Reading the news today, it would seem we have all fallen subject to European Union control. Why do I say this? On May 25, 2018, the European Union’s General Data Protection Regulation (“GDPR”) took effect. (This has much to do with why we are all seeing several emails informing us of new privacy policies and pop-ups about cookies).
Many news outlets and cyber-pundits would have you panicking with the thought that “everyone who does business on the internet” is subject to the GDPR’s broad reach and stiff fines. In one podcast, a commentator from Europe suggested that European regulators may show up on the doorsteps of American companies to perform data privacy audits; and that he claimed several companies could be bankrupted by fines for non-compliance.
Indeed, the GDPR is broad in scope. It purports to apply to any company, throughout the world, that possesses, controls, or processes data of any EU citizen. The maximum fines are indeed stiff. Under Article 83, non-compliance can lead to fines of up to the greater of 20 Million Euros or 4% of a company’s annual worldwide revenue. But for U.S. business owners, particularly those of small and medium-sized companies (“SMEs”), before you panic (and putting aside, for now, the question of whether your company should come into compliance), the first question you need answered is whether you are required to comply.
The GDPR is set out in 99 separate Articles. Article 3 outlines the regulation’s territorial scope and describes three main categories of companies covered by the GDPR: (1) Any company in the EU that controls or processes data of anyone, anywhere; (2) Any company, anywhere in the world, that controls or processes data of anyone in the EU to offer goods or services; and (3) Any company, anywhere in the world that monitors individuals in the EU. On its face, Article 3 would purport to make the GDPR applicable to almost any company doing business on the internet. After all, the internet’s broad reach makes it possible for virtually any company to offer goods or services in the EU, even if that offer is incidental and not specifically intended. Most so-called experts want you to believe this broad reach obligates virtually every company with a website to comply with the GDPR. But, before we all start panicking, let’s take a closer look at trying to decipher Article 3.
Within the GDPR there are 173 paragraphs of “Recitals” which help to provide clarity to interpret the GDPR’s 99 Articles.
Recital 23 also speaks to the territorial reach and helps us add clarity to identify who is considered to “offer goods or services” to EU residents. To determine whether a company is offering goods or services to EU residents, you first must ascertain whether the company intends to offer the goods or services to EU residents. Recital 23 says the mere fact a website is accessible by EU residents is “insufficient to ascertain such intention.”
Recital 23 describes factors that might weigh in on the determination. Such factors may include whether a website: (i) uses the language of an EU Country; or (ii) allows purchases in the local currency of an EU Country; or mentions other customers or users who are in the EU. The list is likely not exhaustive. A company having a website domain suffix of an EU Country, for instance, is probably intending to reach EU residents.
As I read Recital 23 and Article 23 together, a company outside the EU only becomes subject to the GDPR if that company people in the EU. Broad internet marketing doesn’t suffice. Consider, for example, a company here in the U.S. that operates a website selling bar exam preparation courses for prospective U.S. attorneys. The company’s webpage is written in English, it only directs marketing and search optimization campaigns to U.S. residents, and only sells products in U.S. Dollars. I doubt that company falls under the GDPR, even if the occasional resident of Germany or Estonia finds the company through a Google search and makes a purchase on the company’s website. (This is especially so, given that the company sells courses to help customers obtain a U.S.-based professional designation.) Of course, the analysis totally changes if the company operates a German language website, has a “.de” domain suffix, sells products in Euros, and references the success of other German customers.
What if I’m wrong and EU regulators find companies like those in our fictitious example subject to the GDPR? Should companies worry about EU regulators showing up in their offices here in the U.S. or issuing multimillion dollar fines? First, there are serious questions to be sorted out as to whether the EU has any jurisdiction over any U.S. company that does not purposely avail itself of EU law by specifically targeting EU residents. There are certainly questions as to whether the EU has any authority to fine U.S.-based companies over which it has no jurisdiction.
In fact, EU member Countries are likely to struggle with this same issue. Recital 151 notes that “the legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation.” Competent national courts in those countries are admonished to “take into account the [GDPR’s supervisory authority’s] recommendation” to issue fines. How unlikely is the possibility that court in Denmark or Estonia may refuse to follow the recommendation of an overly zealous EU regulator from Italy, Lithuania, or some other EU Country to fine a local company into bankruptcy (as suggested by the podcaster that I referred to above)?
Regardless of the EU’s view, I’m certain U.S. Companies can find competent counsel to challenge the reach of the GDPR here in U.S. Courts. And, I doubt many U.S. Courts will blindly enforce foreign judgments from the EU which are excessive or which are entered without regard to proper jurisdiction and due process concerns.
The point is that there are many issues regarding territorial reach and enforcement that still need to be sorted out. I don’t think now is the time for U.S. based SMEs to panic. We already have plenty to worry about with U.S. regulations and the ever-changing threats presented by U.S. based litigation – such as the recent spate of ADA Website Compliance lawsuits. Instead, companies that are not targeting EU residents should take this opportunity to view the GDPR as an example of “best practices” for handling data and privacy issues. For many companies, who envision doing business with the EU market in the future or who do business with other companies who do business with the EU, compliance will ultimately be required. And, here in the U.S., we may very well see a U.S. regulation modeled on the GDPR. Making the effort and investment and effort to achieve compliance should be a goal, regardless of the requirements. But don’t expect any EU regulators to show up on your doorstep next month.
Have you read?