GDPR in 2020: What You Need to Know

essidsolutions

Most businesses the world over have adjusted data policies for GDPR, the General Data Protection Regulation put forth in 2018 by the European Union. GDPR brought stringent requirements for how personal data must be handled for European Union citizens. Even businesses that don’t operate in the EU adjusted to the requirements rather than inadvertently getting caught by the regulations.

Well, the rules have changed a little. That’s because late last year, the European Data Protection Board that oversees the consistent application of GDPR clarified the rules with guidelines for the extraterritorial application of GDPR.

“The guidelines specify what types of relationships or data processing activities could trigger GDPR for the non-EU entity,” says Odia Kagan, partner and chair of law firm Fox Rothschild LLP’s GDPR Compliance & International Privacy Practice.

That’s of particular interest for businesses in the U.S., which in most cases are non-EU entities that nonetheless often engage with European Union citizens. These guidelines matter.

With that in mind, here’s the skinny on how these guidelines might impact your business.

When GDPR Applies to Your Business

The new guidelines don’t change the substance of GDPR regulation; all the good stuff around data privacy and the right to be forgotten still apply. Where the guidelines change things is by clarifying which businesses must follow these rules. There’s more clarity since the final guidelines were released.

If You’re a Data Processor

Cloud platforms and service providers often argue that they are exempt from certain regulations because they don’t create or control the data. The EU says that these cloud platforms must conform to GDPR rules, however.

“One important addition in the guidelines is clarifying that non-EU service providers are also subject to GDPR and should implement compliance procedures,” says Kagan.

So if you run a platform that includes EU citizens, GDPR rules are in full effect even if your servers live in Texas and your business is incorporated in Delaware.

If You Intentionally Sell to EU Citizens

Businesses that sell goods or services in the U.S. but don’t follow GDPR are not necessarily in the firing line if one of their products or services ends up being used by an EU citizen. The new guidelines make it clear that GDPR only applies if the business is intentionally going after EU citizens.

“A company providing goods or services to users in the EU will be subject to the GDPR only where these offerings result from intentionally, rather than inadvertently or incidentally, targeting individuals in the EU,” notes Nate Garhart, special counsel for law firm Farella Braun + Martel LLP.

“U.S. businesses should document their policies and processes—and train employees on such policies and processes—to make clear that the company is not intentionally targeting EU users,” he advises.

If You Have Stable Representation in the EU

GDPR applies to your business if you have what is known as “stable representation” in an EU member state.

“The guidelines confirm that GDPR applies to you if you have some form of stable representation in the EU,” says Kagan.

A good example of stable representation is the business that has an office based in Europe, or if an employee of the company lives there. Where it gets tricky is that even an agent for the business who works there might be considered stable representation. The point is that businesses that have some enduring tie to an EU country fall under GDPR rules.

If You Track EU Citizens

Finally, the guidelines clarify that GDPR applies to businesses outside of the EU if the business knowingly tracks or monitors EU citizens. It doesn’t take a financial transaction for a business to get caught by GDPR jurisdiction; merely tracking EU citizens triggers GDPR rules, as you might expect given that the point of GDPR is protecting individuals from losing control of their data.

The obvious exception is if you track EU citizens without knowing you are doing so. This is a realistic limitation or else every business that uses internet cookies might inadvertently fall afoul of the regulations.

When GDPR Does Not Apply

The recent guidelines also clarify when businesses are not ensnared by GDPR. Two common-sense exemptions apply.

If a Web Site Is Accessible in the EU

Thankfully, the guidelines put forth by the Data Protection Board explicitly exclude businesses from GDPR rules that have no connection with the EU but still can be found on the web by EU citizens.

“The final guidelines make clear that, as expected and appropriate, the mere fact that the website of a U.S. business is accessible to users in the EU does not make that company’s activities subject to the requirements of the GDPR,” notes Garhart.

So the accessibility of a company’s web site by people in the EU does not introduce GDPR liability to a business.

If Customers Visit the EU

In a second nod to common sense, GDPR also does not apply to businesses that interact with customers who are outside the EU and then take a holiday there. Just entering the EU is not enough to trigger GDPR rules.

“Where a company targets individuals outside of the EU, and certain recipients continue to receive such goods or services after entering the EU, the GDPR will not necessarily be triggered,” explains Garhart.

Time for a Legal Review

In light of the new guidelines, businesses should take another look at their GDPR compliance and see if anything has shifted. The penalties for GDPR non-compliance are up to $22 million or 4 percent of global turnover, whichever is higher. That makes GDPR a requirement that most applicable businesses will want to follow.

“If you have examined whether GDPR applies to you and decided it did not, you should take another look in view of the guidelines,” says Kagan. “If you already know that you are in scope, you should take a look at the guidelines and the examples they provide to see whether you need to change anything.”

The new guidelines don’t change the substance of GDPR, but they do define the scope more precisely.

This article is for informational purposes only, and does not constitute legal advice.