As we’ve mentioned, the General Data Protection Regulation (GDPR) covers companies operating within the EU. But what exactly does the regulation mean for businesses based outside the EU?
If you’re reading this from outside the EU, you’re probably thinking ‘big deal, this won’t affect my organization’. Think again. I have three words: increased territorial scope. The regulation will affect firms both inside and outside of the EU. In fact, any company dealing with the data of EU businesses, residents, or citizens will have to comply with the GDPR. Even if a company has no European presence, it will still have to understand the impact of the GDPR if it processes an EU resident’s personal data. This includes data collected in connection with goods and services offered to that person, or the monitoring of their behavior as far as that behavior takes place within the EU.
The actual wording of Article 3 of the GDPR is wider than this, as it makes no reference to citizenship at all: it applies to any ‘data subject’ in the EU, i.e. a person who is in the EU. Notably, Article 3(2) applies to the processing of personal data of any individual “in the EU.” The individual’s nationality or residence is irrelevant. The GDPR protects the personal data of citizens, residents, tourists, and other persons visiting the EU. So as long as an individual is in the EU, any personal information of that person collected by any controller or processor who meets the requirements of Article 3(2) is subject to the GDPR.
Where Article 3(2) applies, controllers or processors must appoint an EU-based representative. Basically, the GDPR reframed privacy regulations around the location of the data subject rather than the location of the data controller or processor. So if a business is trying to target its goods and services for sale within the EU, it will be caught by GDPR.
Businesses outside the EU will also need to designate a representative in the EU who will “act on behalf of the controller or processor and may be addressed by any Data Protection Authority (DPA)”. The representative can be subject to enforcement proceedings in the event of non-compliance by a non-EU controller or processor.
UK government research has revealed that many UK organizations have not heard of the GDPR and will struggle to be on course in terms of compliance. Worryingly, only 38 percent of businesses responded “Yes” to the question, “Before this interview, had you heard of the General Data Protection Regulation, or GDPR?” More worrying still, this figure is almost certainly worse overseas, where awareness is much lower. If an organization has not heard of the GDPR at this stage, there is little hope that it will be able to adequately prepare for the new law before it goes into effect on May 25, 2018.
Why the GDPR expands beyond the EU
The GDPR, like the past Data Protection Directive (Directive 95/46/EC), continues the ideals for protecting personal data and privacy of EU citizens when their data is being exported, shared, and processed outside of the EU. In other words, GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organizations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
The GDPR does allow data transfers to countries whose legal regime is deemed by the European Commission to provide an “adequate” level of personal data protection. The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection. In the absence of an adequacy decision, transfers to non-EU states are still allowed under certain circumstances, such as by use of standard contractual clauses or binding corporate rules (BCRs).
How might GDPR be enforced outside the EU
So, the next question here is how the extended territorial reach of the GDPR will be enforced by the DPA in each of the EU member states. Our view is that if a business based outside the EU falls foul of the GDPR, even inadvertently, the ICO or another European Data Protection Authority can go after it.
How would an EU DPA go about serving a formal enforcement notice on a US company? At present, there is no clear guidance on this, but it is plausible that DPAs could seek a court injunction to block a service if personal data is being unlawfully processed. And if the personal data is processed illegally in relation to the sale of physical goods, it’s possible that those goods could be seized by trading standards or customs authorities at the border, or that trade restrictions could prevent the business from selling its goods in the EU.
Currently, many organizations don’t even know if they do collect data on European customers and ask, “How do I know if I have any EU data subjects on my list?” Well, if you aren’t 100 percent sure, then you better work on the assumption that you do and prepare in that manner. We might be able to help here with the Return Path Email Client Monitor which can help you know how, where, when, and for how long your email messages are being viewed.
So it seems that every non-EU client will have to evaluate the specific details of its data processing activities in the light of these requirements and decide on the necessary steps to take. It also means that those directly involved in carrying out those steps must be aware of their responsibilities, and how they fit into the grander scheme of things. The update to data protection regulation will reach far beyond EU borders.