New EU data protection laws affect overseas businesses

20 August 2018

On May 25 2018 the General Data Protection Regulation (GDPR) came into effect in all European Union member states. It has been welcomed by some as the most far-reaching data protection legislation in 20 years.

Unlike any previous privacy laws, the GDPR has global reach. Any entity anywhere in the world that stores or performs any operation with personal data of people situated in the European Union might be affected.

It goes without saying that a non-EU business that has a genuine presence somewhere in the EU will be subject to the GDPR. A more difficult question is the effect of the legislation on businesses that operate solely outside the EU but process data of “data subjects” situated within any EU country. The GDPR will affect a processor who is either offering goods or services to Europeans or is monitoring their behaviour. In the latter category, internet giants such as Google, Amazon or Facebook are very much the kind of business that EU regulators have in mind. Entities of this kind remain the main targets for enforcement measures, although there will be others.

Small businesses whose websites are accessible in the EU but who are not actively looking for European customers need not be concerned. It should usually be obvious from the facts whether any sales are being targeted at Europeans.

The GDPR entails a high compliance burden. All aspects of a business’s data protection practice should be documented to show that data privacy measures have been considered and implemented in every case. Contractual arrangements or consent mechanisms need to be put in place where they are necessary to legitimate the transfer of data outside the EU. It is essential to have properly drafted contracts if a business subcontracts the processing of data to third parties. An organization will also need to put in place measures that enable data subject rights, such as the right to change inaccurate data, to have access to the data, to transfer the data to another provider and the so-called “right to be forgotten” if the retention of that person’s data is no longer appropriate.

The penalty that is most relevant to overseas entities is the ability of the enforcement authorities to restrict or prevent any data processing. This could seriously diminish a business’s ability to trade with EU citizens.

In terms of monetary penalties, a considerable amount of attention has been given to the fact that the maximum fine could be approximately $20,000,000 or 4% of worldwide turnover. Even for organisations that are not processing big data to discover consumer or political preferences, the risk of large penalties is relevant (perhaps for those guilty of excessive spamming). The potential level of fines elevates data protection compliance measures to a board-level concern.

Matters awaiting clarification include the enforcement of the GDPR against overseas entities by investigatory actions and the imposition of monetary penalties. Further EU legislation is also awaited on marketing communications to existing and potential customers. It is not yet entirely clear whether there is any need to pay registration fees to an EU data protection authority. In all cases, good practice standards need to be adopted, which can be revised as case law and regulatory activity develop.

By Laurie Heizler
