The long arm of the GDPR
The GDPR will be significantly wider in scope than the existing Data Protection Directive. As explained in this post, this will result in numerous organisations across the globe having to comply with the provisions of the GDPR.
Who Must Comply With The GDPR?
Leaving aside public international law, the GDPR (like the Directive) distinguishes between organisations established within the EU and those not established within the EU.
For organisations established in the EU, the GDPR will apply to their data processing activities regardless of whether they act as controller or processor and whether their processing takes place within or outside the EU.
As regards organisations not established in the EU, the GDPR will apply to their data processing activities (likely regardless of whether they act as controller or processor) to the extent the processing activities are related to the offering of goods or services to individuals residing in the EU or to monitoring the behaviour of individuals in the EU.
What Is New?
The GDPR imposes direct obligations on data processors whereas data processors have no direct obligations under the Data Protection Directive (they only have limited indirect obligations required in controller/processor contracts).
Further, the GDPR applies to organisations that have no physical presence in the EU or any other geographic connection to the EU except that they process personal data of EU residents in connection with offering goods or services to them or monitoring their behaviour. Under the Directive, member states’ data protection laws only apply to organisations without a physical presence in the EU to the extent they use equipment located on EU territory for the purposes of processing personal data, and provided such equipment is not merely used for purposes of transit.
Let’s say a U.S. company without a subsidiary, local branch or other physical presence in Europe offers its goods or services online to residents in the UK and processes those residents’ personal data in the U.S. If that company does not use equipment located in the EU for the purposes of processing personal data (other than for purposes of transit), there is a good chance that it will not be subject to national data protection laws implementing the Directive. However, that same company would fall plainly within the scope of the GDPR.
It remains to be seen how these provisions will be applied and, importantly, enforced in practice. In many cases the question as to whether a company will be required to comply with the GDPR might not be so easy to answer. Nonetheless, it is clear that many non-EU organisations that target EU residents through websites and aim to sell goods or services to them or track their online behaviour will fall plainly within the scope of the GDPR.
What Should Businesses Do?
Businesses anywhere in the world that process personal data of EU residents would be well advised to assess whether those data processing activities will need to comply with the GDPR. This can be a tricky assessment, given that it might not always be clear whether processing activities are related to the offering of goods or services, or whether an activity could be considered monitoring and therefore caught by the GDPR. With privacy regulators and courts increasingly favouring a wide interpretation of the territorial scope of data protection laws, businesses will need to consider carefully whether their activities fall within the scope of the GDPR and, where necessary, implement the right policies, processes and procedures to ensure compliance.