The EU’s New GDPR Rules: Impact on America

Sujit Choudhry
Jul 17, 2018

In May, the European Union’s (EU) General Data Protection Regulation (GDPR) came into effect, with multiple implications for American corporations. The law protects EU residents from “data mining,” the collection of data that may be useful to the company that collects it but may violate the privacy rights of the individual whose data is now stored on a server to be used as the collecting company sees fit.

The law is sweeping: it applies automatically to all 28 EU states and could continue to apply to the United Kingdom when “Brexit,” the UK’s withdrawal from the EU, is fully implemented. It defines the personal data that is protected broadly as any information relating to an individual, whether it relates to his or her private, professional or public life. That information could be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. Perhaps most importantly to American businesses, it is enforced with very stiff fines of up to 20 million Euros.

Therefore, American companies that mine data from individuals in the EU must tread very carefully. The GDPR is very clear that individuals in the EU are protected from data mining by companies outside the EU, including the United States. Any American firm that suspects it may run afoul of the GDPR needs to seek legal advice as soon as possible.

Complicating the matter is the fact that the EU states and the United States have very different views regarding the collection of individuals’ data. Europeans take protection of data very seriously. Two fundamental EU documents, the Charter of Fundamental Rights of the European Union and the Treaty on the Functioning of the European Union, enshrine the “right to the protection of personal data” into law. These provisions are of recent origin and were enacted when the internet, the primary source of data mining, already existed.

By contrast, the United States has no such sweeping laws; the Constitution contains no such protections and was — obviously — enacted without the internet in mind. The closest the Constitution comes to addressing this problem is the Fourth Amendment, which states that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” This right might protect consumers from data mining by the government but not by private entities.

In addition, Americans are used to data mining, and some may see it as a convenience. For example, suppose an individual searches one of the well-known travel sites looking for information about resorts in Jamaica. The next time she logs on to her Facebook account, a “sponsored” ad is waiting for her, touting the benefits of a Jamaican resort that is currently offering a special discount. Would she view this as an unwarranted intrusion or a benefit?

It could be argued that United States consumers would not welcome a comprehensive, EU-style GDPR applied domestically. To be sure, data mining can be used for maleficent purposes, as shown by the recent revelation that Facebook allowed three Chinese companies to data mine Facebook users.

There is very little legal precedent regarding how American courts would address issues raised by the GDPR or any domestic issues raised by the federal law known as the Stored Communications Act, which involves “stored wire and electronic communications and transactional records” collected on the internet, or by any future domestic law similar to the GDPR. However, the United States Supreme Court recently heard oral arguments in the case of United States v. Microsoft. The Supreme Court vacated the ruling on review and remanded it to the Second Circuit, instructing that court to remand the case to the district court and to dismiss the case as moot. In the case, the United States sought to obtain data mined from US consumers but held on a server in Ireland. Could a US-issued search warrant compel Microsoft to disclose data located in Ireland?

Technically, the case was narrowly focused on the question of whether the Stored Communications Act reaches outside the United States. Of interest, however, the European Parliament filed an amicus (friend of the Court) brief in the case, arguing that the United States would have to negotiate a bilateral treaty to obtain the material because the extraterritorial reach of the US warrant would undermine the protections provided by the GDPR.

Any firms that collect data from Americans or citizens of the EU need to monitor the issues raised here carefully.
