US companies may need to provide GDPR rights to all, not just EU citizens
With GDPR implementation just over a week away, a report from US law firm Attorney.IO suggests that rights under the legislation may be available to others besides EU citizens.
Based on the answers 129 law professors gave to questions on the GDPR, it points out that GDPR doesn't just apply to citizens of an EU country. It applies to anyone who at any time set foot in an EU country and transmitted their data to a covered internet company.
So, for example, a US tourist who visits Germany for one day and returns to the US has rights under the law if that person used, say, Facebook while on the trip.
More controversial is that it could be illegal 'national origin discrimination' under US law to give GDPR rights to immigrants from the EU and not to everyone else. The Civil Rights Act of 1964 outlaws discrimination on the basis of race, color, religion, sex, or national origin. It applies in several contexts such as employment and in 'any place of public accommodation.' Few if any internet companies have triggered lawsuits under this public accommodation clause. It has, up to now, been very rare for such organizations to discriminate on such bases.
However, the Americans with Disabilities Act (ADA) includes very similar language. And here there have been high profile cases alleging internet organizations have discriminated against disabled persons by making inaccessible websites and services. If they want to avoid being seen as discriminating against their customers therefore, businesses may need to apply GDPR rules to everyone.
"Silicon Valley is seriously underestimating the GDPR," says Alex Stern, CEO of Attorney.io. "I've been studying it for years, starting while I was earning my Doctor of Law degree at UC Berkeley. Many wrongly assume they don't need to provide GDPR rights to most US persons."
The report recommends that businesses take a conservative attitude to GDPR as fines of up to four percent of worldwide turnover could bankrupt companies that have high turnover relative to profit. Four percent of Amazon's turnover for example would represent over two years of the company's profit.
You can find out more about the report and what companies need to consider in the light of GDPR on the Attorney.io blog.