How the EU’s New Privacy Law Affects You

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the European Union’s (EU) new privacy law set to go into effect on May 25, 2018. For the EU’s single market countries, the GDPR establishes protection for the privacy and security of an individuals’ personal data. However, because of extraterritorial jurisdiction, United States (US) organizations accessing and using EU citizen information could be subjected to the GDPR.

Controller vs. Processor

The GDPR has direct extraterritorial reach of a “controller” or “processor” organization located outside the European Union if the organization offers goods or services, even for free, to individuals in the EU. As defined by the GDPR, a “controller” is an organization that determines the purpose and means of processing information. A “processor” organization processes personal data on behalf of the controller under the controller’s instruction. For example, a bank (controller) collects the data of its clients when they open an account, but it is another organization (processor) that stores, digitizes, and catalogs all the information produced by the bank.

GDPR Website Regulations

An organization using a website to offer goods and services to EU individuals also falls under GDPR regulations. These websites can be identified by their use of language, the ability to order goods and services in the currency of one or more EU member states, and the acknowledgment of consumers who live in the EU. Therefore, an English-language website marketed to US consumers or US business-to-business transactions in terms of American dollars only would not be subjected to the GDPR.

A website can circumvent the GDPR by avoiding the collection of “identifiable” personal information of EU citizens. Identifiable information is information that can be used to identify any individual, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or two one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. Therefore, a website needs to have access to more than an individual’s email address. Websites often collect identifiable information through the use of cookies and/or sign-up forms. If an organization’s website uses cookies to collect information from an EU citizen, even if the organization is not doing anything with the information, the organization will be subject to the GDPR.

There are still many questions on how the EU will enforce actions against US organizations that do not follow the GDPR requirements, but it is important that you review by May 25th all aspects of your organization’s physical and digital data processing if you are accessing EU citizen information.

Scott Chase | Farrow-Gillespie & Heath LLP | Health LawAuthor Scott Chase is a health law and corporate attorney at Farrow-Gillespie & Heath.  Scott has been named to the lists of Best Lawyers in America, Texas Super Lawyers, and Best Lawyers in Dallas in every year for more than a decade.


Tahlia Grassie | Farrow-Gillespie & Heath LLP | Dallas, TXCo-author Tahlia Clement is an intern at Farrow-Gillespie & Heath LLP.  A second-year law student, she currently serves as Editor in Chief of the SMU Dedman School of Law’s Science and Technology Law Review.