The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, BCLP is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Is a company that provides a product or a service to a person in Europe always subject to the GDPR?
While the GDPR purports to apply extraterritorially to a company that is not based in the European Union, but “offer[s] goods or services” to a person that is located in the European Union, the European Data Protection Board has emphasized that merely providing service to individuals that happen to be in Europe is not enough to trigger the GDPR. Instead, the EDPB has implied that the subjective intent of a company to offer products to Europeans must be evaluated. Specifically, the EDPB has focused on whether a company was “targeting” Europeans when providing a service, or whether a company has “demonstrate[d] its intention to offer goods or services to a data subject located in the Union.”1 The EDPB’s interpretation of the extraterritorial reach of the GDPR relies on language within the recitals of the GDPR that suggests that a company must “envisage” the offering of services into the Union in order for the regulation to apply extraterritorially.2
In order to determine whether a company intends to offer goods or services into Europe, the EDPB has suggested that supervisory authorities consider the following non-exhaustive list of factors:
- Does the company reference the EU or a Member State by name in its marketing materials?
- Did the company pay a search engine in order to facilitate access to its site by consumers in the Union?
- Did the company launch marketing and advertisement campaigns directed at an EU country audience?
- Do the company’s goods or services have an inherently international nature (e.g., selling tourist activities)?
- Does the company provide dedicated addresses or phone numbers to be reached from an EU country?
- Does the company use EU-centric top-level domain names (e.g., ###.de or ###.eu)?
- Does the company provide travel instructions from the EU to the place where a service will be provided?
- Does the company use testimonials of customers domiciled in EU Member States?
- Does the company use a language or a currency other than that generally used in the company’s home country (e.g., an American company that has a Polish-language website)?
- Does the company use an EU currency?
- Does the company offer to deliver goods in EU Member States?3
Based upon the guidance provided by the EDPB, there are several situations in which an American company may physically provide a product or a service to individuals that are in Europe, but not be subject to the GDPR. For example, if a company markets an App only to Americans, but an individual uses the App while in Europe on vacation, the EDPB has made clear that the company would not be subject to the GDPR because it did not intend to target Europeans.4 This determination should not be impacted by the mere fact that, if the company examined its web logs, it might learn that a user accessed the App from Europe.