Once the United Kingdom finally parts ways with the European Union, it still won’t be completely clear of the governing General Data Protection Regulation (GDPR). Generally, the GDPR is meant to strengthen and unify data protection for European Union (EU) citizens and for companies established in the EU. However, the GDPR still controls fines and regulations for non-EU companies if the data comes from EU citizens. The reform first passed on April 14, 2016, but it won’t go into effect until 2018.
What does the GDPR govern?
While most of the reform pertains to privacy for European Union citizens and companies, non-EU companies can still be charged hefty fines. Failure to notify consumers of data security breaches, failure to implement preventative measures, failure to correctly maintain records, and breaches of the rules on obtaining consent for the processing of children’s data all fall under the standard. While the GDPR is an EU governing document, actual enforcement will happen at the individual nation level. Each company will be governed by the rules of the country where it is mainly established. While the actual finable actions haven’t changed, the new system gives much greater room for financial punishment.
What are the new fines?
With the new regulations, fines for the previously stated infractions have increased dramatically. The new GDPR allows for fines up to €20,000,000 or 4% of the company’s global revenue, whichever is higher. For example, 4% of Apple’s revenue is approximately $9.3 billion. While these fines may seem small in the grand scheme of overall worth and cash flow, a hit of this size for a major infraction could topple even a massive company. These new caps are greater, on average, than the caps under the current EU member states’ own privacy penalty regimes. While the individual countries prosecute each company established within their borders, the EU rules now leave more room for increased fines in almost every nation.
Will nations actually use this new fining system?
Because the bill doesn’t take effect until 2018, it’s hard to say for certain how much the nations will actually fine offending companies. However, it’s unlikely that a country like Bulgaria, which currently sets a maximum fine of roughly 100,000 euros, will suddenly raise its own penalty standard simply because the governing GDPR now allows it. Because of global pressure on each nation or union to show that it is taking privacy seriously, governing bodies have shown some willingness to increase financial penalty caps.
Currently, there is no explicit guidance for companies on navigating these new rules and fines. Companies worried about potential liability should obtain legal advice. For more information regarding the new agreement and its increased fine caps, contact Revision Legal’s Internet attorneys through our contact form or by calling 855-473-8474.
Image Credit: Rob Pongsajapan
GDPR Enforcement: What U.S. Businesses Need to Know
The General Data Protection Regulation took effect on May 25, 2018. European Data Protection Authorities have since issued billions of euros in fines — and U.S. businesses have been squarely in the enforcement crosshairs. Understanding the GDPR’s jurisdictional reach, its substantive requirements, and the record of enforcement is essential for any American business that handles data originating from EU residents.
Jurisdictional Reach: The GDPR Applies Even If You Have No EU Office
Article 3 of the GDPR establishes that the regulation applies to any organization — regardless of where it is established — that offers goods or services to individuals in the EU, or that monitors the behavior of individuals in the EU. A U.S. e-commerce store that ships to France, a U.S. software company whose app is used by German citizens, or a U.S. content publisher whose website accepts EU visitors is subject to the GDPR. A website accessible to EU users, particularly one that uses cookies or tracking pixels, likely meets the monitoring criterion. U.S. businesses cannot simply disclaim GDPR applicability because they are incorporated in Delaware.
Core GDPR Obligations for U.S. Businesses
Every processing activity must rest on one of six lawful bases enumerated in Article 6 — consent, contract necessity, legal obligation, vital interests, public task, or legitimate interests. Article 13 requires a detailed privacy notice at the time of data collection disclosing the purposes, legal basis, retention periods, and data subjects’ rights. Articles 15-22 establish rights to access, rectification, erasure, restriction of processing, data portability, and objection, with requests due within one month. Article 33 requires notification to the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. Article 28 requires written data processing agreements with every vendor that handles EU personal data on your behalf.
Record Enforcement Actions
European regulators have issued more than 1,700 GDPR fines totaling over four and a half billion euros. Meta Ireland was fined 1.2 billion euros by the Irish Data Protection Commission in 2023 for unlawful transfers of EU user data to the United States. Amazon was fined 746 million euros by Luxembourg’s regulator in 2021 for consent-related violations in its advertising targeting practices. Google has faced multiple nine-figure fines across France, Spain, and Ireland. These cases share common threads: unlawful cross-border data transfers, inadequate consent mechanisms for advertising cookies, and failure to honor data subject access requests. U.S. businesses whose EU operations involve any of these activities face similar risks.
International Data Transfers: The Post-Schrems II Landscape
The Court of Justice of the European Union’s 2020 decision in Data Protection Commissioner v. Facebook Ireland (Schrems II) invalidated the EU-U.S. Privacy Shield framework, leaving Standard Contractual Clauses (SCCs) as the primary mechanism for lawful data transfers from the EU to the United States. The EU-U.S. Data Privacy Framework, adopted in July 2023, currently provides an alternative adequacy-based transfer mechanism for U.S. organizations that self-certify with the Department of Commerce — but this framework faces legal challenges. Any U.S. business that transfers EU personal data to the United States should review its transfer mechanism and maintain SCCs as a backstop.
If your business processes personal data of EU residents and you need to assess your GDPR compliance obligations or respond to a regulatory inquiry, Revision Legal’s internet attorneys can help. Contact us through the form on this page or call 855-473-8474.
Preparing Your U.S. Business for GDPR Compliance
U.S. businesses that have historically ignored GDPR compliance because they lacked a physical EU presence are increasingly finding that enforcement actions reach them anyway — particularly as EU supervisory authorities become more aggressive in exercising jurisdiction over digital businesses. A practical GDPR compliance project for a U.S. business that processes EU personal data typically involves: conducting a data mapping exercise to identify what personal data is collected from EU users, how it is used, and where it flows; reviewing and updating your privacy notice to satisfy GDPR’s Article 13 disclosure requirements; implementing a consent management platform for cookie consent and marketing opt-ins; entering into data processing agreements with vendors who handle EU personal data; implementing procedures for responding to data subject rights requests within the one-month statutory deadline; and developing a 72-hour breach notification protocol for EU incidents. Businesses that complete these steps are not only more compliant — they typically have better data governance practices overall, which reduces risk under U.S. state privacy laws as well. Revision Legal assists U.S. businesses in developing GDPR compliance programs that are proportionate to their size, the volume of EU data they process, and their risk tolerance. Contact us through the form on this page or call 855-473-8474.