The upcoming EU privacy regulation created an atmosphere of tension as to what shall be done NOW to be ready for the GDPR. And here I cover the extended scope of applicability.
The agreement reached at the European level on the new European General Data Protection Regulation (GDPR) is expected to lead to a revolution in the privacy world. It will come into force in 2 years, but most of our clients are not sure to be ready by that time, given the required amount of work.
For this purpose I launched a series of blog posts on the most relevant issues to consider in complying with the European Union (EU) privacy regulation and here I discuss why not only European companies should care about it.
Expanded concept of privacy establishment
The current EU Data Protection Directive 95/46 applies to data controllers that are established in the European Union with the consequence that for instance US companies with no EU establishment could be considered to be excluded, unless other criteria of applicability apply.
On the contrary, the GDPR refers not only to the establishment of data controllers, but also of data processors (i.e. of the entity that processes personal data on behalf of the data controller) which if located in the EU triggers the applicability of EU data protection laws, regardless of where the data processing (e.g. the servers) takes place.
Therefore, a US company with servers in the US, but with local subsidiaries in the EU shall comply with EU data protection law in the data processing activity performed by its subsidiaries relating to the service offered from the US.
Introduction of the targeting principle
The expanded concept of privacy establishment is a minor change if compared to the massive effects that can derive from the targeting principle. According to such rule, the General Data Protection Regulation applies to the processing of personal data of data subjects who are in the European Union performed by a data controller or a data processor not established in the EU where the processing activities are related to
the offering of goods or services – irrespective of whether they are free of charge or require a payment – to such data subjects in the EU
The rationale is to protect European citizens regardless of the place where the company offering the goods and services is located which in a global economy and with the ubiquity of the Internet might be everywhere in the world.
The consequence of the above is that a US or an Asian Internet company with no establishment in the European Union, but selling its products to EU customers is likely to be required to comply with EU data protection law. But, in order to prevent that companies with no relevant business in the EU from just stoping their sales in the EU, the GDPR clarifies that it should be assessed whether
“it is apparent that the controller is envisaging the offering of services to data subjects in one or more Member States in the Union“.
Criteria that can be used to trigger the targeting rule above are for instance the language of the website and the currency in which transactions are offered. However, an assessment shall be performed on a case by case basis.
Monitoring of users in the EU
The last criteria of applicability of the GDPR is
the monitoring of their behavior as far as their behavior takes places within the EU.
This criteria might have a quite disruptive effect on the Internet since cookies and fingerprinting technologies are used almost on any website. And if such technologies are used to track European users and profile them based on their preferences, the General Data Protection Regulation is likely to apply regardless of the place of establishment of the company. But this rule is likely to impact not only Internet companies as companies providing Internet of Things technologies might also have to deal with that.