Government agencies in US could be affected by new EU privacy regulations

Office of CyberSecurity
cybersecurity.wa.gov
May 9, 2018

Starting May 25th, more than 500 million people who are residents of the European Union will be covered by stringent new internet privacy protections that could have significant impacts in the United States as well.

The General Data Protection Regulation, or GDPR, gives EU citizens many new rights, including the right to know who is keeping their data and how it’s being used. They also have the right to get a copy of any data kept about them, and to have it erased.

“A lot of people think this doesn’t apply to them because they don’t do business in Europe or they don’t have any ties to Europe. But it might surprise you the ties you have,” said Lynne Pizzini, the director of cybersecurity for Cerium Networks.

“This rule applies to all companies, government agencies, non-profits and any other organization that offers goods and services to people who are European citizens. It is applicable to any organization of any size,” she said, during a recent webinar presentation for MS-ISAC. “Each organization needs to consider and determine how GDPR affects their compliance requirements.”

Some of the questions Pizzini posed for government agencies to consider include:

  • Do you sell hunting and fishing licenses online, or provide tourism information and collect names and addresses?
  • Do you advertise job openings online, and could someone living in Europe apply?
  • Do you have information stored on your computers for a former employee who now lives in Europe?
  • Do you have any employees who are here on a work visa from Europe?

If the answer to any of those questions — and many others — is yes, then you should dig deeper into the GDPR to see if you have compliance requirements, she said.

Pizzini noted the new EU privacy regulations consider many different types of data to be “personally identifiable information,” or PII.

For example, IP addresses by themselves may be subject to the GDPR if an organization selling goods and services stores that information. That’s because the European Union has determined IP addresses can be tracked back to an individual.

It remains to be seen to what extent the GDPR can, or will, be enforced in the U.S., she said, but added, “Congress has been taking a very strong look at privacy and privacy law. This is just a precursor, I think, to what is to come and so it’s something we all need to consider.”
