In my first blog post on GDPR, I talked about why some U.S. businesses have an obligation to comply with the European Union’s General Data Protection Regulation (GDPR). This post expands on the territorial scope of GDPR. Which U.S. businesses have to comply with GDPR and which don’t?
Starting with GDPR's direct coverage, GDPR applies to businesses established in the EU. If a business has a division or office in the EU, then its activities there are covered by GDPR. Also, if a business offers goods or services in the EU (even if free), the business must comply with GDPR. In addition, if a business is monitoring the behavior of EU residents, GDPR applies. Finally, if EU law applies because of public international law, then GDPR applies there as well. This last basis will not affect most U.S. businesses. These bases for GDPR's coverage all appear in GDPR Article 3.
In addition to direct coverage, a U.S. business may have compliance obligations indirectly because it is processing data on behalf of a company that is covered by GDPR. The customer may be a controller collecting personal data from EU residents or may itself be a data processor receiving data from a controller covered by GDPR. In either case, a controller and any downstream processor have an obligation to protect personal data collected from EU residents. They will need to make sure any U.S. businesses providing data processing services meet standards of the kind imposed by GDPR, through an agreement or other mechanism. The two most common mechanisms are "standard contractual clauses" – essentially an addendum to a service agreement that imposes data protection requirements – or a U.S. business's self-certification under the EU-U.S. Privacy Shield program of the U.S. Department of Commerce. A U.S. business providing services for a European controller or processor can import EU personal data to the U.S. if it provides assurances of an adequate level of protection under either of these two mechanisms. These U.S. businesses, then, have an indirect obligation to comply with GDPR standards.
How does this analysis work in specific situations? Let's imagine that you run a local health clinic in San Francisco, California, and treat tourists from EU member states. Your clinic advertises locally with a simple website that does not monitor visitors' behavior. The business has no locations in Europe and does not market its services in Europe. Is your clinic covered by GDPR?
Under the facts given, the clinic is not covered by GDPR. The clinic is located only in San Francisco. It has no European operations. It does not attempt to market its services in Europe. And it is not monitoring the behavior of residents of the EU.
If we change the facts, though, the result could be different. If the clinic has a branch in the EU, markets its services to EU residents, or monitors the behavior of website visitors, then GDPR applies to it. Any one of those factors would be sufficient to bring the clinic within GDPR. Indeed, any business globally with a website monitoring EU residents’ behavior is covered. Consequently, the long arm of the EU’s GDPR law potentially reaches everywhere.
Stephen Wu has written or co-written seven books on data security legal topics, and leads the International Network of Boutique and Independent Law Firms’ global GDPR working group. For assistance to determine if you must comply with GDPR or regarding your GDPR compliance program, please contact Stephen Wu by completing the web form here.