Does the GDPR Apply to Companies Outside of the EU?
In 2018, the European Union (EU) launched the General Data Protection Regulation (GDPR). It governs the collection and use of personal data by all private and public entities. The regulation is tied to the personal data of EU citizens, not to where the processing entity is located, so businesses outside the EU are not automatically exempt. Rather, under certain circumstances, the GDPR applies to non-EU companies.
Below, we explain the conditions under which companies outside the EU must follow the GDPR, and what happens if they do not.
Overview of the GDPR
The GDPR is a legal framework devised by the EU, which came into full effect in May 2018. Designed to give EU citizens greater control over the collection and use of their data online, it binds companies to a set of principles and privacy rights enshrined in the regulation.
These include limiting data collection to essential purposes, storing data securely, and ensuring data collection is lawful, fair, and transparent. EU citizens must also actively consent to their data collection.
The regulation was drafted in the wake of multiple high-profile leaks from major corporations. Privacy concerns were also voiced by EU citizens, who worried that their personal data was being collected secretly and without their consent.
That is why the EU drafted the GDPR: currently the most stringent data protection law worldwide.
The GDPR applies throughout the world
As the internet is a global entity, so too is the GDPR. By leveraging EU power, the GDPR legislates against the misuse of data belonging to EU citizens anywhere in the world. This is known as an “extra-territorial effect.”
To quote Article 3 of the GDPR:
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
  (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  (b) the monitoring of their behavior as far as their behavior takes place within the Union.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
When does the GDPR apply in non-EU territories?
As Article 3 of the GDPR shows, there are two primary occasions on which the GDPR has an extra-territorial effect. These are:
Offering goods and services. With goods and services freely traded across territorial boundaries, the GDPR primarily concerns itself with how the personal data of EU citizens is used in such transactions.
For instance, if an EU citizen in Denmark can purchase a product or service from a vendor in Chicago, then the vendor must comply with the GDPR. In short: any non-EU business that caters to EU customers should be GDPR-compliant.
The keywords here are “can” and “cater.” Just because an EU citizen can purchase from a non-EU business does not mean the business caters to EU citizens. A restaurant in Tokyo may take orders over the internet, but if it does not market to EU citizens, it is exempt from the GDPR.
Monitoring behavior. The most common way the GDPR affects everyday internet activity is through cookies. These are small pieces of data used to track the usage of a website, and such tracking data is considered personal data under the GDPR. Therefore, any site open to EU citizens must follow the GDPR when collecting and using it.
Does that mean that almost every website on the internet must be GDPR-compliant? In a nutshell: yes. But that is not necessarily how things work in practice. If a Dutch citizen uses a Vietnamese bookshop’s website that isn’t GDPR-compliant, it is unlikely to have many ramifications. The GDPR is stringent – just not that stringent.
What are the exceptions to the extra-territorial effect?
There are two main exceptions to the extra-territorial effect of the GDPR:
- First, the GDPR does not apply to “purely personal or household activity”. Therefore, if you have a friend who writes to you from France, you are not obligated to follow the strict privacy and consent rules. Rather, only organizations engaged in “professional or commercial activity” must routinely follow the GDPR, and they must also be able to demonstrate that they do so.
- Second, the GDPR mostly applies to large businesses with more than 250 employees. Small and medium-sized enterprises must still comply with the GDPR, but they are freed from most record-keeping obligations.
What happens if a non-EU company is GDPR non-compliant?
Should a non-EU business be GDPR non-compliant, it may face fines of up to €20 million or 4% of annual global turnover – whichever is higher.
That’s a significant sum for any business. It can even threaten bankruptcy. Following the GDPR is therefore not only an obligation; it’s a necessity.
If you run a business outside EU jurisdiction, be aware of the extra-territorial obligations your business is under. Ensure you follow the letter of the regulation when collecting and using the personal data of EU citizens.
There remains some scepticism about how fines will be levied against non-EU businesses. But it would be foolhardy to assume you can escape the consequences of non-compliance.
That is the overview of when the GDPR is relevant to non-EU businesses. In short, the GDPR applies to non-EU organizations in two circumstances: when they offer goods and services to EU citizens, and when they monitor their behavior.