How does the GDPR apply to businesses outside the EU?

Organisations are still getting to grips with their obligations under the new General Data Protection Regulation. But if you operate outside the EU, that does not mean you're exempt from the new legislation, as Alice O'Donovan from McGuireWoods explains.

The new General Data Protection Regulation, or GDPR, has been designed to protect personal data in the face of increasing globalisation and rapid technological advances. As a result, its applicability is not just confined to businesses in the EU: it can apply to any organisation, anywhere in the world, in any sector.

The GDPR applies to organisations that have EU establishments, where personal data is processed in the context of the activities of such an establishment.

But it also applies to organisations outside the EU - even if they have no physical presence in the EU - if they process personal data in the course of:

  • offering goods or services to people (referred to as "data subjects" in the GDPR) in the EU; and/or
  • monitoring the behaviour of data subjects as far as their behaviour takes place in the EU.

What does offering goods or services mean?

The key question is whether the organisation "envisages" offering goods or services to data subjects in the EU.

Simply having a website that is accessible from the EU is insufficient to bring a business within scope. If, however, the website is available in European languages, offers prices in European currencies, and delivers products to the EU, the business will be within scope.

It does not matter whether the data subject needs to pay for the goods or services. Even if the goods or services are offered for free, the organisation will still be caught.

Monitoring behaviour

Your organisation might use online data processing techniques to make decisions about customers and to analyse/predict their personal preferences.

There are many technologies available for this: for example, the use of cookies. Their use can lead to organisations being caught by the GDPR.

Cookies that do not collect personal data or profile users, such as cookies used solely for website functionality, are unlikely to be caught by GDPR.

If, however, an organisation uses cookies to profile individuals in the EU by tracking online activity across websites, it is likely to be processing personal data to monitor behaviour.

In addition, websites that use tracking cookies or applications to track usage could be caught by the GDPR if the information they collect, taken together, renders an individual within the EU identifiable. (Note that the individual need only be identifiable, not necessarily identified.)

There are many other technologies that enable individuals to be tracked or monitored, such as recording and sharing of IP addresses, and apps that gather data about the user.

Non-EU businesses should therefore carefully evaluate the online tracking technologies they use in order to determine whether they fall within scope of the GDPR.

Why does it matter?

Failing to comply with the GDPR may result in a maximum fine of €20m or 4% of global turnover, whichever is higher. In addition, individuals have the right to bring claims for redress where they have suffered damage due to a breach of the GDPR.

Non-EU businesses should give careful consideration to whether they may be caught by the GDPR. If you think your business might be within scope, you should seek advice and take immediate steps towards compliance - or take steps to place your business outside scope (for example, blocking your website to individuals in the EU).

There are question marks over how, in practice, EU regulators will enforce fines against organisations outside the EU.

Nevertheless, non-EU organisations should not underestimate the EU's determination to protect its citizens' personal data. Moreover, irrespective of the risk of enforcement action, non-compliance could result in unwelcome reputational damage.

Does the GDPR apply?

A US retail business has a large store in Manhattan. It does not have any physical presence outside the US. Its website is accessible from the EU, but it does not deliver its products to the EU, its website prices are shown only in US dollars and the website is available only in English. However, EU tourists regularly visit the store and make purchases.

No. There is no indication that this business "envisages" offering its goods to data subjects in the EU. EU citizens may visit the store when in New York, but the GDPR only applies insofar as goods or services are offered to data subjects who are in the EU.

A hotel is located in Los Angeles. Its website is accessible from the EU but its prices are shown only in US dollars and its website is available only in English. However, the hotel has a contract with a travel agent to sell rooms in the hotel to individuals in the EU. Bookings are made via the travel agent, who then passes the individuals' personal data to the hotel.

Yes. Guests may make their bookings through an intermediary, but the hotel clearly still "envisages" that data subjects in the EU will use its services - it has contracted with the travel agent for that reason.

A US-based charity has a website available in English, French, Spanish, and German. It sends free literature to people who get in touch via its website, including people in the EU.

Yes. The charity clearly envisages offering services to individuals in the EU - it is irrelevant that its service is free.