Brooklyn Journal of Corporate, Financial & Commercial Law


Fast-approaching changes to European data privacy law will have consequences around the globe. Historically, despite having dramatically different approaches to data privacy and data protection, the European Union and the United States developed a framework to ensure that the highspeed freeway that is transatlantic data transfer moved uninterrupted. That framework was overturned in the wake of revelations regarding U.S. surveillance practices, and amidst skepticism that the United States did not adequately protect personal data. Further, the European Union enacted the General Data Protection Regulation (GDPR), a sweeping overhaul of the legal data protection landscape that will take effect in May 2018. The law will impact all companies that process data relating to EU citizens, which will include many U.S.-based ventures, big and small. And while many of the world’s large technology companies will have feasible methods of quickly complying with the law, small ventures will not have it so easy. This Note explores the legal landscape of data privacy, discusses what led to the current dynamic between the European Union and the United States, and explains why the current methods for small, U.S.-based ventures attempting to comply with the GDPR are not operationally feasible. This Note then proposes both a short-term and long-term solution to address the significant challenge that small companies in the United States currently face.