By ERIC BOUGHMAN, Esq.
The European Union's General Data Protection Regulation (GDPR) recently took effect and this has businesses asking whether their own website and data procedures must comply with the comprehensive new data law. Several commentators have suggested that everyone who does business on the internet - including information gathering - is subject to the GDPR's broad reach and stiff fines. In one podcast, a European commentator suggested that GDPR regulators may show up on the doorsteps of American companies to perform data privacy audits; and he claimed several companies could be bankrupted by fines for non-compliance.
Medical providers are keenly aware of HIPAA's stringent protection of patient health data, but the GDPR is different. Of particular concern is the treatment of non-patient information and other data that might be captured by a website or through internet marketing activities. This may include general personal information, such as names and email addresses, and metadata, such as the location of a website visitor's computer, the frequency of website visits, and the amount of time a website user spends on a webpage.
The GDPR purports to apply to any company, anywhere in the world, that possesses, controls, or processes data of any EU citizen. If an EU citizen visits your website, whether you realize it or not, your website likely captures data about that person's visit. Non-compliance can result in stiff fines: up to the greater of 20 Million Euros or 4 per cent of a company's annual revenue. But a careful reading of the law, coupled with some practical knowledge, suggests that most U.S. medical providers, particularly those servicing mainly U.S. resident patients, have no need to worry.
A closer look at the GDPR's 99 Articles and 173 interpretive Recitals helps explain.
Territorial Scope
Article 3 describes three categories of companies covered by the GDPR:
(1) those located in the EU;
(2) those outside the EU that offer goods or services to anyone in the EU;
(3) those outside the EU that monitor individuals in the EU.
The internet's broad reach makes it possible for virtually any business here in the U.S. to "offer" goods or services to EU residents, even if that offer is merely incidental and not specifically intended. Consequently, some interpret this section to mean that virtually every company with a website must comply with the GDPR. A closer look at the regulation doesn't support this interpretation.
Recital 23 speaks further to the GDPR's territorial reach and says that a company is deemed to "offer goods or services" to EU residents only when it intends to do so. The mere fact a website is accessible by EU residents is "insufficient to ascertain such intention." Intent can be a murky question, but Recital 23 helpfully offers some factors for consideration. These include whether a company's website:
- uses the language of an EU Country;
- allows purchases in the local currency of an EU Country;
- mentions other customers or users who are in the EU.
Other factors may include whether a company has a website with a domain suffix of an EU Country, or whether a company routinely provides services for EU residents.
As I read Recital 23 and Article 23 together, a U.S.-based business only becomes subject to the GDPR if it targets EU residents. Having a web presence - or even broad internet marketing - doesn't suffice. Consider, for example, a medical provider here in the U.S. that operates a website through which prospective patients can review the biographies of physicians providing highly specialized cosmetic surgery. The webpages are written in English, marketing and search optimization campaigns are directed to U.S. residents, and the practice only accepts payment in U.S. Dollars. That practice would not fall under the GDPR, even if the occasional EU resident finds the practice through a Google search and completes a contact inquiry form to sign up for the practice's monthly newsletter. Of course, the analysis entirely changes if the practice operates a French language website, has a ".fr" domain suffix, and offers to reimburse travel expenses to Parisians who travel to the U.S. for cosmetic procedures.
Practical Considerations
What if I'm wrong and EU regulators find our fictional medical practice subject to the GDPR? Might EU regulators show up here in the U.S. and start issuing multimillion dollar fines? First, there are serious questions as to whether the EU has any jurisdiction over any U.S. business that does not purposely avail itself of EU law by specifically targeting EU residents. There are certainly questions as to whether the EU has any authority to fine U.S.-based companies over which it has no jurisdiction.
In fact, EU member countries struggled with these same issues in assembling the GDPR. Recital 151 notes that "the legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation." Competent national courts in those countries are admonished to "take into account the (GDPR's supervisory authority's) recommendation" to issue fines. But, will a court in Denmark or Estonia blindly follow the recommendation of an overly zealous EU regulator from Italy, Lithuania, or some other EU Country to fine a local merchant into bankruptcy (as suggested by the podcaster to whom I referred above)?
Regardless of the EU's view, I'm certain U.S. companies can find competent counsel to challenge the reach of the GDPR here in U.S. Courts. And, I doubt U.S. Courts will blindly enforce foreign judgments from the EU which are excessive or which are entered without proper regard for due process concerns.
Conclusion
There are many issues regarding the GDPR's territorial reach and enforcement that still need to be sorted out. U.S.-based medical practices serving U.S. residents need not panic. We already have plenty to worry about with U.S. regulations, particularly those already imposed by HIPAA, and the ever-changing threats presented by U.S.-based litigation - such as the recent spate of ADA Website Compliance lawsuits. Instead, take this opportunity to view the GDPR as an example of "best practices" for handling non-patient data and privacy issues (that may not be subject to HIPAA).
If you envision doing business with the EU market in the future, compliance will ultimately be required. Here in the U.S., we may very well see a local regulation modeled on the GDPR. Achieving GDPR compliance is therefore a worthy goal, regardless of whether it is required. But don't expect any EU regulators to show up on your doorstep next month. And, if they do, please contact me.
Eric Boughman is a founding partner of Forster Boughman Lefkowitz & Lowe.
Michael R. Lowe, Esquire is a board-certified health law attorney at Forster, Boughman, Lefkowitz & Lowe.
Mr. Lowe, Mr. Boughman and our law firm regularly represent providers, physicians and other licensed health care professionals, and facilities in a wide variety of health care law matters.
For more information please visit our website www.FBL-Law.com or call our office at (407) 255-2055.