In 2018, the European Union (EU) launched the General Data Protection Regulation (GDPR). It governs the collection and usage of personal data by all private and public entities. The regulation applies exclusively to the personal data of EU citizens, but it follows that data wherever it is processed, so businesses outside the EU are not exempt: under certain circumstances, the GDPR applies to non-EU companies.
Below we’ll explain the conditions under which companies outside the EU must follow the GDPR, and what happens if they do not.
The GDPR is a legal framework devised by the EU, which came into full effect in May 2018. Designed to provide EU citizens with greater control over the collection and use of their data online, it obligates companies to a set of principles and privacy rights enshrined in the regulation.
These include limiting data collection to essential purposes, storing data securely, and ensuring data collection is lawful, fair, and transparent. EU citizens must also actively consent to their data collection.
The regulation came following multiple high-profile leaks from major corporations. There were also privacy concerns voiced by EU citizens, who worried their personal data was being secretly collected without their consent.
That’s why the EU drafted the GDPR: currently, the most stringent data protection law worldwide.
As the internet is a global entity, so too is the GDPR. By leveraging EU power, the GDPR legislates against the misuse of data belonging to EU citizens anywhere in the world. This is known as an “extra-territorial effect.”
To quote Article 3 of the GDPR (relevant sections are highlighted in bold):
As we can see in Article 3 of the GDPR, there are two primary occasions when the GDPR demonstrates an extra-territorial effect. These are:
Offering goods and services. With goods and services freely traded across territorial boundaries, the GDPR primarily concerns itself with how EU citizens’ personal data is used in such transactions.
For instance, if an EU citizen in Denmark can purchase a product or service from a vendor in Chicago, then the vendor must comply with the GDPR. In short: any non-EU business that caters to EU customers should be GDPR compliant.
The keywords here are “can” and “cater.” Just because an EU citizen can purchase from a non-EU business does not mean the business caters to EU citizens. A restaurant in Tokyo may take orders via the internet; however, if it does not market to EU citizens, it is exempt from the GDPR.
Monitoring behavior. The most common instance of the GDPR affecting regular internet activity is through cookies. These are small data files stored by the browser that can be used to track the usage of a website. Such tracking data is considered personal data under the GDPR. Therefore, any site open to EU citizens must follow the GDPR when collecting and using it.
Does that mean that almost every website on the internet must be GDPR-compliant? In a nutshell: yes. But that’s not necessarily how things function in practice. If a Dutch citizen uses a Vietnamese bookshop’s website that isn’t GDPR-compliant, it’s unlikely to have many ramifications. The GDPR is stringent – just not that stringent.
There are two main exceptions to the extra-territorial effect of the GDPR:
Should a non-EU business be GDPR non-compliant, it may face fines of up to €20 million or 4% of annual global turnover – whichever is higher.
That’s a significant sum for any business. It can even threaten bankruptcy. Following the GDPR is therefore not only an obligation; it’s a necessity.
If you run a business outside EU jurisdiction, please be aware of the extra-territorial obligations your business is under. Ensure you follow the letter of the regulation when collecting and using the personal data of EU citizens.
There remains some scepticism about how fines will be levied against non-EU businesses. But it would be foolhardy to assume you can escape the consequences of non-compliance.
That’s the overview of when the GDPR is relevant to non-EU businesses. In short: the GDPR applies to non-EU organizations under two circumstances: when offering goods and services and when monitoring behavior.