US businesses and GDPR
Privacy is a big issue for Europeans, and their concerns are expressed in the forthcoming General Data Protection Regulation (GDPR). The GDPR should be adopted by the middle of 2016, and enforcement is scheduled to begin two years later -- by Spring 2018.

Under the old Data Protection Directive, US businesses without a European presence could collect data about European residents, because the Directive was limited to businesses with a European presence. The new GDPR is not so limited. It specifically covers data controllers (entities that "determine the purposes, conditions and means of the processing of personal data", see GDPR Article 4(5) at page 41) based outside of the EU that (1) offer goods or services to EU residents or (2) monitor the behavior of EU residents. See GDPR Article 3(2) at page 41.

What does this mean? It means that US businesses that collect information about EU residents need to start considering how to comply with the terms of the GDPR. Among the options are: (1) compliance with the Privacy Shield, (2) binding corporate rules, and (3) standard contractual clauses.