On May 25, 2018, the European Union’s new data privacy regulation, known as the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), will become effective. Not only does the GDPR regulate the processing of personal data by an E.U. controller or processor, but it also requires non-E.U. entities, such as non-E.U. companies, universities, investment funds and charities, to comply with the GDPR if they:
- Offer goods or services to individuals who are in the E.U., or
- Monitor their behavior, for example, through online tracking.
Failure to comply with the GDPR can lead to hefty fines (up to 20 million euros or 4% of global annual revenues, whichever is higher).
Accordingly, if an entity undertakes certain activities relating to personal data (e.g., collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying personal data) as a controller or processor, it will need to comply with the GDPR in two instances: (1) where the personal data at stake refer to individuals in the E.U. and the processing relates to offering goods or services to such individuals in the E.U.; and (2) where the entity monitors their behavior, if such behavior takes place in the E.U.
In the case of offering goods or services to individuals who are in the E.U., it does not matter whether a payment is involved. A data processor or controller that envisages offering services in more than one E.U. country is likely to be caught by this provision. Relevant factors include the use of a language or a currency generally used in one or more E.U. countries, combined with the possibility of ordering goods and services in that language.
Generally, however, merely having a website with an accessible email address, or using a foreign language or a language spoken in that E.U. country, without more, may not be enough to trigger the GDPR compliance requirements, but this should be carefully reviewed.
In the second case, involving monitoring behavior, the GDPR will apply when the monitoring consists of tracking individuals on the internet, including any subsequent profiling, analyzing or predicting of personal preferences, behaviors and attitudes. For example, this scenario could apply where online providers and advertising networks place cookies or other tracking devices on the equipment of E.U. individuals for the purpose of tracking their online behavior.
Accordingly, if the non-E.U. entity is covered by the GDPR, it is required to comply with the regulation’s mandates. These include enacting or revising privacy policies and posting certain privacy notices as required by the GDPR, updating procedures for collecting, processing and storing data, and establishing policies and procedures for data breaches. In certain instances, the non-E.U. entity may also need to appoint a representative in the E.U. and a data protection officer.