Are you an American company? Does your online activity lead you to sell goods or services in the European Union? If your answer is ‘yes’ to both these questions, you are affected by new European regulations that come into force on May 25. Known as the GDPR, they apply to the European Union, but your company will have to abide by them if you want to continue to sell your goods or services legally in any of the 28 member states of the European Union.
Starting from this date, data protection regulations will be the same all over the EU (apart from a few small details). As a reminder, this means that data protection laws will be universal in the following countries: Germany, Austria, Belgium, Bulgaria, Cyprus, Croatia, Denmark, Spain, Estonia, Finland, France, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Czech Republic, Romania, United Kingdom, Slovakia, Slovenia, Sweden.
A common misconception is that, if a business is based on American soil, the only laws it needs to obey are those of the USA. Until now, this was merely a legal error with varying consequences. But with these new European regulations, this mistake could turn into a financial catastrophe.
The European Union envisages that any company found violating the GDPR, whether based on EU soil or otherwise, may incur a financial penalty of up to 4% of its annual turnover or a fine of 20 million euros (whichever amount is higher). And that is just the general administrative sanction, which may be accompanied by individual action from the parties concerned (especially through class action).
So, it is worth taking a moment to think about solutions that can avoid this kind of inconvenience.
Of course, our aim here is not to send business owners into a panic. We just want to open the eyes of American companies that do business with customers in the EU, as this information may not be easily accessible for some of them.
Let’s look at a more familiar example: the EU applies the concept of extraterritoriality to data protection, just like the USA does to taxes. All US nationals and green card holders are subject to American tax rules, wherever in the world they may live, under the Foreign Account Tax Compliance Act (FATCA).
The principle is similar (even though the reasoning is different) for data protection in the European Union: every individual, whatever their nationality, is protected by European law as soon as their data is collected by a company, based in any country, as a result of its presence or activity in an EU country.
In both cases, the idea is to cut loose from the issue of borders, which no longer constitute a protective barrier: any failure to comply could lead to sanctions amounting to a near-ban on trading with the EU, as demonstrated by the reciprocal sanctions countries impose on one another in sensitive commercial sectors. The EU has decided to make data protection a sensitive economic activity. This is a formidable text that expresses the common desire of the 28 member states.
So, anyone who violates this legislation may face heavy sanctions.
The best way to avoid this pitfall? Put simply, you need your customers’ consent before processing their data. But you can’t do this in any way you want. The GDPR includes a number of legal conditions that center around this consent. This is why Axeptio has developed a solution in collaboration with a specialist lawyer: to help companies, particularly in the USA, comply with these conditions.
Consent is a key concept of the GDPR. By making an effort to support this idea, you can continue to sell in the EU with total peace of mind.
The infographic below explains the logistics of implementing this European legislation in your business and which measures to take to avoid getting into trouble. For example, you can choose the Axeptio solution, which, by offering a simple, personalized way to collect your users’ data processing consent in accordance with the GDPR, helps you to avoid the main sanctions for non-compliance.