By: Michael H. Gladstone, Esq.
On May 25, 2018, the European Union (EU) “General Data Protection Regulation” (GDPR) becomes effective. Many U.S. businesses are just waking up to the possibility that this regulation may pertain to them. For U.S. entities with any contact with EU subjects and their personal data, the question whether the GDPR applies to them is a serious one which should be carefully studied.
The GDPR imposes an extensive set of duties and burdens on “covered entities,” and sets out breathtaking penalties for violation of the regulation. Breathtaking here means 4% of worldwide revenue, or 20 million Euros, not counting damages to the violated data subject. The scope of personal data covered by the regulation and utilized by data recipients and users (called “controllers” and “processors” of personal data), coupled with the GDPR’s expanded territorial reach (compared to the predecessor EU rules concerning protection of personal data), ensures that a significant number of U.S. businesses, which might intuitively or superficially conclude otherwise, may be covered by the regulation. The GDPR presents an unprecedented effort by a governmental unit to protect the privacy of its subjects’ personal data.