TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

DPO Confessional | Explaining the GDPR to an American Related reading: The IAPP DPO: Countdown to May 2018


Law students at American law schools take property, torts, and contracts during their first year. It is difficult not to view consumer privacy interests through one or more of those lenses, particularly when U.S. consumer privacy law has been based on a notice and consent, enforced by principles of fairness and non-deception reflected in the Federal Trade Commission Act and state consumer protection laws. For the most part, being explicit in a privacy statement about how consumer data is used, shared, and kept secure, and then living up to those promises while not acting in a way that would surprise or be unfair to a consumer, sums up the basics of U.S. consumer privacy law (nuance notwithstanding).

Given the broad jurisdictional scope of the EU General Data Protection Regulation, many U.S. attorneys are now struggling to interpret and counsel their employers and clients in how to comply with the law. Indeed, the Regulation’s complexity has been cited by nearly one in four U.S. organizations as the biggest compliance barrier by the May 25, 2018 GDPR enforcement deadline.

One other reason complying with EU data protection law is difficult, from my perspective as the IAPP’s data protection officer and a U.S.-trained attorney, is that the notion of data protection from the consumer’s point of view does not fit neatly into property, contract, or tort law principles. Instead, the GDPR paradigm reflects consumer rights and freedoms, bundles of interests that the consumer owns when they arrive to purchase a company’s goods and services and that may not easily be negotiated away.

While working to prepare an updated internal privacy policy for the IAPP, then, I did what Eduardo Ustaran suggested in an early 2018 tweet about how to start off the new year: “Read the GDPR. Read it again (Recitals and all).” As I read, I kept notes of key provisions that — more than others — seemed to me to reflect the foundational elements of the GDPR. What follows here is my “letter to the staff,” which is an attempt to translate parts of the GDPR to an American audience who will need to understand the Regulation to do their jobs.

Perhaps you will find this useful as you go about trying to explain the GDPR to your own staffs in the United States and around the world. 

The nature of personal data

First, we need to get used to the term “personal data” instead of “PII” (personally identifiable information). Personal data is much broader than PII — it applies to anything that can be used to identify a person, including things that wouldn’t be PII such as an email address or even an IP address associated with a mobile device.

Next, it’s important to flip the view you might have of personal data the company collects as belonging to the company. Instead think of it as belonging to the person it identifies. You may then be ready to try to grasp a core value of the GDPR: “Natural persons should have control over their own personal data.”

This reflects a key public policy that data belongs to the person it identifies, and that the person has a right to control how it is processed. This means when customers share their data with us it is not ours, but rather theirs, at least as the European Union sees it and as reflected in the GDPR.

We can use that data to serve our customers and fulfill our business mission, of course, and by choosing to do business with us they are often giving us implicit permission to use it for legitimate business reasons. But there will be times when we must get the customer’s prior permission before we use their data, and this will mean more than just referring them to our privacy statement — we will need to get them to clearly express their interest in having us use their data in certain ways that we might tend to think should be entirely up to us, not them.

Restricted license

The customer is, you might say, giving us a license to use their personal data. This license is limited by some key things in the GDPR. For one, the person who provides their data may ask to see it at any time, may correct it if there are mistakes in our records, may ask us to stop using it, and may even ask us to erase it under certain circumstances. They can take our license away.

The license is ongoing because we do not know when we gather it when our relationship with the customer will end, or when we will otherwise no longer have a legitimate reason to keep the data. But it is not infinite. The GDPR expects us to stop processing the data and no longer retain it when we have fulfilled the person’s needs and we have no other legal obligation or other legitimate basis to keep it.

Furthermore, our permission to use our customers’ data is conditioned upon our using it lawfully, sometimes referred to in the GDPR as “legitimately.” This doesn’t mean that our business is legal and above-board; that is already presumed. It means that we are using the data to fulfill the consumer’s request for goods or services in a way that they would expect us to use it that wouldn’t surprise them or make them uncomfortable and is consistent with our privacy promises. It also means we have a good reason to use the data we collect from people, one we’ve established before we gather it for processing and that we’ve explained to the customers when they hand their data to us.

When we gather data from people, we are promising them that we’ll be careful with it, keep it secure, and only allow authorized people within the company to have access to it. One way to help protect our customers’ privacy is to use encryption whenever possible to protect access to their information by those who aren’t authorized to see it. We also need to be careful whenever we communicate by email that we aren’t sharing their data by accident with people who should not see it.

When we collect our customers’ personal data we are also promising not to share it with other people outside of the company without first telling our customers about it. This means we need to let them know when we are sending their information to any other person or company, perhaps a mailing house or even a database management service that stores their data in the cloud on our behalf.

We must work only with people whom we trust, and who have agreed in writing to comply with the law and be careful with our customers’ data as well. If you are thinking of using a new service that involves sharing our customers’ data you should tell your privacy or data protection officer (me!) right away and not start using that service until the proper agreements are in place.

Sometimes we’ll want to communicate with our customers about new products and services we’d like to offer them, and they won’t want to be bothered. We need to respect that. Consumers have the right to object to having their data used for direct marketing purposes, including having it used to “profile” them — analyzing their data to make decisions about them that might have a legal effect such as granting or denying them services. We need to tell our customers up front that they have the right to object to marketing and profiling.

Keeping data forever

It is tempting to keep information about customers for a long time because we never know what uses might be made of it later. After all, the largest and most successful technology companies (like Google, Facebook, and Amazon, for example) have built their fortunes on gathering and analyzing lots of data.

The GDPR doesn’t see it that way. One of the core principles of the law is that data should not be retained longer than necessary. Even though data subjects have a right to access their data, to correct it, and to have it transferred to others, data should not be kept in a form that permits a person to be identified just to fulfill these rights, if the original purposes for processing the data have been fulfilled.

As mentioned above, data subjects even have the right in some cases to ask that the company deletes all of their data — it’s called the “right to erasure” or the “right to be forgotten.” Although the right doesn’t apply in every case, it does when keeping the personal data is no longer necessary in relation to the purpose for which it was collected in the first place.

What’s the harm?

In the U.S., we are accustomed to worrying about data breaches, and the identity theft that might follow. We try to minimize the damage to people by offering them credit monitoring and limiting the amount of money they might lose if someone, say, uses their credit card illegally.

In Europe, data protection is much broader than preventing identity theft. Harm to data subjects includes non-material damage to a person. This “non-material” damage includes the mere loss of control over their personal data. All of which circles back to how this post began, namely, that it’s their data — not ours.


The GDPR — and many other countries’ data protection laws — challenges us to think of personal data differently than PII, or even than “privacy” rights under U.S. law. Its complexity extends beyond the high-level overview discussed here. But in general, if we begin to think of ourselves as stewards or guardians of our customers’ data, that will go a long way to helping us meet their privacy expectations and comply with the GDPR.


If you want to comment on this post, you need to login.

  • comment Stuart Thomas • Jan 30, 2018
    This is a great article, I like to explain to my US colleagues, Data Protection in Europe, is like your second amendment rights, it's that fundamental! ... although I did borrow that from Phil Lee at Fieldfisher...
  • comment Christoph Bausewein • Feb 2, 2018
    Very useful for business and, as an European attorney, taking the view of an US-American. I believe this is the key message:  “...the notion of (EU) data protection from the consumer’s point of view does not fit neatly into (US) property, contract, or tort law principles.” Thank you!
  • comment A. A. Jullien • Feb 2, 2018
    Why are we not thinking of applying GDPR to all customers regardless of non-EU origin?  If we consider data protection at design and by default we have embraced a reasonable methodology.  If not, how long will it take before the rest of the world aligns with these principles and practices ?
  • comment Andras Khan • Feb 3, 2018
    This is such a great article. Very helpful for helping US colleagues understanding the fundamental differences in their understanding of Privacy versus a european mindset. Thank you so much Rita for sharing your knowledge.
  • comment Thomas Rostrup • Feb 5, 2018
    A very useful article giving insights to Americans and Europeans alike. Even as a European working actively with GDPR preparation, I find the text helpful; we learn about ourselves through the eyes of others.
  • comment Leena Kuusniemi • Feb 5, 2018
    This is summarized beautifully, and great read for Europeans as well. Sometimes with long legal texts one gets tangled with details and forgets the fundamental principle : personal data belongs to that person. If it would be money or car-keys, nobody would claim that company could use it endlessly, or service-provider could bluntly say "I don't know where your stuff is".  I will surely share this article further!
  • comment Andreea Lisievici • Feb 6, 2018
    There is one other very important distinction to make, as far as I understand US laws, which focus on the relationship with a "consumer" as this article also points out. That means that there must be a contractual relationship towards the person having certain rights. So for example a company selling smart devices or apps has certain obligations towards the consumer that bought the device or app, but not also toward other persons whose data might be processed through the device or app. This is not the case under EU law. Individuals have the same rights in relation to their personal data irrespective of the relationship, contractual or not, their have with the controller. If an idividual's data is received by an entity through any means (legally or not), then that entity has the exact same obligations toward the individual due to their classification as controller. 
    TL;DR Under EU law (both current and GDPR) a data subject is not necessarily a consumer, and I think this is important to point out.
  • comment Julie Glover • Feb 6, 2018
    This is an excellent overview in really clear terms we can share with non-privacy professionals.  I always believe that those who can explain complex concepts in simple terms are the TRUE experts!  Thank you!
  • comment Lavinia Puflea • Feb 7, 2018
    Great article and I find it very useful to explain in simple and concise words to a non lawyer. I`ve always said privacy is a new legal system with new and very different challenges ahead.
  • comment George Rodriguez • Feb 7, 2018
    Great article!  Fundamental information.
  • comment Tonya Gisselberg • Feb 7, 2018
    This is a terrific explanation of data subject rights under the GDPR, Rita. An analogy to U.S. copyright law might also help U.S. attorneys understand data subject rights under the GDPR. Under the Copyright Act of 1976, U.S. copyright owners own a bundle of rights that can be sliced and diced in many creative ways. Those rights can be licensed out, but the copyright owner continues to own the underlying rights. The analogy ends when you look at the term of the license. The language in the license controls when the copyright owner can end the license, but the EU data subject can end the license at will, with certain exceptions.
  • comment Joseph Lamarche • Feb 8, 2018
    Great article, as it perfectly reflects the issues I had trying to explain the GDPR and its consequences for a US company that wants to process personal data of European citizen.....
  • comment Chris Butler • Feb 16, 2018
    Great article, thank you - as others have commented, it is always a pleasure to read complex issues clearly explained.
  • comment Bridget Ascenzo • Feb 23, 2018
    This article gets right to the essential mind-shift - and helpful reminders thereafter - that must occur for everyone involved in GDPR compliance initiatives. If you've been living and breathing GDPR for the past few months, you need this reminder to help distill and capture the spirit of all that tiny text you've been buried in. If you've been struggling with how to foster genuine understanding and cooperation amongst those less familiar with the GDPR, this article will likely prompt a very helpful "light bulb" moment for your colleagues. Thanks for sharing!