The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave Leighton Paisner has published a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: If a US company that is not subject to the GDPR acquires a European company that is subject to the GDPR, does the acquisition "infect" the data of the US company?
Answer: Not necessarily.
The GDPR applies to companies that process data “in the context of the activities of an establishment . . . in the Union.”
With regard to data that was processed by the United States parent prior to closing, there is a strong argument that such data should not be subject to the GDPR (unless of course it was subject to the GDPR independently before the transaction occurred) unless the transaction changes how the United States parent processes the data in a way that would bring the data within the scope of the GDPR. Put differently, the fact that the United States parent now owns a European company should not, in and of itself, make the application of the GDPR more likely; there would need to be a change in the behavior and processing of the United States parent in addition to the acquisition. As the European Court of Justice has summarized, the law that applies to data turns on “[not] where the controller is established,” but “where an establishment of the controller is involved in activities implying the processing of personal data.”
As a result, if post-transaction the subsidiary is operated independently of the parent and there is no transfer of personal data or cross-marketing between the two operations, the GDPR would more than likely not apply to the activities of the parent. If, however, post-transaction the United States parent uses the European subsidiary to process personal data directly, or the European subsidiary contributes in some way to the context of why the United States parent is processing data, an argument may exist that such data has begun to be processed within the “context of” the activities of the European subsidiary and, as a result, falls within the GDPR.
The following are a few examples of situations where, post-closing, a United States parent’s data would be more likely to be considered within the scope of the GDPR:
- Post-closing the European subsidiary becomes a service provider / processor of the United States parent.
- Post-closing the United States parent centralizes global human resource functions in the European subsidiary (i.e., US employee data is sent to Europe for Human Resource management).
- Post-closing the United States parent centralizes some other common internal function that involves personal data within the European subsidiary. For example, the company centralizes global marketing efforts in Europe such that marketing communications are designed, and sent, from the European subsidiary.
- Post-closing the European subsidiary markets the products or services of the United States parent to European clients.
- Post-closing the European subsidiary promotes, or sells, a product that was created or offered by the United States parent.