Does the GDPR apply to companies outside of the EU?
Under certain conditions, the GDPR applies to companies that are not in Europe. In this article, we’ll explain when and how the GDPR applies outside the EU.
The European Union’s new General Data Protection Regulation is peculiar in that it applies to organizations that may have little to do with the EU. You may be a US web development company based in Denver, Colorado, selling websites mainly to Colorado businesses. But if you track and analyze EU visitors to your company’s website, then you are probably subject to the provisions of the GDPR.
Here we’ll take a detailed look at the geographical scope of the GDPR, including what the regulation actually says and how you might be affected. You shouldn’t take this as personal legal advice, of course. We recommend speaking with an attorney to determine whether the GDPR applies to your organization’s specific case.
The GDPR in a nutshell
The GDPR is an EU data privacy law that goes into effect May 25, 2018. It is designed to give individuals more control over how their data are collected, used, and protected online. It also binds organizations to strict new rules about using and securing the personal data they collect from people, including the mandatory use of technical safeguards like encryption and higher legal thresholds to justify data collection. Organizations that don’t comply will face heavy penalties of up to 4 percent of their global annual revenue or €20 million, whichever is higher.
For an overview of the GDPR, check out our article “What is the GDPR?” And you can read the full text here.
The GDPR does apply outside Europe
The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law therefore applies to organizations that handle such data whether or not they are based in the EU; this is known as its “extra-territorial effect.”
The GDPR spells out in Article 3 the territorial scope of the law:
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Article 3.1 states that the GDPR applies to organizations that are based in the EU even if the data are being stored or used outside of the EU. Article 3.2 goes even further and applies the law to organizations that are not in the EU if either of two conditions is met: the organization offers goods or services to people in the EU, or the organization monitors their online behavior. (Article 3.3 refers to more unusual scenarios, such as EU embassies.)
When does the GDPR apply outside Europe?
As we just mentioned, there are two scenarios in which a non-EU organization might have to comply with the GDPR. Let’s take a closer look at each of these.
Offering goods or services
The Internet makes goods and services in far-flung places accessible anywhere in the world. A teenager in Cyprus could easily order a pizza online from a local pizza shop in Miami and have it delivered to a friend’s house there. But the GDPR does not apply to such occasional instances. Rather, regulators look for other clues to determine whether the organization set out to offer goods and services to people in the EU, for example whether a Canadian company created ads in German or included pricing in euros on its website. To be on the safe side, if your company is not in the EU but you want EU customers, then you should strive to be GDPR compliant.
Monitoring their behavior
Technically, if your organization uses web tools that allow you to track cookies or the IP addresses of people who visit your website from EU countries, then you fall under the scope of the GDPR. Practically speaking, it’s unclear how strictly this provision will be interpreted or how aggressively it will be enforced. Suppose you run a golf course in Manitoba focused exclusively on your local area, but sometimes people in France stumble across your site. Would you find yourself in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data.
Exceptions to the rule
There are two important exceptions we should note here. First, the GDPR does not apply to “purely personal or household activity.” So if you’ve collected email addresses to organize a picnic with friends from work, rest assured you will not have to encrypt their contact info to comply with the GDPR (though you ought to anyway!). The GDPR only applies to organizations engaged in “professional or commercial activity.” So, if you’re collecting email addresses from friends to raise funds for a project, then the GDPR may apply to you.
The second exception is for organizations with fewer than 250 employees. Small- and medium-sized enterprises (SMEs) are not totally exempt from the GDPR, but the regulation does free them from record-keeping obligations in most cases (see Article 30.5).
If you’re pretty sure the GDPR applies to you, it’s a good idea to look over some of the articles and analysis on this website to familiarize yourself with the law. It’s also a good idea to peruse the text of the regulation itself. And if you have any specific questions, you’re welcome to post them in the comments.