How The EU Data Privacy Regulation Will Affect American Companies' Data Collection and Processing Practices – and Their Revenue

For American companies that do business in Europe or that process the personal data of EU residents, the world of data privacy and security is about to get much more complicated. While U.S. privacy law is unsettled, with rapidly proliferating state and federal laws and regulations and uncertainty as to how strictly they will be enforced, the rules in the European Union are tough and about to get much tougher. The General Data Protection Regulation (EU) 2016/679 (GDPR), slated to take effect in May 2018, will give consumers in the EU substantially more control over how their personal data is used. The increased control includes the right to:

  1. access any personal data that has been collected,
  2. obtain confirmation about whether an individual's data is being processed, and
  3. require that the data be "erased" if the consumer withdraws consent.

Compliance with the GDPR is likely to affect the bottom line of American companies that process substantial amounts of data from EU residents, and not only because of the costs associated with GDPR-mandated data inventories, privacy assessments, data breach notification and documentation. GDPR's strict rules regarding consent to process personal data – which will require separate "opt-in" consent for each processing activity, and the destruction of data after the specific activity is completed – will mean that companies collecting data from EU residents can no longer rely on a consumer's agreement to a broad privacy policy that allows processing of data for purposes that go beyond the provision of the specific service in question. As a practical matter, compliance with these rules will almost inevitably mean that businesses will be able to collect and use far less customer data than they have been accustomed to collecting. For that reason, compliance is likely to affect the revenue that many companies have grown accustomed to generating by using and/or selling their customers' data.