If you read these pages regularly, you know that the General Data Protection Regulation (GDPR), a European law that governs the handling of European Union (EU) members’ data, will come into full force on May 25. But even with all the coverage — and there’s a lot — we’re still unclear as to how the law will be enforced in the United States.
I spoke with Kristina Podnar, a digital policy consultant who is a GDPR advisor to Third Door Media, to see if we could get some clarity. We got — well, some. Here’s what we learned.
Who regulates GDPR compliance for US companies?
Who regulates US companies depends on your definition of “US company.” If a US company is a multinational with local legal market presence in the EU (i.e., they are a company’s local business entity), then the EU Data Protection Act (DPA) regulations prevail and the company is subject to the local member state system.
If you are talking about a US company that does business in the EU but is not a multinational, then the Federal Trade Commission (FTC) regulates US companies. The FTC has made itself the de facto DPA under Section 5 of the FTC Act (invoking unfair or deceptive trade practices, they have been able to make proclamations such as [if] a company failed to adopt reasonable security measures). This FTC concept of a DPA has been challenged, of course (TJX, Google, etc.), but the FTC is looked to from an EU perspective for enforcement because of the tradition that was created pre-GDPR in the ePrivacy Directive era.
Who do US companies notify in case there’s a breach?
GDPR requires businesses to report a breach within 72 hours. Podnar says that companies need only notify data subjects if the breach is likely to result in high risk to the rights and freedoms of the individuals.
In terms of the company reporting, it depends on what data is breached and again, where the organization is operating in terms of its status. If it is a multinational, the organization ought to report the breach to the supervisory authority of the relevant EU member state (or multiple states, as the case may be). In the US, we now have data breach reporting requirements for all 50 states as well; the lowest thresholds are in California. Therefore, the US company would also need to comply with those requirements separately from GDPR obligations and report the breach domestically (FBI and FTC are notified as an extension of the state AG).
Who does a consumer report a data handling issue to?
Podnar said that if a consumer (or data subject) has an issue with a data processor or a controller, they should address the situation first with the controller.
The [European] member state DPA is the escalation point to report issues to with a controller or even with a processor who is unresponsive to the request made to the controller.
So, for example, if I live in London and make a request to a controller for data correction of an error, but the processor continues to retain the incorrect data, I could report the issue to the ICO for correction.
Getting enforcement of such on a US company with no regional legal business entity may be challenging, but … the arm of international business law is long and there are established protocols for enforcement of foreign judgements in the US (albeit they might be lengthy and impractical!).
So there you have it. What we know for certain is that on May 25, companies that handle EU residents’ data are legally required to be compliant with GDPR. If they aren’t compliant? Well, that’s anybody’s guess.