In 2016, the European Union (“EU”) enacted the General Data Protection Regulation (“GDPR”), a sweeping privacy law granting individuals within the EU enhanced privacy protections. GDPR took effect on May 25, 2018. The mandates and scope of enforcement of GDPR, including imposition of severe monetary penalties, were written to apply beyond the geographical boundaries of the EU member countries. Its broad application extends to any company that controls and processes personal data of individuals in the EU or engages in profiling of those individuals.
Notably, the EU’s new privacy framework has quickly influenced members of the U.S. Congress to encourage U.S. companies to apply the GDPR privacy protections to the personal data of U.S. citizens. The law possibly also influenced the state of California’s recent passage of a sweeping privacy law that resembles GDPR in various respects.
While the new California privacy law does not become effective until 2020, GDPR is currently in effect. It is uncertain, though, how and to what extent U.S. courts will apply GDPR. Nonetheless, practitioners should be ready to address GDPR issues as they arise. Failure to do so may prove costly. This article provides a general overview of GDPR, discusses its uncertain application and enforcement in the U.S., and highlights areas of the privacy law that bankruptcy practitioners in the U.S. should be prepared to navigate.