The GDPR represents a complete overhaul of the EU’s current privacy framework. The GDPR is intended to have broader and more comprehensive rules regarding the processing, use, and storage of personal data than the EU’s prior Data Protection Directive 95/46/EC. More importantly, unlike the Data Protection Directive, the GDPR will not require transposition into legislation at the national level and will be binding on any subjects that fall within its material and territorial scope.
For entities that process personal data, it is important to determine whether the GDPR’s rules regarding its territorial scope apply to their activities. The territorial scope of the GDPR is broadly outlined in Article 3. Under Article 3(1), the GDPR applies to “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the [European] Union, regardless of whether the processing takes place in the [European] Union or not.” The GDPR defines controllers as organizations or persons that determine the purposes and means of the processing of personal data, while processors are organizations or persons that process personal data on behalf of the controller. Therefore, organizations that are established in one or more EU member states and oversee or handle the processing of personal data in the context of the activities of that establishment fall within the scope of the GDPR.
While Article 3(1) is largely consistent with provisions of the Data Protection Directive, the GDPR has expressly broadened the EU’s jurisdiction to relevant activities that take place outside the EU. Under the Data Protection Directive, a non-EU organization would only be subject to the Directive’s provisions if it used data processing equipment, such as a server, that was physically located within the EU. Article 3(2) of the GDPR, however, clearly states that the GDPR applies to entities located outside the EU if their data processing activities relate to the “offering of goods and services” to data subjects in the EU or “the monitoring of their behavior.” In other words, the GDPR does not limit itself to where the data processing physically takes place.
This means that companies based in the US that market their products or services to individuals and companies within the EU and process data obtained from the EU would be subject to the GDPR even if that data processing occurred wholly within the US. For example, a US retailer that operates a commercial website and advertises, sells, and ships its products to the EU would be required to comply with the GDPR. A US company would also be subject to the GDPR if it collects and processes data related to the purchasing behaviors of individuals based in the EU, regardless of the location of its processing equipment.
Thus, territorial jurisdiction under the GDPR is determined less by the location or headquarters of a business than by the direction and scope of its business activity. Although the GDPR does not lay down clear guidelines for what types of activities would constitute the “offering of goods and services,” Recital 23 of the GDPR states that the operation of a website that is accessible to individuals in the EU would not, by itself, subject the website’s operator to the GDPR. On the other hand, Recital 23 also explains that relevant factors in determining the applicability of the GDPR to a non-EU company include the use of the language or currency of a Member State and mentions of customers that are based in the EU. The prevalence of those factors, among others, would be determinative of whether the GDPR applies to your business activities.