August 16, 2017

August 16, 2017

Subscribe to Latest Legal News and Analysis

August 15, 2017

Subscribe to Latest Legal News and Analysis

August 14, 2017

Subscribe to Latest Legal News and Analysis

General Data Protection Regulation: Looking to the Future of EU Data Privacy

As the New Year approaches, it is a good time for companies of all sizes to review their data privacy and cybersecurity strategies. Are you meeting your requirements? Do you have the right partners? Are you preparing for the future?

That last question is especially important this year for companies that interact with European Union citizens. As of May 25, 2018, organizations that collect, process, or transfer EU personal data will have to be in compliance with the new General Data Protection Regulation (GDPR), which will replace the EU’s current comprehensive data regulation, Directive 95/46EC (Directive). Although the GDPR is similar in many respects to the Directive, there are several key differences that companies should understand.

Extraterritorial Reach?

The text of the GDPR makes it clear that the EU intends it to have greater extraterritorial effect than the Directive, which, if enforceable, could alter data privacy practices around the globe. It also could subject many more U.S.-based companies to EU privacy law.

Under the Directive, the vast majority of privacy regulations applied directly only to entities established in the EU or that used equipment in the EU. Under the GDPR, key regulations would apply to any business, regardless of which region of the world it calls home, that offer goods or services (even for free) to individuals in the EU or that monitors individuals located in the EU.

To put that in real-world terms, that means a company with a US-hosted website that offers free services worldwide and collects personal information will potentially be subject to the GDPR. Companies in the IT, marketing, and SaaS spaces especially should evaluate in advance whether they might be subject to the new law.


Another key difference between the Directive and the GDPR is the substantial penalties expected to be imposed for non-compliance with the GDPR. Most notably, the GDPR authorizes supervisory authorities to levy fines of up to 4 percent of an organization’s annual worldwide turnover or 20 million Euros, whichever is higher. The possibility of such a massive financial penalty makes it clear that, as of 2018, a company will only be able to ignore EU privacy law at great risk.

Other Differences

There are several other important, but less dramatic, differences in the regulations. The GDPR:

  • Establishes a new right of data portability, which allows data subjects to receive personal data they provided to a data controller;

  • Codifies a 2014 European Court of Justice ruling recognizing the right to be forgotten, which allows individuals to request the erasure of personal data;

  • Requires organizations that process large quantities of EU sensitive information to employ a data protection officer;

  • Requires notice of data breaches to regulators within 72 hours of the breach, where feasible, and to consumers “without undue delay;” and

  • Establishes 16 as the default age of consent for child data processing.

What Next?

Organizations should immediately take inventory of their data practices to determine whether they might be subject to the GDPR. This even applies to businesses that are not currently subject to the Directive.

Although May 2018 seems far away, the comprehensive nature of the GDPR may require significant changes to an organization’s collection, use and processing of data, and such changes may require a great deal of time to finalize and implement. Any company that discovers they collect or transfer EU residents’ personal data in the course of their business should immediately consult with legal counsel to evaluate the steps necessary to ensure compliance with the GDPR.

© 2017 Dinsmore & Shohl LLP. All rights reserved.


About this Author

Kurt R. Hunt, Dinsmore Shohl, Regulatory Compliance Attorney, Corporate Transactions Lawyer, Ohio,

Kurt focuses his practice on telecommunications and public utilities law, advising clients on general corporate and administrative issues, regulatory compliance, transactions, privacy obligations, and intellectual property matters. He is also an experienced litigator, and routinely represents clients in state and federal courts, as well as before administrative agencies and public utility commissions.

Knowing that public utilities operate inside a highly-regulated and specialized environment, Kurt is adept at tailoring his approach to fit each...

(513) 977-8101
Leanthony Edwards, Dinsmore Law Firm, Intellectual Property Attorney

Leanthony is a member of our Intellectual Property Department, where he focuses on trademarks, technology transactions/licensing and privacy. His experience includes assisting clients with social media, trademarks and contract matters dealing with technology.

He has knowledge and experience in the area of privacy law and obtained Certified Information Privacy Professional U.S. certification through the International Association of Privacy Professionals.

Leanthony earned his J.D. from the University of Cincinnati College of Law and his B.A. in Political Science from California State University San Bernardino. His prior work experience includes interning for State Assemblyman Mike Morrel’s office in California.