In the history of personal data protection worldwide, the adoption of the EU General Data Protection Regulation (GDPR) is likely to remain one of the most significant enactments of the past 20 years. The GDPR, which becomes applicable on May 25, 2018, attempts to define uniform rules that harmonize the member-state regimes currently in effect, which diverge because of differing histories, cultures, and economic priorities. It also creates new obligations for companies that are established outside the European Union/European Economic Area but interact with individuals located in the EU/EEA.
The basic rule is that the GDPR applies to the processing of personal data in the context of the activities of an entity established in the EU/EEA, whether or not the processing takes place in the EU/EEA. In addition, under Article 3.2 it also applies to the processing, by an entity that is not established in the EU/EEA, of personal data of individuals who are in the EU/EEA, if the processing relates to: (1) the offering of goods or services to these individuals, whether payment is required or not; or (2) the monitoring of such individuals’ behavior, to the extent that such behavior takes place within the EU/EEA.
In the U.S. context, this means that when a U.S. company collects personal data relating to individuals located in the EU/EEA (the test is presence in the EU/EEA, not residence or citizenship), its data collection or processing practices are likely to be subject to the GDPR. This would include, for example, a U.S. website that promotes goods or services priced in Euros, or a mobile application that tracks the behavior of users located in the EU/EEA through embedded code that collects data for interest-based advertising.