Skip navigation

Exporters Must Comply with EU Reg by May 2018 or Face Fine

Non-compliance can be very expensive. There is a fine of 4% of the company’s global revenue.

There is a global conversation going on about the digital economy. The discussion centers around how these new technologies will be adapted and what the implications will be. One area of particular concern is that of privacy.

“How the U.S. and the EU view privacy is very similar,” explains Isabelle Roccia, a Commercial Specialist who serves as the U.S. Mission to the EU-Belgium, for the International Trade Administration-U.S. Department of Commerce.

And how these countries, which account for $4.5 trillion in two-way trade and generates more than 15 million jobs, approach privacy requirements will be essential to the continuation of the brisk trade.

In 2016 both the U.S. and the EU updated their approach to the issue. The International Trade Administration (ITA) of the U.S. Department of Commerce launched the EU-U.S. Privacy Shield Framework to provide U.S. companies with a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the United States. 



And recently, The European Union adopted a new piece of data privacy legislation called the General Data Protection Regulation (GDPR). The GDPR replaces the previous data protection Directive 1995/46. The overall objectives of the legislation remain the same: Businesses must tell consumers that they are collecting data, what they intend to use it for, and to whom it will be disclosed.

 Some of the key principles of the GDPR are:

  • Transparency: Personal data must be processed lawfully, fairly and transparently;
  • Purpose limitation: the purpose for which data is collected must be specified, explicit and legitimate;
  • Data Minimization: only data relevant for the purpose laid out should be collected and processed;
  • Data Integrity: It must be adequate, relevant and limited to what is necessary, and it must be accurate and kept up to date;
  • Security: It must be processed in a way that ensures appropriate security of the personal data, and the data controller is responsible for showing their compliance

 “What companies need to know is that they must be compliant with GDPR by May 25, 2018,” said Roccia.

 Non-compliance can be very expensive. There is a fine of up to 4% of the company’s global revenue or up to 20 million euros (US $23 million),whichever is higher. 

“While many companies have already begun working to comply, our organization can help any size company and in particular small companies who might not have a physical presence in Europe, but sell into that market,” Roccia added.

The ITA’s Commercial Service has prepared an overview of the GDPR that companies can use to familiarize themselves with some of the basic requirements of the GDPR so that they can begin to assess whether the GDPR would apply to them.  

In addition, ITA has both documents available to help with compliance as well as a Digital Attache program that consists of 12 Digital Trade Officers that can provide assistance, free of charge.  

Future Trends

“The privacy landscape continues to evolve in Europe and the European Commission has proposed further legislation that may impose additional requirements on companies,” says Roccia.

 The proposed e-Privacy regulation seeks to extend telecoms regulations, to what Europeans term over the top (OTT) communications services. OTT’s include services such as Skype and Facetime but may also include chat functions on websites.

 In addition, the European courts have also been very active in shaping Europe’s privacy landscape so companies should be vigilant in their monitoring of European privacy requirements.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.