Do non-European companies have to comply with GDPR? Its extended territorial scope makes compliance a must for many companies
Awareness of the EU's privacy regulation is low outside the EU. Even within the EU, only 38% of companies said they were ready for the new rules; outside the EU the figure is much lower.
What many of these companies don't realise is that they are exposed to enforcement actions and fines if they do not comply. GDPR is framed around the data subject (an individual in the EU), not around where the company does business.
What is the GDPR?
First of all, some clarity:
- The General Data Protection Regulation (Regulation (EU) 2016/679), adopted in April 2016 and applied from 25 May 2018, replaces the 1995 Data Protection Directive with tighter rules and more enforcement teeth.
- Scope: under Article 3(2) the rules reach non-EU companies that process personal data of individuals in the EU, where the processing relates to offering them goods or services (paid or not) or to monitoring their behaviour within the EU. The focus is on the location of the data subject, not on where the company operates.
- The rules: GDPR sets out the lawful bases on which you may process personal data of someone in the EU; for most marketing and website tracking this comes down to the individual's permission and their control over their data. Where consent is the basis, it must be freely given, specific, informed and unambiguous, and you must be able to demonstrate that it was given (Article 7). Collecting data you did not intend to collect is not an acceptable excuse for non-compliance.
- The teeth: administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher (Article 83).
Privacy advocates around the world have hailed the new rules as a breakthrough in privacy — and some groups have already launched complaints and actions against companies such as Facebook and Google.
Most non-EU companies still must comply with GDPR
The General Data Protection Regulation (GDPR), in application since May 2018, does not regulate privacy only for EU companies. A company outside the EU can fall within it, and supervisory authorities have shown they intend to police it. Without question, if you have clients in the EU, offer them a service, or run a forum they use, you are subject to GDPR. If you do business in the EU without an establishment there, Article 27 requires you to designate a representative in the EU who acts on behalf of the controller or processor and may be addressed by supervisory authorities and data subjects (there is a narrow exception for occasional, low-risk processing).
But what if you don't actively pursue EU business? You can still be caught if you collect personal data on people in the EU, even unintentionally, because the rules are framed around the location of the data subject, not of the company. Mere accessibility of your website from the EU is not enough on its own (Recital 23), but tracking the behaviour of EU visitors, for example with analytics or advertising cookies, can be (Article 3(2)(b), Recital 24).
Location of the subject, not location of the company determines liability
It's easy to brush the issue aside with thoughts such as "we don't sell in the EU", "our customers are not in the EU" or even "they can't fine us because we are not in the EU". Article 3(2) is framed around the location of the data subject rather than the location of the company, controller or processor. In other words, if the web visitor or customer is in the EU and you are offering them something or monitoring their behaviour, you are in scope.
On the day the GDPR took effect, privacy groups filed complaints against large U.S. companies, notably Facebook and Google (over Android privacy), among others. Again, it's tempting to push this example aside with the argument, "Yes, but those are big social media companies that do have EU clients. We never sell to EU clients. We'll never be a target of enforcement."
However, the rules also cover the processors you use: agents, subcontractors and affiliates. If your product or service is available in the EU through third parties such as retailers, and your website serves those customers, you almost certainly must comply. If you use a call centre in Asia to contact people in the EU, you are accountable as the controller for what it does with their data.
Even if you don't sell a product or service, it still matters, because the intent is to prevent the capture of personal data of people in the EU without their permission and control.
Unintentional exposure makes no difference
Unintended contact with EU visitors can have repercussions, including significant fines. Does your website load in the EU? (It does unless you specifically block it.) Does it set tracking cookies? (It does if you run Google Analytics, advertising pixels or similar; strictly necessary session cookies, such as a login cookie, are treated differently.)
Article 3(2) applies to the processing of personal data of individuals "in the EU" whose behaviour is monitored. In other words, if you answered yes to both questions, does your site load in the EU and does it track visitors, you should assume you are in scope and act accordingly.
Will you be fined?
It's too early to know who will end up targeted for fines. The scope of enforcement hasn't been tested, and it's fairly certain larger companies will be targeted first, to set an example for the rest of us. Several actions have already been brought against large IT companies and others.
However, your exposure could be immediate if anyone who visited your website lodges a complaint with a supervisory authority (Article 77 gives every data subject that right).
No good business argument for ignoring the GDPR
There's no good business argument for ignoring the law. If your company is certain it has no business interest in the EU, one quick fix is to block access to your site from the EU. Websites can block by IP geolocation, and there are WordPress plugins designed to block EU visitors. In particular, make sure your online shop does not accept orders from the EU. Two caveats: geolocation is approximate, and a visitor on a VPN or a roaming mobile connection can appear to be elsewhere, so blocking reduces exposure rather than eliminating it; and blocking does nothing about personal data on EU individuals that you already hold.
Social media marketing is also questionable under the rules if you are not compliant. Information takes on a life of its own once it's on the internet: someone on social media can quote and link your blog posts or website even if it's blocked in the EU, so even the fix above may not be sufficient (though it likely would be, as it demonstrates an intention to stay out of scope). The stronger argument is that you promote on social media platforms, which act in effect as your agents; if the platform's handling of your campaign is not compliant, your choice of agents and media could theoretically make you liable.
If you are contemplating non-compliance for non-EU operations, consult your lawyers first. Even if the opinion is "80% you are fine", is it worth the risk when it's not that difficult to make your sites and marketing compliant?
Best practices — it doesn’t have to be expensive
There are ready-made tools that help with GDPR compliance on websites. They won't cover your online marketing campaigns, social media advertising or permission-based marketing (subscribed newsletters or email campaigns). Unsolicited online marketing (selling to purchased lists or groups without permission, cold email campaigns, untargeted social campaigns) is especially exposed, since these are exactly the activities the GDPR is designed to curb.
Here are some simple steps to help you comply:
- Add a cookie consent plugin (many are available) that asks the visitor before any non-essential cookies are set and, crucially, holds back analytics and advertising scripts until they opt in; a banner shown while the tags load anyway is not consent. If you aren't sure whether your site sets cookies, assume it does: WordPress, your web host and most plugins you might use collect data on visitors. Make sure the plugin also records opt-in and opt-out choices and lets visitors change them later.
- Comments on your website: if you allow comments, you need an opt-in (explicitly agreed) login so that EU visitors can later delete their own posts and personal information. Ideally, use a good GDPR plugin that adds the explicit permission question to registration and also lets them view and delete their data. This is mandatory: the right to erasure (Article 17) applies. Note that anonymous comments may not be sufficient, since most websites record the commenter's IP address, which is personal data. One quick fix: turn off comments on your posts and website.
- Contact forms: explicit permission and a way for the person to control their data matter here too. If an EU visitor submits a contact form with their email, chances are good you are collecting that information: for marketing lists, sales prospecting or quote requests. In particular, if your contact forms automatically feed your CRM, you are non-compliant unless you provide an easy way for them to have their information removed.
- Data protection officer: public authorities, and companies whose core activities involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data, must appoint a Data Protection Officer (Article 37). Even if the requirement doesn't apply to you, it's best to assign, train and empower someone to own the role.
- If you sell or do business in the EU without an establishment there, you will need a designated representative in the EU (Article 27). There are now companies in the EU that offer this service.
- Marketing campaigns: advertising, social, email and other online marketing must all comply. Don't add anyone to a list without their permission. Avoid social marketing campaigns, even ones run through a platform such as Facebook, unless your website is fully compliant and you understand the risks. People in the EU are more likely to complain about a social media or email campaign, which they find intrusive.
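The cookie-consent step above is where sites most often get it wrong: the banner appears, but the analytics tag is already in the page head and fires before anyone clicks. The following is an added example of a consent gate, written for this edit and not taken from the original page or any plugin. It assumes the storage key `consent_record`, the policy version string, the element ids and the placeholder script URLs, all of which are stand-ins. Non-essential tags are only described until a recorded choice permits them, the record carries a timestamp and policy version so the site can demonstrate consent (Article 7(1)) and re-ask when the policy changes, and withdrawal is one call (Article 7(3)).

```javascript
// Consent gate for non-essential scripts (added example, not from the original page).
// Assumptions (not from the page): consent lives in localStorage under "consent_record",
// POLICY_VERSION is maintained by the site, and tags are registered with a category.

const CONSENT_KEY = "consent_record";   // assumed storage key
const POLICY_VERSION = "2024-01";       // bump when the cookie policy changes

// Categories a visitor can opt in to. "necessary" is never gated: strictly
// necessary cookies (e.g. the login session) do not depend on consent.
const CATEGORIES = ["analytics", "marketing"];

// Reads the stored record; null if absent, malformed, or made under an older policy.
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (!rec || rec.version !== POLICY_VERSION || !Array.isArray(rec.granted)) return null;
  return rec;
}

// Records an explicit choice. Version and timestamp give the controller a
// demonstrable record; "granted: []" is a recorded refusal, not a missing answer.
function recordConsent(storage, granted, now = Date.now()) {
  const cleaned = granted.filter((c) => CATEGORIES.includes(c));
  const rec = { version: POLICY_VERSION, granted: cleaned, at: new Date(now).toISOString() };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Withdrawal must be as easy as giving consent: one call, same key.
function withdrawConsent(storage, now = Date.now()) {
  return recordConsent(storage, [], now);
}

function isAllowed(storage, category) {
  if (category === "necessary") return true;
  const rec = readConsent(storage);
  return rec !== null && rec.granted.includes(category);
}

// Tag registry: scripts are described here, not injected, until consent permits it.
const pendingTags = [];
function registerTag(category, src) {
  pendingTags.push({ category, src, loaded: false });
}

// Injects (via the supplied loader) every registered tag whose category is allowed.
// Returns the sources actually loaded so the gate can be verified.
function loadAllowedTags(storage, loader) {
  const loaded = [];
  for (const tag of pendingTags) {
    if (!tag.loaded && isAllowed(storage, tag.category)) {
      loader(tag.src);
      tag.loaded = true;
      loaded.push(tag.src);
    }
  }
  return loaded;
}

// The banner is needed whenever there is no valid record for the current policy.
function needsBanner(storage) {
  return readConsent(storage) === null;
}

// In-memory stand-in for localStorage so the module also runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// Browser wiring (assumed element ids and placeholder URLs); skipped outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const domLoader = (src) => {
    const s = document.createElement("script"); s.src = src; s.async = true;
    document.head.appendChild(s);
  };
  registerTag("analytics", "https://analytics.example/tag.js");
  registerTag("marketing", "https://ads.example/pixel.js");
  const storage = window.localStorage;
  if (!needsBanner(storage)) loadAllowedTags(storage, domLoader);
  document.getElementById("accept-analytics")?.addEventListener("click", () => {
    recordConsent(storage, ["analytics"]);
    loadAllowedTags(storage, domLoader);
  });
  document.getElementById("reject-all")?.addEventListener("click", () => withdrawConsent(storage));
}
```

The point to check in any plugin you adopt is the same one this code makes explicit: no `<script>` for analytics or advertising should exist in the page until `isAllowed` returns true, and a refusal should be stored as a record in its own right so the banner is not shown again on every page load.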
Make sure your subcontractors, agents and agencies are knowledgeable
Since the rules apply to the processors you use (agents, agencies, contractors and subcontractors) and require a written contract with each of them (Article 28), it's critical to choose your suppliers carefully. Are their practices compliant?
Call centres that dial from lists without opt-in are an obvious target, and EU authorities have signalled their willingness to pursue even call centres in Asia, India, Russia and elsewhere.
The same logic applies to every other kind of marketing where there is no recorded permission or other lawful basis: your company newsletter list, your email blasts with specials to past customers, even where you think you have permission. If you cannot prove their permission, you may have an issue.
Making your website compliant is fairly straightforward and should be considered the mandatory minimum. Your marketing and advertising campaigns will be more complicated. If you reach EU prospects, even unintentionally, you are exposed to enforcement action.
Your agency and the media that carry your message are processors with obligations of their own, but the controller initiating the campaign carries the primary responsibility. For that reason, make sure your agencies understand the rules and give you written assurance of compliance.
Can GDPR be enforced outside EU?
Almost certainly. Each EU member state's supervisory authority (for example the ICO in the UK or CNIL in France) has the teeth it needs under Article 58: it can open an investigation, which you may have to respond to, order you to bring processing into line or stop it, suspend data flows, and impose fines. Collecting a fine from a company with no EU presence depends on the courts of your home country, but an EU representative (against whom proceedings can be brought, Recital 80), EU customers, EU payment processors or EU hosting all give an authority something to reach. Corrective measures range from warnings and orders to comply, through temporary or definitive bans on processing, to fines.
If you have questions about this article or the GDPR, please use our contact form (and give your permission as the GDPR requires).