What Is the GDPR? General Data Protection Regulation

by John DiGiacomo, Partner

Ever since people started putting information on social media, in the custody of companies, or on their own protected online servers, there have been groups who attempt to hack that information and use it with ill intent. Because the United States and other nations place great weight on personal privacy, companies are made or destroyed around the notion of information security. While companies are often the victims of cyber attacks that jeopardize their customers’ information, in the past the customers themselves were sometimes left in the dark.

How are consumers protected from these attacks?

As with many consumer protection measures in the U.S., the response has come at the state level: many states have enacted laws that require businesses to notify customers when their data may have been compromised. States like California and Michigan, among many others, require companies with clients in their state to notify those consumers of the potential damage done and to provide resources that help protect them against potential fraud. However, there is currently no federal law providing a uniform baseline for all United States citizens.

The EU’s Answer: General Data Protection Regulation

Unlike the United States, the European Union (EU) has taken it upon itself to protect the citizens of all member states through the General Data Protection Regulation (GDPR). The GDPR applies to all businesses that are based in the EU, that offer services to people in the EU, or that monitor people in the EU. It applies to any such company that suffers a “personal data breach,” which is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Major Differences in the GDPR

Similar to many U.S. state laws, the GDPR requires disclosure to consumers once an information breach has been discovered. When data processors notice a breach, they notify the data controllers, and the data controllers in turn notify the affected consumers and the government regulators. While much of the regulation is now considered standard, there are some key points worth noting:

  1. The GDPR governs all types of identifying information, not just sensitive materials like Social Security Numbers, driver’s license numbers, etc.
  2. Notification requirements are stricter: notice is required on any evidence of a breach, not only when there is a material threat to customers.
  3. Companies that become aware of a breach are required to notify governing agencies in the EU within 72 hours of discovery.
  4. Individual victims have the right to seek damages that they suffer if the company in question has not abided by the GDPR requirements.
  5. Companies that do not abide by the GDPR may be fined up to 2% of the company’s annual revenue — or for the most serious violations, up to 4% of global annual turnover.

These key points show that the EU is not taking its citizens’ privacy lightly. The prospect of a major fine for GDPR infractions will hopefully spur companies not only to notify consumers when breaches occur but also to treat information security with greater responsibility.

GDPR in Practice: What U.S. Businesses Need to Know

The GDPR has been fully in effect since May 25, 2018. For U.S.-based businesses that have customers or users in the European Union, the regulation creates binding legal obligations regardless of where the business is located. Understanding the GDPR’s scope, its enforcement record, and its key requirements is essential for any company with an international customer base.

Does the GDPR Apply to Your U.S. Business?

The GDPR’s territorial scope, established in Article 3, is notably broad. The regulation applies not only to businesses established in the EU but also to businesses outside the EU that offer goods or services to individuals in the EU, or that monitor the behavior of individuals in the EU. A U.S. e-commerce company that ships products to Germany, a U.S. SaaS company with paying subscribers in France, or a U.S. website that uses cookies to track the browsing behavior of visitors located in the EU — all of these businesses are subject to GDPR requirements with respect to the EU personal data they handle.

The key question is not whether a U.S. business intentionally targeted EU consumers, but whether it in fact processed EU personal data in connection with offering services or monitoring behavior. A U.S. business that discovers it has EU users must immediately assess whether it is subject to GDPR and, if so, what compliance obligations have been triggered.

Core GDPR Obligations

The GDPR imposes a broad set of obligations on data controllers (entities that determine how and why personal data is processed) and data processors (entities that process data on behalf of controllers). Key obligations include:

  • Lawful basis for processing. Every processing activity requires a lawful basis under Article 6. Common lawful bases include consent, performance of a contract, compliance with a legal obligation, and legitimate interests of the controller. Processing personal data without a documented lawful basis is a GDPR violation.
  • Data subject rights. The GDPR grants EU individuals the right to access their data (Article 15), to have inaccurate data corrected (Article 16), to have data erased under certain circumstances (Article 17, the “right to be forgotten”), to receive data in a portable format (Article 20), and to object to certain processing activities (Article 21). Businesses must be able to respond to these requests within 30 days.
  • Privacy by design. Article 25 requires data controllers to implement appropriate technical and organizational measures to integrate data protection into processing activities from the design stage, not as an afterthought.
  • Data protection impact assessments (DPIAs). Article 35 requires a DPIA before undertaking processing activities that are likely to result in high risk to individuals’ rights and freedoms, such as large-scale processing of sensitive data, systematic monitoring of public areas, or automated decision-making with significant legal effects.

GDPR Breach Notification Requirements

Article 33 of the GDPR requires data controllers to notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification must describe the nature of the breach, the categories and approximate number of individuals affected, the categories and approximate number of data records involved, the likely consequences of the breach, and the measures taken or proposed to address it.

Article 34 requires direct notification to affected individuals when a breach is likely to result in a “high risk” to their rights and freedoms — for example, when sensitive categories of data such as health information, financial information, or data revealing racial or ethnic origin are exposed. The notification to individuals must be made “without undue delay,” which regulators have interpreted to mean as quickly as practicable after the 72-hour supervisory authority notification.

GDPR Enforcement: Real Fines Against U.S. Companies

European data protection authorities have demonstrated willingness to impose substantial fines against major companies. Meta (formerly Facebook) was fined $1.3 billion by Ireland’s Data Protection Commission in 2023 for unlawful transfers of EU personal data to the United States. Amazon was fined $877 million by Luxembourg’s CNPD for GDPR violations related to its advertising targeting practices. Google has faced multiple significant fines across EU jurisdictions for consent and transparency violations.

U.S. companies that operate internationally cannot treat GDPR as a European problem that does not affect them. European supervisory authorities have taken enforcement actions against U.S. entities, and the GDPR’s private right of action allows EU individuals to sue data controllers for compensation for material and non-material damage resulting from violations.

Talk to a Data Breach Lawyer

At a time when all of our information and customers are global, it is important that your company understands which laws could directly impact its business. Revision Legal consistently works to improve its clients’ legal protection in the wake of potential information breaches. If you have concerns about your exposure, or have received notification that your company has been the victim of a security breach, contact our experienced data breach and internet attorneys. Contact us using the form on this page or call us at 855-473-8474.