Do I really have to worry about the new European privacy rules?

Is it finally time to pay attention to European efforts to regulate privacy? At least according to pwc, the answer is yes.

Let’s face it – many Europeans regarded the former “Safe Harbor” as a loophole big enough to drive a truck through, and many US companies quietly agreed by effectively ignoring it. The GDPR is an attempt to address that more effectively, at least with respect to American companies with assets in Europe, particularly behemoths like Google and Facebook. As of May 25, 2018 most processing of European personal data will have to comply with the GDPR (General Data Protection Regulation), including processing by US-based companies. There are a few reasons for US companies to be more concerned about the GDPR than previous efforts to regulate privacy:

  • The GDPR has the effect of law, without the need for individual (and often inconsistent) country legislation.
  • All businesses which “target” EU nationals are subject to the regulation, no matter where they are based.
  • The fines have been increased significantly and can be tied to worldwide revenue, to ensure that they are meaningful for even the largest of companies.

Of course, it’s easy for EU officials to threaten Google, which has at least four data centers located in the EU, each presumably worth many millions of dollars. It’s a little harder for them to penalize US companies which don’t have assets on the ground in the EU, particularly given that US courts are likely to be skeptical of attempts to enforce the regulation against companies with no offices in Europe. So, how do you know if you should be worried about the GDPR? If you answer yes to any of the following you need to start getting your privacy house in order:

  • Do you have assets in Europe? As already noted, you should be GDPR compliant unless you’re willing to kiss those assets goodbye without compensation.
  • Do you have personnel in Europe? Even with limited assets on the ground, you need to consider the risk to your employees, and the subsequent risk to your company if they are penalized and decided to sue.
  • Is the European market is important to you, or is it expected to be important to you in the future? Obviously, an adverse judgement in the EU could result in loss of any European-based revenue, to say nothing of the loss of customers due to bad publicity.

Notwithstanding the hype, companies with no footprint in Europe and minimal aspirations of success in the European market probably have little to fear from the GDPR. That being said, given increasing concern over privacy on this side of the ocean, even those companies may want to consider implementing some of the GDPR requirements, to minimize any penalties and to make compliance easier if and when it becomes necessary. Besides, better privacy practices may well make business sense for a lot of US companies.