The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Does the GDPR apply if my company has no employees or offices in the EU?
Answer: Maybe. Unlike the EU Data Protection Directive of 1995, which did not apply to businesses outside the EU, there are two situations in which the GDPR purports to apply extraterritorially to companies that have no physical presence in the Union.
The first situation occurs when a company that is not based in the EU “offer[s] goods or services” to a person that is located in the EU. According to the GDPR, the regulation would attach even if the offer did not involve a financial transaction or payment.1 In other words, theoretically if a company offers a free service to people that are in the EU, the GDPR might attach. That said, the regulation makes clear that merely having an internet website that is accessible to EU residents is not enough for the GDPR to attach.2 Something more must be present that demonstrates that a company “envisages” the offering of services into the Union.3
The second situation is where a company “monitor[s]” the “behavior” of someone “as far as their behavior takes place within the Union.”4 Although little administrative guidance exists concerning the scope of this extraterritorial “hook,” the EU Commission has suggested that the “monitoring” with which the regulation is concerned involves the behavior of individuals on the internet. Specifically, the Commission has stated that “[i]n order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”5
The questions that remain to be answered are (1) whether European data protection authorities will attempt to bring enforcement actions against companies that have few, if any, EU contacts, (2) whether European courts will find that the extraterritorial application of the regulation conflicts with principles of personal and subject matter jurisdiction, or exceeds the authority of the Commission, and (3) if an enforcement action is successful, whether a judgment can be collected.