresses and cookie identifiers. In practice, when a cookie can single out an individual through their device, it is personal data and falls under the GDPR. For websites this means complying with the following:
The GDPR's cookie rules apply to websites in all EU member states and to websites outside the EU that target people within EU member states. Under Article 3 of the GDPR, a company outside the EU is subject to the regulation if it offers goods or services to people in the EU or monitors their behaviour there, and collecting behavioural information from visitors in an EU country through tracking cookies is likely to count as such monitoring. In other words, you do not need to deliberately target an EU audience: tracking and profiling visitors who happen to be in the EU can bring you within scope. Therefore, the sensible approach for US companies that operate websites in the US and other countries outside the EU is to ensure that they have an appropriate cookie policy and a technical mechanism to enforce it.
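To make the "mechanism to enforce it" concrete, here is an added example (not code from the original post or from Global Reach): a small consent gate for browser cookies. It classifies cookies as essential or non-essential, refuses to set non-essential ones until the visitor has opted in, and expires them again when consent is withdrawn, so withdrawal is as easy as consent. The cookie names, the `cookie_consent` marker and the in-memory jar are hypothetical; in a browser you would pass an adapter around `document.cookie` instead.

```javascript
// Added example, not from the original post: a consent gate that blocks
// non-essential cookies until opt-in and purges them on withdrawal.
// Cookie names and categories below are hypothetical placeholders.

// Cookies the site cannot function without; everything else needs consent.
const ESSENTIAL_COOKIES = new Set(["session_id", "csrf_token", "cookie_consent"]);

// Parse a "name=value; name2=value2" string (the shape of document.cookie).
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Minimal stand-in for document.cookie so the example runs outside a browser:
// assigning "name=value; attrs..." adds or overwrites one cookie, Max-Age=0 deletes it.
class MemoryCookieJar {
  constructor() { this.cookies = new Map(); }
  get() { return [...this.cookies].map(([k, v]) => `${k}=${v}`).join("; "); }
  set(str) {
    const [pair, ...attrs] = str.split(";").map((s) => s.trim());
    const idx = pair.indexOf("=");
    const name = pair.slice(0, idx);
    const value = pair.slice(idx + 1);
    const expired = attrs.some((a) => /^max-age=0$/i.test(a));
    if (expired) this.cookies.delete(name); else this.cookies.set(name, value);
  }
}

// In a browser, pass: { get: () => document.cookie, set: (s) => { document.cookie = s; } }
class ConsentGate {
  constructor(jar) { this.jar = jar; }

  hasConsent() { return parseCookies(this.jar.get()).cookie_consent === "granted"; }

  // Returns true if the cookie was set, false if it was blocked for lack of consent.
  setCookie(name, value) {
    if (!ESSENTIAL_COOKIES.has(name) && !this.hasConsent()) return false;
    this.jar.set(`${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`);
    return true;
  }

  grantConsent() { this.jar.set("cookie_consent=granted; Path=/; Secure; SameSite=Lax"); }

  // Withdrawal records the choice and expires every non-essential cookie.
  withdrawConsent() {
    for (const name of Object.keys(parseCookies(this.jar.get()))) {
      if (!ESSENTIAL_COOKIES.has(name)) this.jar.set(`${name}=; Max-Age=0; Path=/`);
    }
    this.jar.set("cookie_consent=withdrawn; Path=/; Secure; SameSite=Lax");
  }

  names() { return Object.keys(parseCookies(this.jar.get())); }
}

// Walk-through on the in-memory jar (constructed sample, not real traffic).
function demo() {
  const gate = new ConsentGate(new MemoryCookieJar());
  const trace = [];
  trace.push(gate.setCookie("session_id", "abc123"));   // essential: allowed
  trace.push(gate.setCookie("_analytics_id", "u-42"));  // tracking: blocked
  gate.grantConsent();
  trace.push(gate.setCookie("_analytics_id", "u-42"));  // now allowed
  gate.withdrawConsent();                                // tracking cookie removed
  return { trace, remaining: gate.names() };
}
```

The important design point is that the gate is the only code path allowed to write cookies: analytics and advertising scripts should be loaded through the same check rather than writing `document.cookie` directly, otherwise the banner records consent without actually enforcing it.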
Under Chapter 5 of the GDPR (Article 50), enforcement outside the EU is intended to result from steps taken by the European Commission and the supervisory authorities to:
While there are ways to enforce EU judgments in the US, this depends on a number of factors, including how vigorously each member state's supervisory authority pursues the GDPR violations in question, whether the US entity has a presence in the EU, and whether reciprocity will allow US courts to enforce EU judgments. Since this area has not yet been tested, the sensible approach for website operators in the US and other countries outside the EU that target EU customers is to take their own legal advice and to keep that advice under review as implementation of the regulation progresses.
In an effort to ensure that you are compliant with data-privacy regulations in relation to the services that Global Reach provides to you, we have taken the following proactive measures: