If you are a United States-based company that collects personal or personally identifiable information from residents of the European Union, maintains an office in the European Union, or processes data on servers in the European Union, then it is time to take data privacy compliance seriously. Though the United States has limited laws concerning data privacy, the EU has adopted the Data Protection Directive to standardize the data privacy regulations applicable to EU member states. While the US is an opt-out society, the EU is, in every respect, an opt-in society.
In Europe, data protection is a fundamental human right. The EU Data Protection Directive requires that personal data be collected only for specified, explicit, and legitimate purposes. Data a company collects from an EU resident may be retained only to the extent that it remains relevant to the purpose for which it was collected. If the data is no longer relevant, it must be purged. And all data must be maintained in an accurate and up-to-date form.
To consent to the collection of data, an EU resident must “opt-in,” meaning he or she must provide unambiguous consent to the collection and use of personal information. Further, the Data Protection Directive restricts the circumstances under which personal information can be transferred outside of the European Union. Transfers of personal or personally identifiable information outside of the European Union may take place only if the target country ensures an “adequate” level of protection.
Since the United States is an opt-out society and does not recognize data protection as a fundamental human right, the US has long been considered to lack “adequate” protection under EU standards. This created significant legal challenges for US companies processing EU personal data — challenges that have only grown more complex with the transition from the EU Data Protection Directive to the General Data Protection Regulation (GDPR).
From the Data Protection Directive to the GDPR
The EU Data Protection Directive (Directive 95/46/EC) was replaced by the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, which became directly applicable in all EU member states on May 25, 2018. The transition to GDPR significantly expanded the regulatory framework that US companies must understand and comply with when processing EU personal data.
Unlike the Directive, which required implementation by each EU member state and resulted in varying national laws, the GDPR is a directly applicable EU regulation that applies uniformly across all member states. It also has explicit extraterritorial reach: the GDPR applies to any company that processes the personal data of EU residents, regardless of where the company is located, if the company offers goods or services to EU residents or monitors the behavior of EU residents. This means that a US company with no European offices or employees may nonetheless be subject to the GDPR if it operates a website accessible to EU consumers.
Key GDPR Requirements for US Companies
Lawful Basis for Processing
Under the GDPR, every processing activity involving EU personal data must have a lawful basis. The six available lawful bases are: (1) consent of the data subject; (2) performance of a contract with the data subject; (3) compliance with a legal obligation; (4) protection of vital interests; (5) performance of a task in the public interest; and (6) legitimate interests of the controller or a third party. Most commercial data processing by US companies will rely on either consent or legitimate interests, each of which has specific requirements and limitations.
The consent standard under GDPR is significantly more demanding than the opt-out model common in US practice. GDPR consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, blanket consent buried in terms of service, and consent that is bundled as a condition of accessing a service do not satisfy the GDPR standard. This is a fundamental shift for US companies accustomed to relying on passive consent mechanisms.
Data Subject Rights
The GDPR grants EU residents a comprehensive set of rights regarding their personal data, including: the right to access their data; the right to rectification of inaccurate data; the right to erasure (the “right to be forgotten”) in certain circumstances; the right to restriction of processing; the right to data portability; and the right to object to processing. US companies subject to the GDPR must implement processes for receiving and responding to these requests within the GDPR’s prescribed timeframes — generally 30 days, extendable to 90 days for complex requests.
Data Breach Notification
The GDPR imposes a 72-hour data breach notification requirement. When a company becomes aware of a personal data breach, it must notify the relevant supervisory authority within 72 hours where the breach is likely to result in a risk to the rights and freedoms of individuals. This timeline is considerably more demanding than most US state notification statutes, which typically allow 30 to 90 days. For US companies subject to the GDPR, a breach affecting EU residents triggers two parallel notification obligations — one under GDPR and one (or more) under applicable US state laws.
Cross-Border Data Transfers After Schrems II
The transfer of EU personal data to the United States has been the subject of intensive legal dispute. The EU-US Privacy Shield framework, which provided a mechanism for US companies to self-certify their compliance with EU data transfer requirements, was invalidated by the Court of Justice of the European Union in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Schrems II), Case C-311/18 (July 2020). The court found that US intelligence surveillance laws — particularly Section 702 of FISA and Executive Order 12333 — did not provide EU residents with equivalent protections to those available under EU law.
The EU-US Data Privacy Framework, adopted in July 2023, provides a new mechanism for transatlantic data transfers. US companies can certify their participation in the framework through the US Department of Commerce. However, this framework has already faced legal challenges similar to those that led to Schrems II, and its long-term viability remains uncertain. US companies that rely on EU personal data should implement Standard Contractual Clauses (SCCs) as a backup transfer mechanism regardless of their Privacy Framework participation status.
GDPR Enforcement and Penalties
GDPR violations can result in administrative fines of up to €20 million or 4% of a company’s total worldwide annual turnover — whichever is higher — for the most serious infringements. EU data protection authorities have imposed substantial fines against US technology companies, including a €1.2 billion fine against Meta in May 2023 for GDPR-violating transfers of EU user data to the United States.
For smaller US companies, the practical risk of massive fines may be lower, but the reputational and operational disruption of a GDPR investigation can be significant. The more immediate concern for many US companies is the obligation to respond to data subject rights requests from EU residents — an obligation that requires systems, processes, and staff training that many companies have not yet implemented.
Contact Revision Legal for EU Data Privacy Compliance
Revision Legal advises US companies on GDPR compliance, EU data transfer mechanisms, privacy policy drafting, data subject rights processes, and breach notification obligations. If your business collects data from EU residents and you are not certain of your compliance status, contact us today for a comprehensive assessment.