Top Three Reasons Why GDPR Is Over-Hyped

We’ve all seen the plethora of emails flooding into our inboxes about companies updating their privacy policies in the past several weeks. Why? The primary reason is that the European Union (“EU”) adopted a sweeping (and massively overbroad) privacy regulation that allegedly applies to companies internationally, including those not located in the EU.

The new regulation, the General Data Protection Regulation, or “GDPR,” went into effect on May 25, 2018. Many U.S.-based companies are scrambling to determine what the new regulation means and what, if anything, they need to do about it.

An overwhelming slew of U.S.-based attorneys and compliance personnel have crowed about the doomsday-like nature of GDPR. Specifically, these individuals leverage GDPR as a mechanism to promote the idea that U.S. companies must implement expensive and immensely time-consuming compliance processes to comply with GDPR. The reality is that GDPR will likely be similar to the Y2K bug: completely overblown. Most U.S. businesses with nominal EU ties have little to worry about.

Admittedly, GDPR compliance programs for many businesses are prudent and necessary. This is particularly the case for companies with significant EU presences and assets, for companies seeking an EU presence in the near future, and for companies that routinely use, store, or process EU consumer data. However, the problem with all of this hype is that it has blown the true risk of GDPR out of proportion for U.S.-based businesses that have little to no EU ties.

Here are the top three reasons why GDPR is over-hyped: 

1) GDPR does not affect all businesses

Contrary to popular belief, GDPR does not apply to all U.S. businesses. In order for GDPR to apply to a U.S. business that does not have any physical presence in the EU (e.g., an office location), the U.S. company must offer goods or services to, or monitor, control, or possess the behavior or data of, EU citizens. The recitals to the GDPR explain that merely having a commerce-oriented website that is accessible to EU residents does not by itself constitute offering goods or services in the EU. Accordingly, GDPR does not apply to companies that neither market in the EU nor possess any personal data about EU citizens.

2) Businesses with nominal EU ties have relatively small risk

While GDPR is very broad and allegedly applies to many U.S. businesses, including those with nominal ties to the EU, the risk to such businesses related to GDPR is relatively low. While EU regulators are expected to vigorously enforce GDPR, and have the ability to impose large fines for non-compliance, large, multi-national companies with significant assets—Microsoft, Google, Facebook, etc.—are expected to draw the primary focus of regulators. Accordingly, smaller U.S. companies with no EU assets that are doing business in good faith are unlikely targets of regulatory scrutiny, especially given the scant history of governmental regulatory action against such U.S. companies.

3) It is debatable whether U.S. courts would enforce EU sanctions

Even assuming EU regulators put their crosshairs on a U.S. company that has no EU assets or “boots on the ground” in the EU, and even assuming the EU regulators monetarily fine such a U.S. company, it is debatable whether such a fine would be enforced in the U.S. To do so, the EU regulators would need to take their judgment from Europe and enforce it in the state(s) where the U.S. company has assets. As an initial matter, the EU’s attempt to do so may cause a political backlash from Washington. Judges may also decline to enforce any such judgment given constitutional and jurisdictional concerns.

So Why Should You Care About GDPR?

GDPR is a far-reaching new EU regulation that potentially affects businesses in the U.S., including those without any assets or formal business operations in the EU. U.S. companies with EU assets and formal operations would be wise to implement GDPR compliance procedures immediately if they have not already done so. However, there is relatively low risk of GDPR being enforced against U.S. companies with:

  • no EU assets,
  • no formal operations in the EU,
  • no future intentions of moving formal operations into the EU,
  • little to no business with EU citizens, and
  • reasonable policies and procedures (including a website privacy policy).

While this is a non-exhaustive list, companies that fall into these categories should still consult with an experienced attorney. After such consultation, companies will be better able to understand the true risk factors involved and then perform a cost/benefit analysis of whether to implement a GDPR compliance program.

Jon Farnsworth is a shareholder at Felhaber Larson. People refer to Jon as “the attorney for people who don’t like attorneys,” largely because he gives straightforward, practical legal and business advice. Jon utilizes his MBA to counsel many entrepreneurs and tech companies, including those with international operations. He can be reached at 612-373-8455 and jfarnsworth@felhaber.com.

This article contains the author’s opinion and does not constitute legal advice. Jon thanks summer associate Reid Shepard for his research and assistance with this article.