
European Union Privacy Policy Rules Changes

Hi –

 

Chris Craig, here. As you know, I like to keep friends and colleagues abreast of the latest and greatest in the world of non-profit entities and related organizations. Today I am providing a very brief note about a change that will affect many US-based entities starting tomorrow: the implementation of the European Union (EU) General Data Protection Regulation (GDPR). These new rules are designed to enable EU-based individuals to better control their personal data. The below is a SUMMARY ONLY, not a deep dive into the rules, requirements or otherwise, and is not legal advice. As I note below, if you have specific inquiries I strongly urge you to consult counsel.

 

Complying with the EU GDPR standards will require you to UPDATE YOUR CURRENT Privacy Policy for data collected (over the internet and otherwise). Don’t have a policy? If you collect data, PLEASE be sure to adopt a policy in conformity with your local, state and US rules, and possibly EU rules. Read on . . .

 

Under the GDPR, if you collect personal data or behavioural information from someone in an EU country, you are subject to the requirements of the GDPR. The law only applies if the consumer or user is in the EU when the data is collected. In addition, a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization collects “personal data” (personally identifiable information or PII) as part of a marketing survey, then the data would have to be protected GDPR-style. The rules would apply, therefore, to a U.S. company with no physical presence in an EU country that collects personal data belonging to an EU user over the internet. However, such collection would have to target a user in an EU country. Say, for example, the outreach is written in the native language of an EU user. Other transactions such as accepting payment would also tip the balance in favour of coverage. Generic marketing doesn’t count.

 

For entities who fall into the “covered” category, it is imperative that they update their privacy policy and/or internet Terms of Use so that it either meets EU standards or excludes them in some fashion. Otherwise, such entities may be subject to EU enforcement.

 

Features of the new policy include requiring users to opt IN before collecting data, rather than opting out; requiring notification, within 72 hours, of any data breach; and providing users with the right to have their data permanently removed (Right to be Forgotten). This list is not exhaustive.

Among practitioners, it is believed that there are several reasons to become compliant, even if you don’t think you are subject to the GDPR regulations. Such reasons include, but are not limited to:

 

  1. It protects the entity against risk that the entity is in fact holding data subject to the GDPR and does not know it.
  2. It is, theoretically, more secure.
  3. Some suggest that it is a “best practice” in that properly handling personal data instils trust and helps to prevent costly data breaches.
  4. It prepares the entity for the potential future of data collection if the EU standard migrates outside the EU to the US.

 

If you have any questions or require further information, please feel free to contact me.

 

Christopher T. Craig
