As someone new to the US, it surprises me that lawyers and law students, even those interested in the technology sector or in privacy law, often have no reaction to the ‘GDPR’ or other aspects of EU privacy and data protection legislation. The purpose of this article is to convince you to care about this suite of EU legislation which has noticeable global implications.
Professor Anu Bradford noted the “unprecedented and deeply underestimated global power that the European Union is exercising through its legal institutions and standards, and how it successfully exports that influence to the rest of the world”. She calls this phenomenon the ‘Brussels Effect’.
The following laws are important manifestations of the ‘Brussels Effect’ phenomenon, and in particular, they will substantially affect the scope and contours of US technology companies’ legal obligations.
Key differences between EU and US privacy law
The major difference between the US regulatory regime and the EU’s is the scope of the law. As Professors Daniel Solove and Paul Schwartz observe, US privacy law is regulated “through narrow sectoral laws that focus on specific industries or specific contexts for the use of personal data”. For example, there are separate privacy laws regulating medical information, the collection, use or disclosure of financial information by financial services providers, and other specific contexts.
By contrast, the EU conceives privacy law’s scope broadly, expressing its regulatory preferences with comprehensive “omnibus” laws that regulate personal data collection, use, storage, and disclosure. The General Data Protection Regulation, which will take effect by May 2018, applies to “all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location”. This means the likes of Facebook, Google, Twitter and any company with operations within the EU that processes personal data will be within the scope of the GDPR.
The EU’s regulatory model paints with broad strokes, and as Solove and Schwartz point out, “hardly anything escapes EU privacy regulation. There are few gaps and inconsistencies under the EU approach, a stark contrast to the U.S. approach where such gaps and inconsistencies are legion”.
Fine for non-compliance
There is one further compelling reason to pay attention to EU privacy laws. It answers the obvious question in most people’s minds: so what if I just carry on as normal?
Article 83 of the EU GDPR is the single provision most likely to cause boardrooms across the country to take notice of the reach of EU law – it provides that non-compliance with the Regulation can cost a company up to 4% of annual global turnover or €20 Million (whichever is greater). For example, given Google’s 2016 revenue (turnover) of just under US$90 Billion, a 4% fine amounts to about US$3.6 Billion. Clearly, compliance with this law should not simply be regarded as a job for the ‘IT department’, as might otherwise be assumed, because a fine that high does noticeable damage to a firm’s balance sheet.
For example, it seems imperative that lawyers advising US companies on prospective mergers or acquisitions take note of the EU aspects of privacy due diligence for their transactions. Any dormant, undiscovered privacy issues can prove costly to a prospective acquirer.
Especially where US companies have subsidiaries incorporated within the EU, such as in Ireland, the prospect of the EU’s long regulatory arm reaching out to ‘touch’ a US company with a steep sanction – not unheard of given Google’s and Intel’s recent antitrust experience with the EU – requires US lawyers to get up to speed with EU privacy law.