Data Privacy Detective Podcast - Episode 13 - Does the GDPR apply to a business outside the European Union? How and When?
The General Data Protection Regulation (the GDPR) becomes law throughout the European Union on May 25, 2018, backed by substantial fines and criminal penalties for serious violations. The GDPR applies to the processing of personal data by a data controller or processor established in the EU. Should a business organized outside the EU be concerned? Yes, because the GDPR expressly applies to businesses throughout the world in specific instances.
If a business controls or processes personal data but has no EU presence of its own, it will be within the GDPR’s scope if it does either or both of the following: (1) it offers goods or services to people within the EU, or (2) it monitors their behavior within the EU. Here’s the specific wording of GDPR Article 3:
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
b. the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
This language limits the extraterritorial reach of the GDPR but leaves a lot of questions. Does a website that does not specifically aim at EU consumers qualify as offering goods or services? What does it mean to “monitor … behaviour”?
How does a non-EU business know if it must comply with the GDPR? And what specific things are required if the answer is yes? This podcast explores these questions, detailing the specific activities that require a non-EU business to comply with this EU regulation.
Merely having a globally visible website is not enough. But what, then, requires compliance with the GDPR? Tune in to this podcast for an exploration of the GDPR’s reach beyond EU borders. Consider how a data inventory and a data map are the first steps in determining how a non-EU business can deal with the GDPR and comply with its requirements.
For more information, please contact Joe Dehner or any other attorney in Frost Brown Todd's Privacy and Information Security Law Practice Group.