The European Union (EU) Parliament recently passed new EU-wide data protection legislation. In the EU, data protection is a fundamental human right, so it only seems fitting that the continent would work to create a single set of rules that would govern everyone instead of allowing the member states to have their own, separate laws. This is also great news for foreign companies doing business in the EU, because it now means data protection laws will be streamlined. Businesses will no longer have to tailor all of their internal data regulations to each individual country.
Unfortunately, Newton’s laws are proven right time and time again – for every action, there is an equal and opposite reaction – and these new laws are no different. While the streamlined system will make things much easier for businesses entering the EU market, the associated penalties for non-compliance are that much stricter. Companies will need to report any data breach to both national officials and their users. Users must be informed how the company will use their data, and companies are expected to help create a system that enables “data portability,” meaning the ability of users to move their data from one service to another.
Along with these stricter requirements come more aggressive sanctions for violators, too. An organization found to have broken any of these data protection laws can be fined up to 4% of global revenue. For multinational corporations such as Google, Amazon and Facebook, this figure could be in the billions.
The new laws will go into effect this summer, giving member states an opportunity to prepare their law enforcement systems and allow both citizens and foreign companies doing business in the EU to become knowledgeable and prepared for these new changes.
Europe’s “right to be forgotten” laws have also proven to be a challenge for multinational companies. Google had challenged this policy but has apparently lost that battle. The right to be forgotten law allows users to request some of their personal data be taken down or removed from the company’s servers. In the US, compliance with this kind of request is at the company’s discretion, and typically, US companies don’t comply with them. It isn’t hard to understand why they would be so strongly opposed to the implementation of this law in the EU; the international ramifications could be massive.
Whether Privacy Shield – the “Safe Harbor 2.0” being implemented after the European Court ruled that the Safe Harbor rules were insufficient to protect the personal data of EU citizens – will conflict with these new EU laws is yet to be determined. Both sets of rules are still being finalized and implemented. Given the time it has taken to create them, though, hopefully some common ground can be found so that the two work together instead of sending the parties back to the negotiating table.
For more information on the new EU data protection laws or how they might impact your business contact Revision Legal’s Internet Privacy attorneys through the form on this page or call 855-473-8474.
Image credit to Flickr user Karen Rustad
The GDPR: What It Requires of US Companies
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, took effect on May 25, 2018 — the successor to the 1995 Directive referenced in the original post above. The GDPR did not merely update the prior framework; it fundamentally restructured data protection law in the EU and extended its reach to companies outside the EU in ways the 1995 Directive did not. Under Article 3(2), the GDPR applies to any company established outside the EU that either (a) offers goods or services to individuals in the EU, or (b) monitors the behavior of individuals in the EU. For US e-commerce companies, this typically means the GDPR applies whenever the company sells to EU customers, regardless of where the company is incorporated or where its servers are located.
The six lawful bases for processing personal data under Article 6 of the GDPR — consent, contract, legal obligation, vital interests, public task, and legitimate interests — replace the patchwork of national laws that previously governed data collection across EU member states. US companies that previously tailored their privacy practices to French, German, and Dutch law separately now face a single, stricter standard, with less flexibility to rely on implicit or inferred consent.
Key Obligations for US E-Commerce Businesses Under the GDPR
- Transparent privacy notices. Article 13 requires that companies provide detailed, plain-language information about data processing at the time personal data is collected. For e-commerce sites, this means checkout flows, account registration pages, and newsletter sign-ups must include clear disclosures about what data is collected, why it is collected, how long it will be retained, and with whom it will be shared.
- Lawful basis documentation. Companies must identify and document the lawful basis for each category of processing. Relying on consent means that consent must be freely given, specific, informed, and unambiguous — pre-ticked boxes and silence do not constitute consent under the GDPR. Legitimate interests can serve as an alternative basis, but require a balancing test weighing the company’s interests against the individual’s rights.
- Data subject rights. Articles 15 through 22 grant EU individuals a suite of rights: access, rectification, erasure (the “right to be forgotten”), restriction of processing, data portability, and objection. Companies must build processes for responding to these requests within one month, with the possibility of a two-month extension for complex requests.
- Data breach notification. Under Article 33, companies must notify their lead supervisory authority of personal data breaches within 72 hours of becoming aware of the breach — unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. For high-risk breaches, Article 34 also requires notification to the affected individuals without undue delay.
- Data processing agreements. When a US company uses third-party processors — cloud hosting providers, payment processors, email marketing platforms, analytics vendors — Article 28 requires a written data processing agreement that specifies the scope, nature, and purpose of the processing, requires the processor to implement appropriate security measures, and restricts the processor from using the data for any purpose other than as instructed.
- EU representative. Companies outside the EU that are subject to the GDPR must, under Article 27, designate a representative in the EU — typically a service provider in one of the member states — unless the processing is occasional and unlikely to result in a high risk. The representative is a point of contact for supervisory authorities and data subjects.
GDPR Enforcement: Real Penalties for Real Violations
The 4% of global annual turnover penalty figure is not theoretical. EU data protection authorities have issued significant fines against US companies:
- The Irish Data Protection Commission fined Meta (Facebook) €1.2 billion in May 2023 for unlawful transfers of EU user data to the United States under Standard Contractual Clauses that failed to provide adequate protection.
- Amazon was fined €746 million by the Luxembourg DPA in 2021 for GDPR violations related to its behavioral advertising practices.
- Google LLC was fined €50 million by the French CNIL in 2019 for lack of transparency, inadequate information, and absence of valid consent for ads personalization.
While these cases involve large companies, the GDPR does not exempt small businesses. SMEs that collect EU consumer data are subject to the same substantive requirements, even if enforcement priorities tend to focus on larger actors. A mid-size US e-commerce company that suffers a data breach involving EU customer records faces a 72-hour notification clock and potential fines — and the size of the fine, while scaled to revenue, can still be crippling for a small company.
The Right to Be Forgotten and Its Practical Implications
Article 17 of the GDPR — the right to erasure — requires companies to delete personal data when an individual requests it, subject to several exceptions. For e-commerce companies, the most common exceptions are that erasure conflicts with a legal obligation to retain the data (e.g., tax and financial record-keeping requirements) or that the data is necessary for the establishment, exercise, or defense of legal claims. Outside those exceptions, a verified erasure request must be honored. This means US e-commerce companies need to build data inventories that are granular enough to identify and delete a specific customer’s data on request — a technically challenging requirement for companies with legacy database architectures.
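The “granular data inventory” requirement described above is easiest to understand as code. The following is an added example, not Revision Legal’s code and not any product’s implementation: it drives an erasure request from a per-table inventory that records which column identifies the customer in each store and whether a legal obligation (here, tax record-keeping for order records) blocks deletion. Rows that can be deleted are removed; rows under legal hold are kept but stripped of identifying fields and re-keyed to a one-way token, so finance can still reconcile them without the row naming the person. The table names, retention rules, sample rows, and the one-month deadline calculation are all constructed for the illustration.

```python
"""Erasure-request handler driven by a per-table data inventory.

Added example, not Revision Legal's code. Table names, retention rules,
the deadline rule and all sample rows are constructed for illustration.
"""
import calendar
import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Inventory: every store holding personal data, the column that identifies the
# customer in it, and whether a legal obligation blocks deletion. Constructed.
INVENTORY = {
    "accounts":   {"key": "customer_id", "retain": False},
    "newsletter": {"key": "email",       "retain": False},   # keyed by e-mail, not id
    "support":    {"key": "customer_id", "retain": False},
    "orders":     {"key": "customer_id", "retain": True,
                   "reason": "tax and financial record-keeping"},
}
IDENTIFYING_FIELDS = ("name", "email", "address", "phone")


@dataclass
class ErasureReport:
    customer_id: str
    deadline: Optional[date] = None
    deleted: dict = field(default_factory=dict)        # table -> rows removed
    pseudonymised: dict = field(default_factory=dict)  # table -> rows stripped of identifiers
    retained_reason: dict = field(default_factory=dict)


def response_deadline(received: date) -> date:
    """Art. 12(3): respond within one month of receipt. Clamp to the last day of
    the target month so 31 January resolves to 28/29 February, not an error."""
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def pseudonym(customer_id: str, salt: bytes) -> str:
    """One-way token replacing the customer id in retained rows."""
    return hashlib.sha256(salt + customer_id.encode()).hexdigest()[:16]


def mentions(store: dict, value: str) -> bool:
    """True if any row in any table still carries the value (post-erasure check)."""
    return any(value in row.values() for rows in store.values() for row in rows)


def erase_customer(store: dict, customer_id: str, received: date, salt: bytes) -> ErasureReport:
    # Resolve every identifier the inventory keys on before touching any table.
    account = next((r for r in store.get("accounts", []) if r["customer_id"] == customer_id), None)
    if account is None:
        raise KeyError(f"no account for {customer_id}")
    identifiers = {"customer_id": customer_id, "email": account["email"]}
    token = pseudonym(customer_id, salt)
    report = ErasureReport(customer_id, deadline=response_deadline(received))

    for table, rule in INVENTORY.items():
        rows = store.get(table, [])
        match = identifiers[rule["key"]]
        mine = [r for r in rows if r.get(rule["key"]) == match]
        if not mine:
            continue
        if rule["retain"]:
            # Legal hold: keep the financial facts, drop everything that identifies the person.
            for r in mine:
                r["customer_id"] = token
                for f in IDENTIFYING_FIELDS:
                    r.pop(f, None)
            report.pseudonymised[table] = len(mine)
            report.retained_reason[table] = rule["reason"]
        else:
            store[table] = [r for r in rows if r.get(rule["key"]) != match]
            report.deleted[table] = len(mine)
    return report


def sample_store() -> dict:
    """Constructed customer data for two customers."""
    return {
        "accounts": [
            {"customer_id": "c-1001", "name": "A. Example", "email": "a@example.test"},
            {"customer_id": "c-1002", "name": "B. Example", "email": "b@example.test"},
        ],
        "newsletter": [{"email": "a@example.test"}, {"email": "b@example.test"}],
        "support": [{"customer_id": "c-1001", "ticket": "refund question"}],
        "orders": [
            {"customer_id": "c-1001", "name": "A. Example", "email": "a@example.test",
             "address": "1 Sample St", "total": 49.90, "vat": 8.32, "date": "2023-06-02"},
            {"customer_id": "c-1002", "name": "B. Example", "email": "b@example.test",
             "address": "2 Sample St", "total": 12.00, "vat": 2.00, "date": "2023-07-09"},
        ],
    }


def run_demo():
    """Erase customer c-1001 (request received 31 Jan 2024); returns (report, store)."""
    store = sample_store()
    report = erase_customer(store, "c-1001", date(2024, 1, 31), b"rotate-me")
    return report, store


if __name__ == "__main__":
    report, store = run_demo()
    print(report)
    print("still identifiable:", mentions(store, "a@example.test") or mentions(store, "c-1001"))
```

The point of the inventory is the `key` column: the newsletter table is keyed by e-mail address rather than customer id, so an erasure routine that only searches for the customer id would leave that row behind. The `mentions` check at the end is the kind of verification a company should run before telling the data subject the request has been honored.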
Intersection with US Privacy Law
US companies subject to the GDPR may also face overlapping obligations under US law. The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), impose requirements that parallel but do not duplicate the GDPR. Companies that have built GDPR compliance programs often find that CCPA compliance requires additional work — particularly around the “sale” and “sharing” of personal information and the requirement to honor Global Privacy Control (GPC) opt-out signals. For companies with national or international customer bases, building a unified privacy compliance program that satisfies both the GDPR and major US state privacy laws is more efficient than addressing each regime separately.
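The Global Privacy Control signal mentioned above is a concrete technical hook. As an added example (not Revision Legal’s code and not from any vendor), the following shows the two pieces a site needs: recognising the `Sec-GPC: 1` request header that the GPC specification defines, and serving the `/.well-known/gpc.json` document the specification uses to declare support. The shape of the consent record and the choice to record a GPC signal as an opt-out of sale and sharing are assumptions for this illustration.

```python
"""Honouring a Global Privacy Control (GPC) opt-out signal.

Added example, not Revision Legal's code. The header name/value and the
well-known path come from the GPC specification; the consent-record
shape is an assumption for this illustration.
"""
import json
from datetime import date


def gpc_signal_present(headers: dict) -> bool:
    """Only the exact value "1" is a valid GPC signal; header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def apply_gpc(headers: dict, record: dict) -> dict:
    """Return an updated consent record. A GPC signal opts the visitor out of
    sale/sharing and is recorded with its source so the decision is auditable;
    without a valid signal the existing record is returned unchanged."""
    updated = dict(record)
    if gpc_signal_present(headers):
        updated["sell_or_share"] = False
        updated["source"] = "gpc"
    return updated


def gpc_well_known(last_update: str) -> dict:
    """Document served at /.well-known/gpc.json declaring that GPC is honoured."""
    date.fromisoformat(last_update)  # validate the YYYY-MM-DD format before publishing
    return {"gpc": True, "lastUpdate": last_update}


def gpc_well_known_body(last_update: str) -> str:
    """JSON body for the well-known endpoint."""
    return json.dumps(gpc_well_known(last_update))


if __name__ == "__main__":
    # Constructed request headers and an existing banner-based consent record.
    request_headers = {"Sec-GPC": "1", "User-Agent": "example"}
    existing = {"sell_or_share": True, "source": "banner"}
    print(apply_gpc(request_headers, existing))
    print(gpc_well_known_body("2024-01-01"))
```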
Talk to an Attorney
GDPR compliance is not optional for US e-commerce companies that sell to EU customers, and the cost of non-compliance — fines, litigation, and reputational damage — vastly exceeds the cost of building a proper compliance program. Revision Legal’s internet privacy attorneys advise US businesses on GDPR obligations, data processing agreements, privacy policy drafting, and breach response. Contact us through the form on this page or call 855-473-8474.