Explaining the territorial scope of the GDPR and the situations in which its obligations apply outside the European Union
With the introduction of the GDPR, European data protection law became applicable outside the borders of the European Union. In this blog we will give you an overview of the situations in which a non-EU organisation could fall within the scope of the GDPR when targeting or monitoring individuals in Europe.
A Wonderful Yet Strange Environment
The internet is a space where none of the conventional borders exist. This is one of its biggest advantages when you exchange data, buy or sell online, communicate, etc. It also presents one of its biggest challenges when it comes to the applicability of legislation. Because of this borderless characteristic of the internet, for a long time the question was how to deal with EU privacy rules when processing personal data in connection with online services.
Before the introduction of the GDPR it was hard to apply the obligations of privacy legislation to data controllers and processors outside the EU. The main reason for this was that the rules determining applicability focused on where the processing took place, not on the individuals whose data was being processed. The only way to make privacy legislation applicable to a controller outside the EU was if the processing by that controller was performed within the borders of the EU. However, the GDPR introduced rigorous changes to that concept of territorial scope.
Scoping the territorial scope
Any organisation – bar a few exceptions – that processes personal data within the European Union falls under the scope of the GDPR. Nothing has changed here when compared to the pre-GDPR situation. However, the territorial scope was broadened so that EU privacy rules also apply to data controllers and processors outside the EU. The consequence of this expansion is that under the GDPR non-EU data controllers and processors must comply with the European data protection obligations when they process data of individuals in the EU for specific purposes.
Targeting EU citizens
Non-EU organisations can fall within the scope of the GDPR when they offer goods or services to individuals in the EU. Let’s say for example that you are a Chinese web shop with a website that is also available in German, French and English. You process multiple orders a day from individuals within the EU and ship your products to them. This brings you within the scope of the GDPR, even though you have no establishment in the EU and are not performing any data processing activities within the EU.
If you are a controller outside of the EU, such as in the example above, it doesn’t matter whether the services that you offer are paid or free: the GDPR does not consider this aspect when determining whether you fall within its scope. As such, an American free cloud storage service must comply with all the obligations of the GDPR if the service is also offered to users within the EU.
Bear this in mind when choosing US cloud platforms such as AWS and other US-owned cloud service providers (CSPs). The US CLOUD Act of 2018 clashes with the GDPR, as any US entity would have to comply with data access requests under a US court warrant wherever the data on its platform rests.
Another situation in which non-EU organisations fall within the scope of the GDPR is when they monitor the behaviour of individuals inside the Union. This means that if you are a provider of a social network and you allow users from within the EU to join, you fall within the scope of the GDPR. The same goes for an app developer that decides to gather location data of EU citizens from their smartphones.
What’s your approach?
The GDPR offers a high level of protection to individuals in the EU whose data is processed by organisations that are established outside the Union. For companies it’s important to evaluate whether the GDPR obligations are applicable to them. If this is the case, taking action and ensuring you are compliant will be the best course of action. You’ll have to make your own bed, so be sure to lie comfortably!