IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Will GDPR Rules Impact States and Localities?

The European Union's General Data Protection Regulation (GDPR) May 25 enforcement deadline is fast approaching, but state and local governments shouldn't worry, say experts.

When the May 25 enforcement deadline for Europe’s General Data Protection Regulation (GDPR) rolls around, U.S. companies, organizations and institutions that target their products and services to people living in Europe will be on the hook to comply or potentially face steep fines.

GDPR is a set of strict rules that give European Union (EU) citizens control over their personally identifiable information (PII).

The rules have instilled fear in a number of these entities, which may face fines of up to 4 percent of their annual global revenue or 20 million euros, whichever is greater, should they fail GDPR compliance. But what about state and local governments?

Regulators explain GDPR's impact on government

“If a third country processor like a U.S. government agency is not targeting the European market with goods and services, then they would not have to abide by GDPR,” said Dirk Hensel, a spokesman for Germany’s federal commissioner for Data Protection and Freedom of Information. “I don’t think we’ll see too many of these cases are relevant.”

For example, a resident in Germany may own property in Los Angeles County and pay the fee to access their records online through the county’s website. In this particular case, Los Angeles County is not “targeting” Germany’s residents or other European citizens to use the service. It just happens to have a website that can be accessed by German citizens and others throughout the globe, he noted.

However, if the state of Florida’s tourism department, for example, launches a promotional campaign to target residents living in Europe to come visit the Sunshine State, then any PII data collected on those German citizens by the state of Florida would likely fall under GDPR requirements, he explained.

One point Hensel noted, however, is if the Florida tourism department relied on an advertising agency to run its promotional campaign and interact with Germany’s citizens, then it is the advertising agency that needs to abide by GDPR.

Anya Burgess, a spokeswoman with the United Kingdom’s Information Commissioner’s Office, told Government Technology that GDPR only applies if individuals who receive the product or service reside in Europe. 

As a result, GDPR does not apply if a U.S. government agency collects PII data on a citizen of Europe who is visiting or living in the U.S. and uses that government agency’s services or products while in the U.S.

“If the processing is not going on in the EU to citizens in the EU, then it doesn’t apply,” Burgess said, noting, “U.S. government agencies provide their services in the U.S. and not the EU and would not be regulated by the GDPR.”

State and local government agencies are encouraged to contact EU data authorities if they have GDPR questions, Hensel advised.

GDPR defined

Under GDPR, all companies, institutions, organizations and government agencies that process PII on individuals residing in the European Union must abide by these privacy regulations, regardless of where the entity is located.

Overall, the goal of GDPR is to provide European residents with transparency of how their PII data is used, improve the level of control over their own data and increase the safeguards used to protect that data.

GDPR requires entities to request PII data in clear, simple language and attach the consent form to the information on why the data is needed. And before a government agency or other entities can use the PII data, users would need to opt in with their consent and be able to withdraw that consent just as easily, according to the GDPR. 

Holding EU citizen data not an option

Although the impact on state and local governments is expected to be minimal, government agencies are still taking stock of where they potentially stand when it comes to complying with GDPR and safeguarding PII data of EU citizens. 

The Washington state Office of Privacy and Data Protection (OPDP) held a staff meeting in March to discuss GDPR issues, according to Will Saunders, senior program manager for open data at Washington’s OPDP.

Alex Alben, Washington state chief privacy officer, led the discussion on how much risk Washington state faces under GDPR and one of the issues considered, for example, is the number of Europeans who receive services from the state and what potential risks that could mean to Washington state, Saunders recalled.

“The number of Europeans receiving state services is pretty minimal and the state is already taking efforts to keep its PII to a minimum,” said Saunders.

GDPR consultant Sheila FitzPatrick, founder of FitzPatrick & Associates, said state and local governments will not likely have a lot of PII data on European residents, compared to federal agencies.

“Governments tend to hold onto data, but under GDPR, in most circumstances, they won’t be able to do that,” she warned. “Federal, state and local governments are not exempt under GDPR.”