Cities in the United States that directly target European Union (EU) residents for tourism and education may be subject to GDPR, the EU's new privacy rules that will take effect on May 25.
Saad Gul and Mike Slipsky, partners at the North Carolina-based law firm Poyner Spruill, told Smart Cities Dive that any information cities collect on an EU resident will be subject to GDPR if it is collected at an establishment or subsidiary located in an EU country, or if any customers are in the EU. But GDPR has a "fairly broad definition" of what counts as personal data of EU residents.
"Probably for any municipality of any size, they're going to have at least one EU resident's name, birth date, financial information on file for some reason or other if they've ever signed up for some municipal service or some educational program that was offered by that municipality or had to pay taxes or some other municipal fees," Slipsky said.
Any city that has a tourism office in the EU will likely have to comply, especially if it collects personal data like email addresses, dates of birth or home addresses through a sign-up mechanism at that office. However, if a city has a tourism website that is accessible from anywhere in the world and can collect such personal data, Slipsky said it may not need to worry about compliance, but that the law is ambiguous.
"I think the way to think about it is a dual trigger, which is: does the municipality have that EU resident's personal data or control and is it processing it?" Slipsky said. "And the second one would be, has the municipality engaged in the kind of conduct that would be deemed to intentionally collect and process this kind of data from EU residents?"
But Gul said cities could also argue that since they are part of a state, which is a subdivision of the United States, they may not be subject at all as the EU and its laws may not supersede this country's laws. "Are you saying that a government entity is subject to a foreign government entity? I think there'd be all sorts of other sovereign immunity issues with that," Gul said.
If a city determines it is subject to GDPR, perhaps because of its tourism office's EU operations or a community college that targets EU students, Gul said that decision is "fairly major."
Cities could take the lead from businesses like Microsoft, Google and Facebook that have been deliberate in separating out the data subject to GDPR, and put processes in place, perhaps led by a Data Protection Officer-type position as an ombudsman.
Slipsky said cities should give "real thought" to whether they are required to comply with GDPR at all, as the decision to comply could be expensive and create many new processes. "That's why the first question, 'Are we subject to GDPR?' is where I would spend a lot of energy," Slipsky said. "That's the one where, if you can come up with a plausible, reasonable argument for why you are not, that might be your saving grace."