Can EEA authorities really enforce the new data protection law directly against US and other non-EEA companies?
The new European data protection law, the General Data Protection Regulation or “GDPR”, was officially approved by the European Parliament on 14 April 2016 and will apply throughout the EEA from 25 May 2018. The legislation will have far-reaching implications for many, but one of its most intriguing aspects is its extra-territorial reach.
Entities anywhere in the world that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals in the EU, will be caught directly by the legislation and will have to comply with it. That scope is tremendously broad and it captures a colossal group of entities globally, each of which will need to observe the right to be forgotten, the data portability right, the right to object to profiling, the obligation to report certain data breaches to the supervisory authority within 72 hours, the obligation (for most of those non-EU entities) to designate a representative in the EU, and so on.
The authorities in Europe have been strident and uncompromising in their desire to ensure that European citizens' personal data are well protected in this increasingly digital and connected age. The unprecedented extra-territorial reach of the GDPR is perhaps the logical conclusion of that approach.
At a Westminster Forum conference last week, the message from Christopher Graham, the Information Commissioner himself (the head of the ICO, the UK data protection regulator), was crystal clear: his office will have a remit to pursue companies outside as well as within the EEA, and it will use it.
There are, though, unanswered questions around resourcing and how much "overseas action" the ICO and its counterparts in other European countries will be able to take on. The ICO already works closely with the Federal Trade Commission and other non-European agencies and will continue to do so, but it and the other EEA regulators will inevitably have to pick their battles.
There is also the possibility that the US and other non-EEA countries may bring in legislation to blunt the impact of the GDPR within their borders. For example, such legislation could provide that data protection judgments issued by EEA courts will only be enforced locally if the “wrongdoing” to which the judgment relates would also be actionable under the laws of the US (or other non-EEA country).
As things stand, though, the position from the ICO is clear: (i) the GDPR will be effective in Spring 2018; (ii) you will have to be compliant, whether you are based in the EEA or not; and (iii) you should act now if you want to avoid what Mr Graham calls a "nasty surprise".
Becoming compliant will require work, and buy-in at board level is essential. By starting now and following the three A’s approach (Audit what you have, Analyse it against the legislation, Act to make the necessary changes), businesses can stay out of the regulators' crosshairs.
Note: My thanks to Dan Svantesson for the very helpful and insightful work he has done in the area of data protection and extra-territoriality.