Personal Data and the GDPR: Providing a Competitive Advantage for U.S. Companies
Forthcoming, 56 American Business Law Journal 287-344 (Summer 2019)
45 Pages Posted: 17 May 2019
Date Written: May 16, 2019
Abstract
The European Union’s General Data Protection Regulation (GDPR) became applicable in May 2018. Due to the GDPR’s extraterritorial scope, which could result in massive fines for U.S. companies, comparative data privacy law is of great current interest. In June 2018, California passed its own Consumer Privacy Act (CaCPA), echoing some of the provisions of the GDPR. Despite the many articles comparing the two schemes of law, little attention has been given to the foundation of these laws, that is, what exactly encompasses the data referred to by these laws? By understanding how the term “personal data” or “personal information” is defined in both jurisdictions, and why these definitions and the treatment of protected data are so different, companies can strategize to take advantage of these developments in the European Union. After explaining the differences in how data is treated in the United States and the European Union by exploring the definitions, regulations, and court cases, we will explore the five legal strategy pathways that companies might pursue with respect to the legal aspects of data transfer and privacy law compliance. While these strategies range from ignoring the law to adopting the European model worldwide, this analysis of legal strategy reveals a means for companies to gain a competitive advantage through their adoption of a world-wide compliance scheme.
Keywords: data protection, data privacy, compliance, privacy, extraterritoriality, general data protection regulation, GDPR, California Consumer Privacy Act, CaCPA, personal data, personal information, PII, European Union, EU law, comparative law, legal strategy
JEL Classification: K2, K19, K20, K29, K42, K39
Suggested Citation: Suggested Citation