On Jan. 21, the French Data Protection Authority (CNIL) imposed a fine of $57 million on Google, Inc. for violations of the General Data Protection Regulation (GDPR), which was enacted on May 25, 2018. Examples of other fines imposed by member states in the European Union (EU) range from $5,500.00 in Austria to more than $450,000.00 in Portugal. With maximum allowable GDPR fines reaching up to $20 million or 4% of a violating party’s worldwide revenue, business decision makers are taking note.

What Does This Mean for US Businesses?

Could a European regulator reach a U.S. business under the purview of the GDPR, possibly imposing hefty fines? To date, there are still more questions than answers. The GDPR is drafted in generalized, vague language, and its provisions can be supplemented by local law in each member state. Since enforcement and fine setting are also done at the member state level, jurisdictional inconsistencies are inevitable. At this early stage of GDPR enforcement, even leading compliance advisers are reduced to some level of guesswork in providing guidance to those regulated by the GDPR. However, for U.S. businesses some useful guidelines are emerging.

Territorial Scope of the GDPR