skip navigation

EU’s General Data Protection Regulation: Does It Apply to Your Agency?


May 29, 2018 by Jim Doherty
Category: Public Records Act

EU’s General Data Protection Regulation: Does It Apply to Your Agency?

Two years ago the European Union (EU) adopted General Data Protection Regulation (GDPR), with an effective date of May, 25, 2018 — last Friday. In response, MRSC has received several calls from jurisdictions asking if the regulations applied to Washington local governments.

Is the GDPR applicable to my local government?

Local governments should not be concerned about the GDPR — except if you offer goods or services to residents of the EU.

Does your jurisdiction do any direct tourism marketing to EU residents or are you somehow involved directly with EU projects? It is not likely that local government agencies in Washington would be involved in activities that would bring them within the scope of this EU regulatory scheme. If you disagree, please contact MRSC. If we obtain information that calls this conclusion into question, we will provide an update.

There are relatively few situations where a public agency in Washington would gather data from EU residents. Here are some possible examples:

  • an EU resident is involved in a vehicle accident and police respond to the scene
  • an EU resident obtains services from a public hospital district while visiting the Northwest

In such situations the public agency is not offering services to EU residents, it is responding to an emergency or providing services at the request of the EU resident. Such tangential contacts and data involvement would seem to be beyond the scope of the regulations, and the EU would seem to have no jurisdiction to enforce compliance if the public agency has no general business involvement or offices within the EU.

Data protection and privacy across organizations

Because of the global reach of many corporations and companies that utilize the web to conduct business and market products, these regulations will impact a significant number of US-based businesses, including some that you use as vendors or contractors, such as Microsoft, Facebook, Amazon, etc. It will be the responsibility of these businesses to comply with GDPR, since, in the course of conducting business, they collect data from EU individuals.

There is a growing concern over the privacy of data that is collected from individuals by private businesses and public agencies, for a wide range of uses. The intent of the EU regulations is to enable EU residents to have more control over the personal data that companies obtain. If similar US regulations are adopted in the future, you will receive information regarding compliance from MRSC, your statewide professional associations, and your insurer.

On the topic of data privacy, here are two instances that do apply to local government agencies. When individuals provide their email address and request to be added to a list for communications from your agency, do you inform them that their email address may be required to be disclosed to the public pursuant to the PRA? Do you have an easy process for people to unsubscribe from your agency newsletters or other communications?

These are just a few best practices that help local governments ensure data privacy for individuals and helps constituents better manage how and when to share their personal data.

Questions? Comments?

If you have questions about this or any other local government issues, please use our Ask MRSC form or call us at (206) 625-1300 or (800) 933-6772. If you have comments about this blog post or other topics you would like us to write about, please email me jdoherty@mrsc.org.

About Jim Doherty

Jim has over 24 years of experience researching and responding to varied legal questions at MRSC. He is the lead attorney consultant and has special expertise in transmission pipeline planning issues, as well as the issues surrounding medical and recreational marijuana.

VIEW ALL POSTS BY Jim Doherty

Leave a Comment

* Required field

Security code

Comments

"Another possible point of contact would be EU residents that own real property in Washington and then receive notices for adjacent development projects etc."

Michael MacSems on May 30, 2018 11:31 AM

1 comment on EU’s General Data Protection Regulation: Does It Apply to Your Agency?

 more

Blog Archives

GO

Follow Our Blog