How Does the EU Data Privacy Regulation Affect U.S. Businesses? (Part 1)

EPGD Law Intellectual Property Law

What is the GDPR?

As opposed to the U.S., the European Union has a uniform data privacy law. The General Data Protection Regulation (GDPR) went into effect on May 25th of 2018, and has a broad cross-sector scope that affects many foreign companies, including U.S. companies.

This regulation relates to both data privacy and data security. Data privacy is the right to control how information is collected and used, focusing on the use and governance of data. Data security, on the other hand, is focused on protecting data from, for example, attacks and exploitation of stolen data.

The GDPR applies to:

  • Businesses established in the EU – which process personal data; and
  • Businesses outside the EU – if their data processing activities relate to the offering of goods or services to individuals in the EU or to the monitoring of such individuals’ behavior.

Mere accessibility of a website by an EU member is insufficient alone to prove intention to offer goods or services. The GDPR requires intent to offer goods in the EU, not merely availability of, for example, a website. Just having an accessible site is not enough; intent to market is critical. Therefore, the GDPR applies if a business is located within the territory or is marketing services in the EU, regardless of the citizenship of the user.

What is Personal Data?

Personal Data is any information relating to an identified or identifiable natural person (known as a “data subject”). It includes: name; identification number; location data; online identifier; and one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The GDPR regulates several moments in the lifecycle of personal data, including: collection, processing, storage, transmission, and disposal.

Who must Comply with the law?

There are several types of parties who collect and use Personal Data, including “controllers” and “processors”. Controllers are typically the persons or organizations that collect the data. The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organization decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. Employees processing personal data within the organization do so to fulfil your tasks as data controller. Processors typically process the personal data only on behalf of the controller. The data processor is usually a third party external to the company. The relationship between controllers and processors is governed by a data processing agreement.

How can Organizations Collect data?

In order to collect or process personal data, you need to have a legal basis for it. GDPR requires that any organization processing personal data must have a valid legal basis for that personal data processing activity. GDPR provides several legal bases for processing, including:

  • Consent;
  • Performance of a Contract;
  • Legitimate Interest;
  • Vital Interest;
  • Legal Requirement; or
  • Public Interest.

Consent occurs when the data subject has given permission for the organization to process his/her personal data for one or more processing activities. Consent must be freely given, clear, and easy to withdraw. Therefore, organizations need to be careful when using consent as their legal basis. An example of consent is the age box that a user may check when accessing content that is age-restricted.

Performance of a Contract occurs when the data processing activity is necessary to enter into or perform a contract with the data subject. An example of this is when a user provides his/her mailing address for an e-commerce purchase.

Legitimate Interest applies to a processing activity that a data subject would normally expect from an organization to which it gives its personal data, such as marketing activities and fraud prevention. If legitimate interest is used as a legal basis for processing, the organization must perform a balancing test: is this processing activity necessary for the organization to function? Does the processing activity outweigh any risks to a data subject’s rights and freedoms? If the answer to either of those questions is “no,” then the organization cannot use legitimate interest as its legal basis for processing.

Vital Interest is a rare processing activity that could be required to save someone’s life. This is most commonly seen in emergency medical care situations.

Legal Requirement arises with a processing activity that is necessary for a legal obligation, such as information security, employment or consumer transaction law.

Public Interest is a processing activity carried out by a government entity or an organization acting on behalf of a government entity.


EPGD Business Law is located in beautiful Coral Gables, West Palm Beach and historic Washington D.C. Call us at (786) 837-6787, or contact us through the website to schedule a consultation.

*Disclaimer: this blog post is not intended to be legal advice. We highly recommend speaking to an attorney if you have any legal concerns. Contacting us through our website does not establish an attorney-client relationship.*


Silvino Diaz

Silvino E. Diaz’s practice ranges from Civil and Commercial Litigation to Entertainment and Intellectual Property Law. Silvino has earned a reputation as one of Puerto Rico’s foremost advocates for independent musicians and artists. As a result of his sustained commitment to creative industries, he was named Professor of Intellectual Property Law at Atlantic University College (Guaynabo, PR) – the Caribbean’s leading digital arts institution – where he spearheaded the “Introduction to IP” course for both the graduate and undergraduate programs, and was appointed by the Office of the President to develop an Intellectual Property graduate curriculum, where he served until moving to Miami in 2017. He is the founder of the service known as Starving Artists, where he offers innovative business and legal counsel for artists and creatives.

