By: James Duffy

The European Union’s General Data Protection Regulation (GDPR), approved in April 2016, was created to harmonize the numerous data protection plans across Europe and expand consumer protections.[1]  The GDPR redefines how data will be handled by expanding the definition of personal information from “information about any identified or identifiable natural person” to include any information about an individual’s “physical, physiological, genetic, mental, economic, cultural, or social identity.”[2]  Since the GDPR does not take effect until 2018, multinational businesses must use this year to bring their existing data policies in line with the regulation.

The E.U. wants to use the GDPR to give its citizens more control over how their personal information is used, maintained, and collected by companies both inside and outside its borders.  Additionally, by standardizing the plans companies must offer, the GDPR creates a fair playing field for companies collecting and managing peoples’ data.  However, the E.U.’s attempts at transparency and a level playing field come at the cost of a massive expansion of their claimed authority because it claims the GDPR applies to any company, anywhere, that handles the data of a European citizen.  The GDPR also has provisions that actively conflict with aspects of U.S. law, raising the issue that U.S. companies operating in Europe must balance conflicting laws and the stiff penalties violating the GDPR will place on them.

The GDPR bestows additional rights on data users and requirements on the companies who seek to use or store personal data who seek to use or store personal data. First, data subjects have the rights of portability and erasure.[3]  Second, the GDPR requires any company who suffers a security breach on their stored data to forward alerts to any users whose personal data was breached within 72 hours.[4]  Third, the companies must have “freely given, specific, informed, and unambiguous” consent to collect personal data.[5]

Under the GDPR, consumers may invoke the rights of portability and erasure at will.[6]  Companies that receive these requests must forward them to any companies they passed replicated personal data to.[7]  Companies are also required to erase all EU data they have collected after the specific reason for the data collection is completed.[8]   These rights radically expand transparency requirements and user access to their personal data.

The GDPR includes a radical claim of jurisdiction over all businesses that process European data regardless of where those companies are based or operate.[9]  This claim means that the GDPR’s rules and fines for violations could extend to businesses in the United States that handle European data but are not based or incorporated within the E.U.[10]  The GDPR provides for fines up to four percent of the violating companies global annual turnover, which could extend up to billions of euros for larger companies.[11]  U.S. businesses face a host of problems under the GDPR that need to be addressed before the GDPR comes into force in 2018.  The most pressing of these issues are the expanded definition of personal data, the requirement of explicit consent to collect information from a minor online, the GDPR’s expansive jurisdiction, and the difficulty to move data from countries within Europe to countries outside of Europe.[12]

The expansion of the personal data definitions under the GDPR is one of these ambiguous areas.  Prior to the GDPR, personal data had to be clearly related to an identifiable or identified person.[13]  However, the newly expanded definition raise the possibility that cookies, IP addresses, and anything having to do with the person’s identity can qualify as personal information.[14]  Moreover, the new definition of consent raises the question of how specific consent can be in an online setting.  The new parental consent requirements will ensure businesses have a harder time offering online services to minors because, under the GDPR, minors under 16 years old could be banned from Facebook, Instagram, Snapchat, and other social media platforms without explicit parental permission.[15]

Finally, the requirement to dispose of EU data directly conflicts with the concepts of a legal hold.[16]  Unlike the U.S., the concept of a legal hold has virtually no place in the E.U. legal system.[17]  Because a legal hold can be triggered at the moment a company anticipates a suit, as well as when given a court order, the GDPR is unlikely to grant a reprieve from sanctions.[18]  Additionally, it is possible that an employee in Europe, with no concept of a legal hold, will just start erasing data.  This then places the company in trouble with both the U.S. and E.U. legal systems.

The GDPR means to allow European users vast control over their own personal data, and instill greater transparency within companies holding or using that data.  While it certainly grants European citizens greater control over their data, the GDPR enforces its provisions through punitive fines and intrusive claims of authority over businesses based in foreign countries.  The GDPR forces companies operating in Europe, in any capacity, to grant greater protections and priority to data coming from Europe; companies may choose to let their protections elsewhere slip to ensure that they comply with the GDPR and won’t have to deal with huge fines from Europe.

However, the first real challenge the GDPR will face is how foreign courts choose to address its jurisdictional claims.  For example, a country’s judicial system may have to decide if it accepts and will enforce the GDPR’s rulings against that country’s national businesses despite that company having only limited contact with European data or consumers.  Until the GDPR is fully implemented in 2018, its actual enforceability will be in doubt.  Only time will tell of just how extensive and widespread the institutional, and international law, repercussions resulting from the GDPR will be.

[1] See Kevin Townsend, New EU General Data Protection Regulation Affects Multinational Companies, security week (Apr. 15, 2016),

[2] See Umair Javed, EU Finalizes General Data Protection Regulation: Implications for U.S. Businesses, wiley rein LLP (Jan. 2016),

[3] See id. (noting that the right to portability allows users to transfer all their personal data from one company to another upon request, and the right to erasure allows users erase their personal information upon request).

[4] Id. (detailing that notification is required in the event of any breach of personal data, not only, per U.S. law, data that could be used for fraud or identify theft).

[5] Id. (explaining that “[Q]uestions remain about the feasibility of the GDPR’s emphasis on clear, explicit consent in a regulatory environment where a broad range of data can be considered personal data, including potentially cookies, IP addresses, and the like.”).

[6] Id. (noting that the GDPR allows E.U. citizens to invoke the rights of portability and erasure at their own discretion, and instructs companies to accept these requests).

[7] Id. (explaining that if a data controller, who has received a request from an E.U. citizen for either portability or erasure, has replicated a citizen’s personal data with another entity, then that controller must forward the citizen’s request to this entity).

[8] See Ricci Dipshan, The Storm on the Horizon: 4 Things to Know in Prepping for General Data Protection Regulation, LAW.COM (Feb. 6, 2017), (detailing that the GDPR makes it illegal to hold any European citizens’ personal data for any period past when the purpose for which the data was collected finishes).

[9] Id. (explaining that the GDPR provisions apply to EU citizen data that any entity, located anywhere in the world, is processing and, under the GDPR, this citizen data could be nearly all data storage or handling processes).

[10] Kevin Townsend, supra note 1 (noting that a company with a server in America, using a website that accepts European data, is exporting European data under the GDPR definition.  However, it is unlikely the GDPR will be enforced against a company without a physical presence in Europe).

[11] Id. (noting that this is a massive increase over previous maximum fines of Ł500,000, which larger companies like Google and Facebook could easily pay).

[12] Umair Javed, supra note 2 (Explaining that the expanded definition of personal data ensures that U.S. companies must use more resources to establish which data falls under the GDPR protections, the requirements of explicit consent for minors using social media may make it more difficult for companies to offer them online services, the expansive jurisdiction claimed by the GDPR makes it difficult for U.S. companies to comply with both U.S. and E.U. law without suffering punitive fines from the GDPR, and expanded personal data protections makes it more difficult for multinational companies to transfer data outside the E.U.).

[13] Id. (“Under the old Directive, “personal data” is information about any “identified or identifiable natural person.”).

[14] Id. (explaining that the vast jurisdiction claimed by the GDPR raises the possibility that U.S.-based businesses possessing European data without a physical presence in Europe could be fined, or that U.S. businesses operating in the E.U. could be fined for maintaining IP addresses or cookies for a lawsuit taking place in the U.S.).

[15] Id. (explaining that the GDPR’s unambiguous consent requirement ensures that without explicit parental permission to an online company, minors cannot use internet sites or applications that gather any form of personal data from them).

[16] Chapter 4: Legal Hold, exterro (2017), (defining a legal hold as “[A] notification sent from the legal team to employees instructing them not to delete electronically stored information (ESI) or paper documents that may be relevant to a new or imminent legal matter.”).

[17] Compare Id. (explaining that a legal hold requires parties to a suit to store and turn over relevant ESI to the opposing party), with Al Lindsay, U.S. Litigators Hit Brick Wall With European Discovery, if insurance (Nov. 3, 2014), (explaining that the European focus on individual privacy rights ensures that European authorities are more likely to view holding data past its immediate utility as violating that right to privacy, or will only provide relevant ESI if all names attached to the ESI are removed).

[18] Ricci Dipshan, supra note 6 (explaining that while European courts may grant a reprieve from GDPR regulations if the parties received a court order or were subject to a U.S. regulation, it is unlikely these courts would allow a deviation from the GDPR based on a party merely anticipating a suit that may never come).

Share this post