GDPR Small Business Exemptions
The European Union’s General Data Protection Regulation (GDPR) becomes effective on May 25th. The GDPR regulates all personal data that is “processed” (i.e. data that is gathered, stored or used) from any “natural person” in the EU. The existing EU-US Privacy Shield only protects the flow of personal data in transatlantic data exchanges. So, any individual, business or organization that collects and processes the personal data of any person in the Union must comply with the GDPR with limited exceptions. This includes businesses located in the United States or anywhere else pursuant to the territorial scope under Article 3. The GDPR also states in the recitals that protection of personal data of natural persons should take place “whatever their nationality or residence”. So, the GDPR protects the data privacy rights of all persons in the EU. The previous EU data protection directive covered any organization/business processing personal data in the EU but did not protect every person in the EU when their data was processed by an organization outside the EU.
This post is the first in my GDPR compliance series that will attempt to answer some basic questions smaller U.S. businesses may have about the upcoming GDPR law and hopefully provide a compliance roadmap. This first post will attempt to answer the most basic question U.S. small businesses are asking ahead of May 25th: is my U.S. based small business regulated under the GDPR if it has minimal contacts/website visitors or sales to EU residents? The answer is that it depends.
First, let’s assume for the sake of this discussion that the U.S. company is not equipped to deal with VAT or other EU regulations. Clearly, with minimal EU contacts, U.S. based businesses will naturally feel inclined to avoid GDPR compliance if they can do so. But, any business online is accessible to EU citizens even when not directly targeting the EU market. Many U.S. businesses are starting to adopt GDPR compliance as a key supplier expectation by default and/or to avoid the risk of the EU’s regulatory reach. Most U.S. businesses don’t conduct targeted advertising anywhere in the EU market. Many online businesses conduct advertising through Google Adwords (search-driven ads) and these ads are set to run only in the U.S. and maybe Canada (or even Australia/New Zealand).
Despite the fact that a business does not target the EU market, occasionally someone from an EU country may visit a U.S. based website via organic search or somehow find corresponding ads (even though they don’t run there) and therefore would get tracked by Google Analytics at a minimum. They could also submit a contact-us form asking for some kind of information from the website/business. Naturally, many U.S. small businesses are wondering under these minimal circumstances whether the GDPR applies.
There is no blanket GDPR exemption for small businesses
The frequency, volume or type of data collected is irrelevant. Data collection includes customer, supplier, partner and employee personal data. Both the EU’s legislation and the Information Commissioner’s Office (the UK’s data watchdog responsible for enforcing the GDPR) have clarified that the new data protection measures apply to every business. The only blanket exemptions are those listed in Article 2. None are relevant to small businesses or website operators.
But, there may be an exemption for small businesses on a factual basis under Article 3
U.S. based businesses may actually be exempt based upon some interpretation of Article 3.2(a):
This Regulation applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or…
The GDPR states that its territorial scope includes the processing of personal data of someone in the EU by organizations outside “where the processing activities are related to the offering of goods or services” to that person. The phrase “the offering of goods or services” is subject to different interpretations.
Recital 23 (recitals are the ‘contextual’ paragraphs before the main articles) interprets “offering goods or services” as follows:
In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
Accordingly, the test is based on whether the organization or business “envisages” offering goods and services, not on whether it does in fact offer or supply, or simply obtain personal data. It is hard to envision, then, that a U.S. company offering goods and services to primarily U.S. (or even Canadian) citizens with very infrequent sales to EU customers would not be exempt under this interpretation.
What about businesses that don’t offer goods or services?
U.S. businesses might still become subject to the GDPR due to Article 3.2(b) which covers when processing activities are related to “the monitoring of their behaviour as far as their behaviour takes place within the Union.” This covers tracking and profiling individuals in the EU. Thus, U.S. businesses should avoid such activities regarding persons in the EU to be able to rely on the interpretation presented by Recital 23.
Doesn’t the GDPR exempt small businesses with fewer than 250 employees?
There appears to be a misconception that the GDPR does not apply, as a blanket statement, to businesses with fewer than 250 employees. The only true exception is for individuals using data for purely personal or household activities. But there is an important limitation. Article 30 requires people/businesses processing personal data to keep records of their processing activities and categories and to make those records available upon request. If your business employs fewer than 250 people, you do not have to create these records unless there could be a risk to the ‘rights and freedoms of data subjects’ (including trade secrets or intellectual property rights), the processing is not occasional, or your business processes any ‘special categories’ of data as referred to in Article 9(1) (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation) or personal data relating to criminal convictions and offences referred to in Article 10.
Most small U.S. businesses will be exempt from these extra record keeping duties if they only process personal data of EU residents occasionally. Businesses with more than 250 employees must keep more detailed records, including the name and details of the business, the data protection officer, why personal data is being processed, a description of the types of individual and categories of their personal data, as well as categories of recipients of this data, details of any foreign transfers of that data outside the EU including documentation proving that data will be safeguarded abroad, retention schedules, and a description of technical and security measures being used.
Keep in mind, under Article 7 where processing personal data is based on consent, website operators are still required to be able to demonstrate that the data subject has consented.
But, there is no exemption from responding to data subject access requests (SARs) by your EU users. In this sense, even though the more onerous Article 30 record-keeping requirements are not applicable to small businesses with fewer than 250 employees, the ability to respond to and meet SARs is itself a form of record-keeping compliance.
2 Other Common GDPR Compliance Questions
With a grasp on how the GDPR may apply to your U.S. small business, here are a few other basic compliance questions many U.S. based website operators are probably wondering:
Q-Is there a path that would allow our company to disclaim to our EU citizen site visitors that we are not GDPR compliant and that he or she must accept that risk or elect not to use our site or purchase our goods/services?
No, a foreign business cannot simply “disclaim” responsibility under the GDPR.
Q-Does GDPR specify how a business is to indicate or claim “compliance” to GDPR or to website visitors? Is it just a matter of self-declaring compliance based on our interpretation, or is there some objective “certification” or proof document required to back up such a claim for purposes of client review?
The GDPR does not specify how data collectors would indicate compliance via some symbol or certification, etc. Website operators don’t self-declare compliance to visitors, and no special compliance certification is mentioned. No compliance reporting is required unless an EU supervisory authority comes knocking on your door. Obligations are limited to ensuring that data collection and management, user consent, storage practices and data security are fully documented so that compliance can be demonstrated. The bottom line is that businesses must be in compliance in real time and be prepared to demonstrate such compliance to the appropriate EU authorities.
My next post will break down the primary GDPR requirements for individual and small business website operators.