- Does the EU’s GDPR affect organizations outside the EU?
- The GDPR’s extraterritorial scope likely includes many organizations outside the EU.
- Such organizations would do well to review their digital activities to determine whether they are subject to the GDPR and initiate compliance measures.
The European Union’s General Data Protection Regulation (GDPR) will come into effect on May 25th of this year. Although the GDPR has been a hot topic for some time in Europe, it has only recently received attention from companies outside the European Union (EU).
As the implementation date nears, many organizations outside the EU are wondering whether they are required to comply with the GDPR if they do not have a physical presence within the EU. Although the answer will largely depend on the specific activities of each organization, there are good reasons to believe that compliance with the GDPR may be required for many.
Territorial Scope of GDPR
Article 3(1) of the GDPR applies to EU-based organizations engaged in the processing of personal data (i.e., any information relating to an identified or identifiable natural person) belonging to EU data subjects. However, Article 3(2) goes a step further by extending the territorial scope of GDPR to organizations that are not physically established in the EU. The GDPR provides that the rules apply to a “controller” or “processor” who is not established in the EU and is engaged in processing of personal data of EU subjects. (A “controller” is an entity that, alone or jointly with others, determines the purposes and means for the processing of personal data. On the other hand, a “processor” is an entity that processes personal data on behalf of the controller. In some countries, such as the United States and Canada, local privacy laws do not make the same distinction between a controllers and processors.) Specifically, the GDPR will apply:
- where the processing relates to the “offering of goods or services” to European data subjects regardless of whether payment is required), or
- where the behavior of European data subjects within the EU is monitored.
There is no clear guidance as to what constitutes an “offering of goods or services” under Article 3. According to Recital 23, a case-by-case analysis must be conducted in order to determine whether a given activity can be deemed to be an offering of goods or services. Ultimately, the key is to determine whether the data controller or the processor intends to offer goods or services in the EU.
With respect to the second part of the test, behavior monitoring occurs when a natural person is “tracked on the Internet.” This includes the use of personal data to profile a natural person, particularly in order to inform decisions an organization makes about a particular individual by analyzing or predicting her or his personal preferences, behaviors, and attitudes.
Where an organization not based in the EU—acting either as a data controller or processor—is subject to the GDPR, it will be required under Article 27 to designate a European representative. This representative is meant to receive communications addressed to the controller by the EU data-protection supervisory authorities and by data subjects.
It is noteworthy that Article 25 exempts controllers from this obligation under certain circumstances: if the processing is occasional, does not include the large-scale processing of “special categories of data,” and is “unlikely to result in a risk for the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of processing.” Within this framework, “special categories of data” include those that reveal racial or ethnic origin, political or religious beliefs, or genetic, biometric, or health data.
The GDPR was intentionally drafted to ensure that it applies not only to EU-based organizations, but also to organizations based outside of the EU that handle the personal data of EU data subjects. Given the ubiquity of digital commerce, many organizations outside the EU—acting as a controller or processor—are likely subject to the GDPR as a result of the expanded territorial scope under Article 3.
If they have not already done so, organizations outside the EU should review their digital activities to determine whether they are actually subject to the GDPR and, if so, develop and begin the implementation of a GDPR compliance roadmap.