When the May 25 enforcement deadline for Europe’s General Data Protection Regulation (GDPR) rolls around, U.S. companies, organizations and institutions that target their products and services to people living in Europe will be on the hook to comply or potentially face steep fines.
GDPR is a set of strict rules that give European Union (EU) citizens control over their personally identifiable information (PII).
“If a third country processor like a U.S. government agency is not targeting the European market with goods and services, then they would not have to abide by GDPR,” said Dirk Hensel, a spokesman for Germany’s federal commissioner for Data Protection and Freedom of Information. “I don’t think we’ll see too many of these cases are relevant.”
For example, a resident of Germany may own property in Los Angeles County and pay the fee to access their records online through the county’s website. In this particular case, Los Angeles County is not “targeting” Germany’s residents or other European citizens to use the service. It just happens to have a website that can be accessed by German citizens and others throughout the globe, he noted.
However, if the state of Florida’s tourism department, for example, launches a promotional campaign to target residents living in Europe to come visit the Sunshine State, then any PII data collected on those German citizens by the state of Florida would likely fall under GDPR requirements, he explained.
One point Hensel noted, however, is that if the Florida tourism department relied on an advertising agency to run its promotional campaign and interact with Germany’s citizens, then it is the advertising agency that needs to abide by GDPR.
Anya Burgess, a spokeswoman with the United Kingdom’s Information Commissioner’s Office, told Government Technology that GDPR only applies if individuals who receive the product or service reside in Europe.
As a result, GDPR does not apply if a U.S. government agency collects PII data on a citizen of Europe who is visiting or living in the U.S. and uses that government agency’s services or products while in the U.S.
“If the processing is not going on in the EU to citizens in the EU, then it doesn’t apply,” Burgess said, noting, “U.S. government agencies provide their services in the U.S. and not the EU and would not be regulated by the GDPR.”
State and local government agencies are encouraged to contact EU data authorities if they have GDPR questions, Hensel advised.
Under GDPR, all companies, institutions, organizations and government agencies that process PII on individuals residing in the European Union must abide by these privacy regulations, regardless of where the entity is located.
Overall, the goal of GDPR is to provide European residents with transparency about how their PII data is used, improve their level of control over their own data and increase the safeguards used to protect that data.
GDPR requires entities to request PII data in clear, simple language and to accompany the consent form with an explanation of why the data is needed. And before a government agency or other entity can use the PII data, users would need to opt in with their consent and be able to withdraw that consent just as easily, according to the GDPR.
Although the impact on state and local governments is expected to be minimal, government agencies are still taking stock of where they potentially stand when it comes to complying with GDPR and safeguarding PII data of EU citizens.
The Washington state Office of Privacy and Data Protection (OPDP) held a staff meeting in March to discuss GDPR issues, according to Will Saunders, senior program manager for open data at Washington’s OPDP.
Alex Alben, Washington state chief privacy officer, led the discussion on how much risk Washington state faces under GDPR. One of the issues considered, for example, was the number of Europeans who receive services from the state and what potential risks that could pose to Washington state, Saunders recalled.
“The number of Europeans receiving state services is pretty minimal and the state is already taking efforts to keep its PII to a minimum,” said Saunders.
GDPR consultant Sheila FitzPatrick, founder of FitzPatrick & Associates, said state and local governments will not likely have a lot of PII data on European residents, compared to federal agencies.
“Governments tend to hold onto data, but under GDPR, in most circumstances, they won’t be able to do that,” she warned. “Federal, state and local governments are not exempt under GDPR.”