European Union’s GDPR: One Year Later
By Justin M. Jacobson, Esq.
It has been one year since the European Union’s General Data Protection Regulation (GDPR) went into effect. We have learned several lessons since the law’s implementation and now have further insight into how to effectively deal with the newly enacted regulations.

First of all, GDPR is a European Union (E.U.) privacy regulation that protects the data of all E.U. citizens. In particular, the GDPR applies to companies that conduct business in the E.U. as well as foreign organizations that do business with E.U. organizations or citizens. The new regulation monitors and provides rules for companies that collect and process data and for those individuals whose data is collected. This means that the new GDPR provides E.U. citizens with new rights over the personal data collected about them by third parties operating or formed in the E.U. Some of these rights include the right to access and object to the processing of an individual’s personal data; the right to notice and consent prior to the use of their personal data; and, in some circumstances, the right to have their data erased or otherwise blocked from further distribution or dissemination.

The new regulation specifies a list of requirements for processing and collecting personal data by E.U.-based companies and those who operate in the E.U. For example, entities that process and document individuals’ personal data must take greater security measures than previously required to protect the data that they have collected. These entities must also comply with strict guidelines in the event that there is a data breach and the collected information is somehow compromised. Additionally, these stringent regulations also mean that entities in the E.U. are now required to employ a data protection officer or other employee whose job it is to ensure the company is in compliance with the new GDPR data protection regulations.
Furthermore, while the GDPR applies to E.U. citizens and residents who are located within the E.U., if an E.U. citizen travels to the United States and makes a purchase at a store in the U.S. with a credit card, the U.S.-based company is not legally required to follow the consumer data protection regulations set out in GDPR.
As discussed earlier, it is important that U.S. companies doing business with an entity or citizen within the E.U. are aware that they are required to comply with GDPR data protection regulations. Unlike their European counterparts, many U.S. companies have struggled to effectively implement sufficient systems to fully comply with GDPR. In particular, this is due to the increased costs that the companies may incur by implementing stronger data protection technology and by employing a data protection officer. At this point, data subject requests from individual E.U. citizens have also proven exceptionally difficult to fulfill because the individual’s requested personal data still has to be reviewed manually by a person.
Going forward, U.S. companies doing business in the E.U. or selling products to consumers within the E.U. should continue to aim to comply with the new regulations. This could include implementing new data protection software to help ease the collection process and to make the data collection and protection systems more automated. It is also crucial for U.S. companies to stay on top of the actions of E.U. officials. In particular, many U.S. companies have enjoyed the fact that they have not yet been swept into compliance with GDPR, but that is not likely to remain the case. As the language of GDPR continues to become less ambiguous, it is likely that more and more entities foreign to the E.U., including those in the U.S., will become subject to such regulations.
We would like to thank Hannah J. Harris, J.D. Candidate ’21 at Tulane University Law School and Junior Member of the Tulane Journal of Technology and Intellectual Property, for her assistance.
This article is not intended as legal advice, as an attorney specializing in the field should be consulted.
© 2019 The Jacobson Firm P.C.