GDPR and the rights of EU private citizens before U.S. courts
One question I often get from my U.S. clients on privacy-related matters – who often (erroneously, I must say) argue that EU courts would not have jurisdiction over them if they have no physical presence in the EU – is whether EU individuals can really bring a claim for breach of privacy against them before U.S. courts.
Most companies that process personal data on a global basis know that privacy not only has a very different meaning in the U.S. and the EU, but also that, consequently, U.S. and EU laws in the area are quite different. Despite several attempts to implement a European-style omnibus data protection law in the U.S., the way the EU has done with the EU Privacy Directive 95/46/CE of 1995, soon to be replaced by the GDPR on 25 May 2018, the U.S. has instead favored numerous sector- and threat-specific laws at the Federal and State level to address specific concerns narrowly and without too much collateral damage to freedom of information and technological progress.
Following the implementation of the U.S. Commerce Department’s now defunct Privacy Safe Harbor Program of 2000, since replaced by the EU-U.S. Privacy Shield Framework on July 12, 2016, the FTC can bring actions at the federal level against U.S. companies based on Section 5 of the FTC Act, which declares unlawful “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce”. In addition, many U.S. states have enacted similar unfair competition laws that can be enforced by State Attorneys General and private plaintiffs if a U.S. company commits to adhere to EU privacy principles and fails to live up to its promise. As a matter of fact, rights and remedies under these laws are neither expressly nor impliedly limited to U.S. residents, and U.S. courts generally assume jurisdiction over U.S. companies regardless of where plaintiffs may reside.
A tort claim can also be alleged, either as a privacy tort violation or as misrepresentation, where the defendant can be found to have concealed a material fact about its compliance with privacy laws, or to have made a misleading representation by failing to disclose a material fact.
In summary, EU residents with no physical presence in the U.S. do have many individual rights and remedies they can pursue before U.S. courts. Therefore, U.S. companies, whether or not they do have an actual physical presence in the EU, are not immune from a claim by an individual in the EU, in addition to claims by the FTC and other U.S. Federal agencies under Federal law, as well as by State Attorneys General under State law.
We remind the reader that, under the GDPR, U.S. companies acting as subcontractors to companies that are directly accountable to EU data protection authorities and EU individuals by virtue of their processing activities will also be liable under the law and may be subject to direct claims in connection with their sub-processing activities.
Last but not least, the GDPR includes significantly increased penalties for violations: fines as high as Euro 10M or 2% of annual worldwide revenue in the preceding year, or Euro 20M or 4% of annual worldwide revenue, depending on the type of violation.
Oh, and yes, the GDPR and the Privacy Shield are two very different things. Having self-certified under the EU-U.S. Privacy Shield (the successor to the defunct Safe Harbor some of you may have heard of) will not make you GDPR-compliant.
So Contact Us Now! Admitted as lawyers in both the EU and the U.S., and well versed in privacy laws on both sides of the Atlantic Ocean, we are ideally positioned to assist you in complying with the GDPR!