Expanded territorial scope
The GDPR represents a significantly increased territorial reach over its Data Protection Directive predecessor. Article 3 of the GDPR outlines that (all emphasis added unless otherwise stated):
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Two primary groups of entities must therefore comply with the GDPR.
- Firms located in the EU
- Firms not located in the EU, if they offer free or paid goods or services to EU residents or monitor the behavior of EU residents
This second category likely renders most global businesses liable. If a firm has any European presence, it would need to either become compliant for its entire user base, or become capable of identifying EU residents within its user base and adhering to GDPR rules for that group only. However, it is expensive and likely impractical to build and maintain two parallel systems and policies for EU residents and non-EU residents, and incorrect classification can lead to penalties. It is expected therefore that many firms will choose to migrate their global operations to comply with the GDPR regime.
Recital 23 provides a further clarification for cases where it’s unclear if a firm offers goods and services to EU data subjects:
Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
This outlines non-exhaustive examples for deciding whether there is sufficient evidence that a firm is within the GDPR’s scope:
- May be insufficient evidence
- The firm’s website is accessible to EU residents
- The firm’s email or other contact details is accessible to EU residents
- The firm is located in a non-EU state that speaks the same language as an EU state
- May be sufficient evidence
- The firm markets its goods and services in the same language as that which is generally used in an EU member state
- The firm lists prices in EU member state currencies (the Euro, British pound sterling, Swiss franc, etc.)
- The firm cites EU customers or users
This recital therefore provides a safe harbor to firms that do not market goods or services to the EU, by calling out that they do not need to undertake potentially expensive processes to block EU IP addresses from accessing their websites or reject emails sent by EU mail servers.
It further suggests a nuanced interpretation when it comes to marketing language. One possibility is that languages commonly used outside of EU states such as English or Spanish will not be by themselves deemed sufficient evidence of intent to offer goods and services to EU residents, whereas languages more local to EU member states, such as Bulgarian or Estonian, may be sufficient alone.
Exemptions and Derogations
While the GDPR has broad implications for commerce, it nonetheless exempts certain entities or activities from compliance. Below is a non-exhaustive review of key exemptions.
Personal or household activity
Article 2(2c) states that the regulation does not apply for data processing :by a natural person in the course of a purely personal or household activity”.
No grandfathering for previously collected personal data
The GDPR does not grandfather in personal data collected prior to its enforcement. Only if the manner by which such data were collected would have satisfied the GDPR in the first place can processing continue. Otherwise, controllers must either attempt to obtain consent from data subjects for such data, or cease processing.