Does the GDPR Apply to American Organisations?

GDPR scope, applicability and key requirements

Does the EU GDPR (General Data Protection Regulation) apply in the US?

Yes, if your organisation offers goods or services to, or monitors the behaviour of, EU residents, irrespective of their citizenship.

Equally, the EU GDPR doesn’t apply to US residents or customers, even if they’re EU citizens.

The GDPR was introduced to, among other things, ensure a consistent approach to data protection across Europe. It also forces non-European organisations that do business in the EU to meet its high data protection standards.

So, can US companies ignore the GDPR? Not if you’re doing business in the EU.


Is the GDPR enforceable in the US?

The EU GDPR introduced significant maximum fines: up to the greater of €20 million (about $22 million) or 4% of global annual turnover.

But are US organisations receiving GDPR fines?

In a word: yes.

Various American companies have been fined under the GDPR, including a €91 million (about $97 million) fine to Meta, issued by the Irish Data Protection Commission in September 2024. This was a fine for infringements of multiple GDPR articles.


What countries are covered by the GDPR?

Although the primary scope is the EU, the GDPR can apply to American companies or sites. Indeed, it can apply to organisations based in any country around the world if they’re offering goods or services to, or monitoring the behaviour of, EU residents.

And if you are not processing the data of EU residents, it may still be worth complying with the GDPR.

As the Regulation is internationally acknowledged as the ‘gold standard’ when it comes to privacy legislation, many more laws like it have emerged since it took effect, including in the US.

Considering the EU GDPR’s scope, this shouldn’t be a surprise – the EU is a huge market and companies around the world want access.

It means that, if you’re meeting the GDPR requirements – if you’re GDPR compliant – you’ve met, or have the tools to meet, many other data privacy laws around the globe. This includes, of course, laws based on the EU GDPR, such as the UK GDPR, as well as state-level privacy laws.


Is there a GDPR equivalent in the US?

For the US version of the GDPR, many point to the CPRA (California Privacy Rights Act).

The US has also seen a proposed federal law: the APRA (American Privacy Rights Act). However, this is only a proposal – to date, the US lacks an enforced privacy law at federal level.

The US data privacy landscape is a complex and varied patchwork of laws.

That’s because data protection laws in the US are either sector-specific, such as HIPAA (Health Insurance Portability and Accountability Act), or state-specific, such as the CPRA.


Can you store data in the US under the GDPR?

One of the protections the EU GDPR offers personal data is that it may not be transferred outside the EU unless an appropriate safeguard is in place. This includes data transfers for storage purposes.

One such mechanism is the DPF (Data Privacy Framework). This allows US organisations that sign up to the programme to transfer PII (personally identifiable information) to the EU, the UK and Switzerland.

US organisations can also use SCCs (standard contractual clauses) or BCRs (binding corporate rules) for international transfers of personal data under the GDPR.


What are the key areas of the GDPR?

The six data processing principles are a good place to start. These lie at the heart of the GDPR:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality

In effect, these are telling you to look after the data belonging to natural, living persons. The principles demand that you think hard about:

  • What personal data do you collect?
  • For what purpose are you collecting it?
  • What lawful basis can you rely on to process data for that purpose?
  • Given that purpose, how long do you need to keep the data for? (Make this as short as possible.)
  • What processes or other measures are you putting in place to make sure the data remains accurate?
  • What appropriate technical and organisational measures are you implementing to keep the data you’re entrusted with safe?

This isn’t an exhaustive list, but it gives you a good sense of the types of questions to ask. These aren’t unreasonable demands.

In fact, they reflect good business practice – you shouldn’t be collecting, storing or processing data you don’t need. Doing so doesn’t just cost unnecessary time and money; it also exposes your organisation to significantly more risk of a data breach that damages your company financially and reputationally.

By limiting the data to what you need, you can operate more efficiently and cost-effectively as a business.


How do I comply with the GDPR?

To get more advice on how to comply with the data protection principles and other GDPR requirements subject to the maximum fines, download our free paper, The GDPR – Key Principles.

It covers:

  • The scope and applicability of the EU and UK GDPR.
  • The seven data processing principles and their practical implications.
  • The lawful bases for processing personal data.
  • Data subjects’ rights – and what they mean for your organisation.
  • International data transfers and adequacy decisions.
  • How to demonstrate compliance and build trust with customers and partners.

The post Does the GDPR Apply to American Organisations? appeared first on IT Governance Blog.
