
Regulatory Landscape Part II: Extra-Territorial Application of GDPR


The European Union's General Data Protection Regulation (GDPR) applies to the processing of personal data of data subjects who are in the European Union (EU), regardless of where the company doing the processing is located. Mere accessibility of a controller's, processor's or intermediary's website from the EU, the presence of an email address or other contact details on it, or the use of a language generally used in the third country where the controller is established, is not by itself enough to bring the processing within the GDPR's reach.

But an intention to offer goods or services to data subjects in the EU may be apparent if the controller: 1) uses a language or currency generally used in one or more EU member states, with the possibility of ordering goods and services in that language or currency; or 2) mentions customers or users who are physically in the EU. U.S. companies that solicit business from EU data subjects, or that receive transfers of their data, will have to examine their business models carefully to determine whether they have compliance obligations.

One question remains unanswered at this time: the GDPR does not spell out how the EU will obtain practical jurisdiction over a company with no EU establishment. Article 27 requires a controller or processor outside the EU that is subject to the regulation to designate a representative in the EU, but designating a representative does not answer the harder question. How does the EU enforce penalties against a U.S. company that has no presence in the EU, even though it is soliciting EU clients?

The GDPR allows fines of up to 20 million euros or 4 percent of a corporate group's total worldwide annual turnover for the preceding financial year, whichever is higher, a formidable penalty. A lower tier of fines (up to 10 million euros or 2 percent of worldwide annual turnover) applies to less serious infringements, and supervisory authorities can impose lesser penalties within those caps. It is not clear that such fines would be insurable, at least in the EU. Cyber insurance for legal liabilities and business expenses is available.

Statements concerning tax, accounting, legal or regulatory matters should be understood to be general observations based solely on our experience as reinsurance brokers and risk consultants, and may not be relied upon as tax, accounting, legal or regulatory advice, which we are not authorized to provide. All such matters should be reviewed with your own qualified advisors in these areas.

Developments in the Data Privacy Regulatory Landscape (Introduction)

Regulatory Landscape Part I: The New Privacy Order Created by GDPR

Regulatory Landscape Part III: New York Department of Financial Services Regulation

Regulatory Landscape Part IV: NYDFS Cybersecurity Act - Risk of Third Party Service Providers

Regulatory Landscape Part V: NAIC Model Law

Regulatory Landscape Part VI: California Consumer Privacy Law

Regulatory Landscape Part VII: Conclusion 
