The United States does not have a single data protection law; instead, a sectoral approach is used. There are many laws covering the different practices used to protect privacy, but no single legal framework for collecting, using, and disseminating data.
With the adoption of Directive 95/46/EC, US organizations could find themselves restricted in collecting personal information for cooperation and business with European organizations, because it is forbidden to disclose personal information to countries that do not meet the EU privacy standards. As a result, the US Department of Commerce developed the Safe Harbor system in co-operation with the European Commission.
Safe Harbor Framework is no longer valid
On October 6, 2015, the European Court of Justice issued a judgment declaring “invalid” the European Commission’s Decision 2000/520/EC of 26 July 2000 “on the adequacy of the protection provided by the Safe Harbor privacy principles and related frequently asked questions issued by the US Department of Commerce.” As a result of that decision, the U.S.-EU Safe Harbor Framework is not a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
On July 12, 2016, the U.S. Secretary of Commerce announced the approval of the EU-U.S. Privacy Shield Framework as a valid legal mechanism to comply with EU requirements when transferring personal data from the European Union to the United States. The EU-U.S. Privacy Shield Framework replaces the U.S.-EU Safe Harbor Framework.
Application of GDPR in US
The new General Data Protection Regulation (GDPR), put forth by the European Commission in 2012 and finally agreed upon by the European Parliament and Council in December 2016, is set to replace the Data Protection Directive 95/46/EC. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.
Research has shown that a large number of US companies hold personal information of EU citizens, making them subject to the GDPR. The primary concerns for these companies are knowing where customer data is at all times and properly concealing customer data used in testing.
Shifting from EU Data Protection Directive
As of May 25, 2018, all companies that have operations in the European Union (EU), offer goods or services to EU residents, or monitor or profile EU residents (such as through online behavioral advertising) will be required to comply with the new EU General Data Protection Regulation (GDPR or EU GDPR).
US companies that currently have physical operations in the EU are bound by the EU Data Protection Directive, which will remain in effect until it is replaced by the GDPR. These companies are used to operating under EU data privacy law and understand the legal and cultural differences between the U.S. and EU approaches to privacy. To them, the GDPR will be familiar, even if it imposes onerous new requirements and significantly ups the ante for noncompliance.
New requirements for companies
The GDPR will expand the reach of EU data privacy law and will apply to a broader range of US companies than the current EU Directive does. The GDPR will require companies to obtain freely given, specific, informed, and unambiguous consent before collecting personal data (i.e., information relating to an identified or identifiable natural person, including a unique device ID or location data) from an EU resident.
The EU GDPR requires new mechanisms that give data subjects control over their personal data. In addition, the GDPR will give EU residents certain rights, such as the right to request removal of personal data they have posted online and the right to data portability. Specifically, a company will be required to remove, erase, or otherwise delete the personal data of an EU resident upon request, subject to some exceptions, if, among other things, the data are no longer necessary for the purpose for which they were collected, or the EU resident withdraws consent or objects to the processing and there is no other legitimate basis to continue processing. In addition, a company will have to, at an EU resident’s request, transfer that resident’s personal data in a structured, machine-readable format to another company. U.S. companies will have to build this functionality into their systems and databases.
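As an added illustration (not code from the original article, and not a reference implementation of the Regulation), the following Python module sketches the two mechanisms just described: an erasure request that is honoured or refused on the grounds the text lists, and a portability export in a structured, machine-readable format (JSON). The in-memory store, the `PersonalRecord` fields, the request grounds, the single `other_legal_basis` field that stands in for the Regulation's exceptions, and the sample records are all constructed assumptions for this example; every decision is written to an audit log so the company can show what it did and why.

```python
"""Added example: data-subject erasure and portability request handling.

Not from the original article. The store, field names, request grounds and the
single "other legal basis" exception are simplifying assumptions for illustration.
"""
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Optional


@dataclass
class PersonalRecord:
    """Personal data held about one EU resident (constructed fields)."""
    subject_id: str
    email: str
    display_name: str
    consent_given: bool                       # consent is the lawful basis relied on
    purpose_active: bool                      # original purpose still needs the data
    other_legal_basis: Optional[str] = None   # e.g. a statutory retention duty
    posts: list = field(default_factory=list)  # content the resident posted online


class DataSubjectRequestHandler:
    """Serves erasure and portability requests against an in-memory store."""

    VALID_GROUNDS = ("purpose_ended", "consent_withdrawn", "objection")

    def __init__(self) -> None:
        self.records: dict[str, PersonalRecord] = {}
        self.audit_log: list[dict] = []   # every decision recorded for accountability

    def add(self, rec: PersonalRecord) -> None:
        self.records[rec.subject_id] = rec

    def _log(self, subject_id: str, action: str, outcome: str) -> None:
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "subject_id": subject_id,
            "action": action,
            "outcome": outcome,
        })

    def handle_erasure(self, subject_id: str, ground: str) -> dict:
        """Decide an erasure request; returns {"erased": bool, "reason": str}."""
        if ground not in self.VALID_GROUNDS:
            self._log(subject_id, "erasure", "rejected_unknown_ground")
            return {"erased": False, "reason": f"unknown ground: {ground}"}
        rec = self.records.get(subject_id)
        if rec is None:
            self._log(subject_id, "erasure", "no_data_held")
            return {"erased": False, "reason": "no personal data held for this subject"}
        # Withdrawal or objection ends consent-based processing whatever happens next.
        if ground in ("consent_withdrawn", "objection"):
            rec.consent_given = False
        # Exception (simplified): another legitimate basis lets the company retain data.
        if rec.other_legal_basis is not None:
            self._log(subject_id, "erasure", f"denied_other_basis:{rec.other_legal_basis}")
            return {"erased": False,
                    "reason": f"retained under other legal basis: {rec.other_legal_basis}"}
        # "No longer necessary" only holds if the original purpose is really over.
        if ground == "purpose_ended" and rec.purpose_active:
            self._log(subject_id, "erasure", "denied_purpose_active")
            return {"erased": False, "reason": "data still necessary for original purpose"}
        del self.records[subject_id]
        self._log(subject_id, "erasure", "erased")
        return {"erased": True, "reason": f"erased on ground {ground}"}

    def export_portable(self, subject_id: str) -> Optional[str]:
        """Return the subject's data as a structured, machine-readable JSON document."""
        rec = self.records.get(subject_id)
        if rec is None:
            return None
        payload = {
            "schema": "portability-export/1",   # constructed schema identifier
            "exported_at": datetime.now(timezone.utc).isoformat(),
            "subject": asdict(rec),
        }
        self._log(subject_id, "portability_export", "exported")
        return json.dumps(payload, indent=2, sort_keys=True)


def build_sample_handler() -> DataSubjectRequestHandler:
    """Constructed sample data: a plain user, one under a retention duty, one whose purpose ended."""
    h = DataSubjectRequestHandler()
    h.add(PersonalRecord("u1", "anna@example.org", "Anna", True, True, None, ["hello"]))
    h.add(PersonalRecord("u2", "ben@example.org", "Ben", True, True, "tax_retention"))
    h.add(PersonalRecord("u3", "cara@example.org", "Cara", True, False))
    return h


if __name__ == "__main__":
    h = build_sample_handler()
    print(h.export_portable("u1"))
    print(h.handle_erasure("u1", "consent_withdrawn"))
    print(h.handle_erasure("u2", "consent_withdrawn"))
    print(h.handle_erasure("u3", "purpose_ended"))
    for entry in h.audit_log:
        print(entry)
```

The point of the audit log is that a refusal is as much a decision as an erasure: when a retention duty overrides the request, the record of which basis was relied on is what the company will need to show a supervisory authority later.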
A breach of security
Companies that experience a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data will be required, subject to some exceptions, to notify (1) the relevant Data Protection Authority (i.e., the supervisory authority in the relevant EU Member State) within 72 hours of discovering the breach, unless the breach is “unlikely to result in a risk to the rights and freedoms of individuals,” and (2) the data subject, “without undue delay,” if the breach is “likely to result in a high risk to the rights and freedoms of individuals.” In the U.S., data breach notification is governed by 48 different state laws, none of which imposes such a short period within which notification must be made.
Aligning your business as soon as possible
The GDPR imposes steep penalties for non-compliance. In terms of remedies and sanctions, the GDPR will increase fines considerably for both controllers and processors of personal data. The GDPR will give the Data Protection Authorities “complete independence,” more resources, and greater powers. Moreover, the GDPR provides for potentially substantial fines for “infringements” of the GDPR’s provisions—in many cases, up to 20 million euro or 4% of a company’s total worldwide annual turnover, whichever is greater.
With the deadline rapidly approaching and unprecedented financial penalties at stake, it is time for all US companies selling goods and services to EU residents, or monitoring EU citizens online, to ensure that their business is aligned with the GDPR.