GDPR: Is the Data Protection Regulation applicable to US companies not based in the EU?
The EU General Data Protection Regulation (GDPR) will apply from May 25, 2018 and will bring about the greatest change in European data protection and data security law to date. The GDPR is an EU regulation governing the processing, storage and use of personal data.[1]
The GDPR was designed to harmonize data privacy law across the European Union. According to Article 1 sec. 1 GDPR, it lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.[2] Its purpose is to give data subjects greater control over their personal information.[3] In particular, where processing is based on consent, that consent must be actively given for the specific use in question; data subjects also have a right to erasure ("right to be forgotten") and a right to data portability.[4]
Whereas the territorial scope of EU regulations usually covers controllers that are based in the European Union or that have an establishment there, the GDPR has expanded its territorial scope. It differs from the previous Data Protection Directive in that its scope is extended to extra-territorial applicability.[5] The GDPR applies to companies based in the European Union and to multinational corporations that do business in the European Union. It can also apply to U.S. companies that have no direct business operations in any of the 28 member states of the European Union.[6]
The GDPR protects data subjects who are in the European Union; the decisive criterion is the data subject's presence in the Union, not citizenship.[7] According to Article 3 section 1 GDPR, the Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.[8] Article 3 section 2 GDPR provides that the Regulation also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to such data subjects in the Union, irrespective of whether a payment by the data subject is required. The GDPR likewise applies to the monitoring of behavior, as far as the data subject's behavior takes place within the Union.[9] In short, under Article 3 GDPR the Regulation applies to all companies established in the European Union, irrespective of the place of processing, and it will additionally apply to companies located in the United States that merely offer goods or services (including free of charge) to data subjects in the Union or monitor their behavior.[10] For example, if a US-based provider builds profiles of consumers located in the European Union for sales promotion purposes, it must comply with the GDPR. Application of the GDPR does not require a financial transaction.[11]
The GDPR is not applicable to every company that merely operates an online service such as a website that happens to be reachable from the Union. Application under Article 3 section 2 requires that the U.S.-based company targets data subjects in the European Union. Indicators of such targeting include offering goods or services in a language spoken in a member state, offering shipping to member states or accepting payment in euro.[12] U.S. businesses that are not established in a member state of the European Union therefore have to review whether the GDPR applies to them under Article 3 GDPR.
Footnotes