By now, you have probably heard that the European Union (EU) has a new data protection law on the books, the General Data Protection Regulation (GDPR) – but what are the new rules, and how might they apply to broadcasters? Below we address these and other commonly asked questions about the GDPR.
What is the GDPR?
The GDPR is a new European privacy law that, as of May 25, 2018, generally governs how organizations – including those EU-based and many that are not – collect, use, disclose, or otherwise “process” personal information. While some limited exceptions exist (e.g., businesses with fewer than 250 employees are exempt from some requirements), the GDPR imposes an array of obligations on companies subject to it.
Who does the GDPR apply to?
The GDPR clearly applies to companies established in the EU that collect personal information about individuals in the EU, but it also claims a broad extraterritorial reach. Indeed, it can apply to organizations, including broadcasters, without an EU presence. For instance, it can apply to broadcasters who collect or use data to provide services like streaming TV or radio to individuals in the EU. It also can apply to broadcasters who use website cookies and other online tracking mechanisms to “monitor” individuals in the EU (e.g., profiling for behavioral advertising). That said, it remains to be seen whether regulators will enforce the GDPR against companies that for the most part are not serving EU citizens and do not have EU operations, but may occasionally and unknowingly acquire data of an individual in the EU or an EU citizen in the United States.