GDPR Top Ten #3: Extraterritorial applicability of the GDPR

Explaining the territorial scope of the GDPR and the situations in which its obligations apply outside the European Union

With the introduction of the GDPR, European data protection law will become applicable outside the borders of the European Union. In this blog we will give you an overview of the situations in which a non-EU organisation could fall within the scope of the GDPR when targeting or monitoring individuals in Europe.

Author: Alexander Garrelfs

A peculiar environment

The internet is a space where none of the conventional borders exist. This is one of its biggest advantages when you exchange data, buy or sell online, communicate, etc. It also presents one of its biggest challenges when it comes to the applicability of legislation. Because of this borderless characteristic of the internet, for a long time the question was how to deal with EU privacy rules when processing personal data in connection with online services.

Before the introduction of the GDPR it was hard to apply the obligations of privacy legislation to data controllers and processors outside the EU. The main reason for this was the lack of focus on the individuals whose data was being processed when the applicability of the legislation was determined. The only way to make privacy legislation applicable to a controller outside the EU was if the processing by that controller was performed within the borders of the EU. However the GDPR brings rigorous changes to that concept of territorial scope.

Scoping the territorial scope

Any organisation – bar a few exceptions – that processes personal data within the European Union will fall under the scope of the GDPR. Nothing has changed here when compared to the pre-GDPR situation. However, the territorial scope has been broadened so that the EU privacy rules now also can apply to data controllers outside the EU. The consequence of this expansion is that under the GDPR non-EU data controllers and processors must comply with the European Data Protection obligations when they process data from individuals in the EU for specific goals.

Targeting EU citizens

As a non-EU organisation you can fall in the scope of the GDPR when you are offering goods or services to individuals in the EU. Let’s say for example that you are a Chinese web shop with a website that is available in German, French and English as well. You also process multiple orders a day from individuals within the EU and ship your products to them. This will make you fall in the scope of the GDPR, even though you have no establishment in the EU and are not performing any data processing activities within the EU.

If you are a controller outside of the EU, such as in the example above, it doesn’t matter if the services that you offer are paid or for free, the GDPR does not consider this aspect to determine if you fall within the scope. As such an American free cloud storage service must comply with all the obligations of the GDPR if the service is also offered to users within the EU.

Monitoring EU-citizens

Another situation in which non-EU organisations can fall within the scope of the GDPR is when they are monitoring the behavior of individuals inside the Union. This means that if you are a provider of social networks and you allow users from within the EU to join, that you fall within the scope of GDPR. The same goes for an app developer that decides to gather location data of EU citizens from their smartphones. 

What’s your approach?

The GDPR will offer a high level of protection to individuals in the EU whose data is processed by organisations that are established outside the Union. For companies it’s important to evaluate if these new obligations will be applicable to them. If this is the case, taking action and making sure you are compliant will be the best course of action. You’ll have to make your own bed, so be sure to lie comfortably!

Did you find this useful?