Does the GDPR apply to non-EU organizations?
One of the sources of confusion regarding the GDPR is whether or not non-EU organizations meet GDPR requirements. There are two scenarios where the GDPR may apply to you:
- Your business is established within the EU.
- Your business is established outside of the EU but you either:
- Offer goods or services to data subjects who are in the European Union, or
- You monitor the behavior of data subjects, as far as that behavior takes place within the EU.
So, is your business established in the EU?
This is a straightforward enough question to answer if your business is entirely based in Spain, France or Italy, but what if your main business is located outside of the EU and you have a very small presence in an EU country?
What does “established” actually mean? We have to look at the “effective and real exercise of activity through stable arrangements” to see what that means.
The following factors by themselves do not determine establishment within the EU:
- Your organization has a single server in an EU country.
- Your website is accessible by people within the EU.
- You have an Article 27 Representative in the EU.
- You use a data processor within the EU (a service provider who processes personal data on your behalf and under your instruction, in other words).
- Your data subjects (the individuals whose personal data you hold) are based in the EU.
Equally, the place of incorporation of your business or the fact that you have a branch or subsidiary in certain countries is not the deciding factor in where your business is established.
Yet, if you have just one sales agent, one employee, or other such representative in an EU country and this constitutes an effective and real exercise of activity through stable arrangements, then you will have an establishment within an EU country.
You don’t have to be processing personal data within the EU for the GDPR to apply. If you are processing personal data “in the context of the activities” of the EU establishment (remember that this may be a single sales rep), then GDPR will apply to you whether the processing takes place within the EU or not.
Hence, if your business is mainly based outside of the EU and this is where the processing of personal data takes place, but you have an establishment within the EU and the processing carried out is in the context of the activities of the entity based outside of the EU, then the GDPR will apply regardless of the fact that the processing is being carried out outside of the EU.
For the processing of personal data to be “in the context of the activities of the establishment,” there needs to be an inextricable link between the activities of the establishment based outside the EU (the one carrying out the processing) and the establishment based in the EU. Inextricable means that the two establishments are connected and cannot be separated.
If processing by a non-EU entity is inextricably linked to the activities of an establishment in the EU, then the GDPR applies to all processing (even of data subjects outside of the EU), even though the EU establishment isn’t carrying out (or taking any part in) the data processing itself.
If you have decided you definitely don’t have an establishment in the EU, then you need to look at whether you:
- Offer goods or services to data subjects who are in the European Union; or
- Monitor the behavior of data subjects, as far as that behaviour takes place within the EU.
In terms of offering goods or services, it is irrelevant whether payment is made for these or not.
When considering whether you’re offering goods or services to data subjects within the EU, you need to look at whether it was actually an active part of your business plan to offer goods or services to data subjects within the EU. If you have a few one-off sales in the EU or sign-ups to your newsletter from data subjects in the EU, for example, you may not be subject to the GDPR.
The following factors are considered in determining whether you are offering goods or services in such a way that the GDPR applies to you:
- Your text is in an EU language.
- You’re displaying prices in an EU currency.
- You’ve enabled the ability for people to place orders in EU languages.
- You make references to the country of EU users or customers.
- You have advertisements directed to people within EU member states.
- You display telephone numbers with international codes.
- You’re using a domain of the European member state (for example, .de or .eu).
- You mention clients or customers in European member states.
This list isn’t exhaustive and all circumstances need to be considered.
The data processing must relate to data subjects located in the EU at the moment when the goods or services are offered or when the behavior is monitored. The citizenship, place of residence, or other legal status of the data subject has no relevance.
One example is that of an app offered by a United States-based start-up that provides city mapping and targeted advertising for tourists from the US visiting European cities such as London, Paris and Rome. These US citizens who are in the EU when the service is offered and their behavior is monitored are “in the EU” and therefore the GDPR applies to this data processing. If, however, a US tourist downloads a US news app that targets US residents while on vacation in a country within the EU, this data processing is not subject to the GDPR.
If you monitor or profile EU individuals’ behavior, where that behavior is occurring within the EU, then the GDPR applies to you.
Monitoring includes the tracking of individuals online to create profiles, particularly where this is in order to make decisions concerning that individual or for analyzing or predicting the individual’s preferences, behaviors, and attitudes. For example, if you’re using cookies to track an individual’s activity on the Internet and that individual is within the EU, the GDPR applies to you.
Can non-EU organizations be fined for non-compliance?
You will no doubt have heard of the headline fines introduced by the GDPR — a maximum of 20 million euros (about $24 million USD) or 4 percent of your worldwide turnover for the previous financial year, whichever is the higher.
In 2019, British Airways faced a £183 million (about $229.72 million USD) fine and Marriott faced a £99 million (about $124 million USD) fine for security breaches. Google was fined 50 million euros (about $57 million USD) for a failure to follow the principles of the GDPR. Many other serious investigations into GDPR compliance failures are ongoing.
But if your business is mainly based outside of the EU, you may be thinking, “Well, why should I bother complying with the GDPR, as surely EU regulators can’t take action against my business?”
Such an approach may not be the smartest. Let’s look at the reasons why.
The regulatory consequences and the huge fines
Article 50 of the GDPR anticipates attempts by non-EU organizations to avoid compliance and makes specific provision for the EU’s data protection authorities to establish international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data.
As was demonstrated by the United Kingdom’s enforcement notice against a Canadian company with no physical presence in the EU that was not in compliance with the GDPR, EU regulators will not be shy to take action against organizations outside of the EU.
Your EU customer and prospects won’t trust you
Aside from the regulatory consequences, your customers and prospects are much more informed about the GDPR than they were when it came to the old data protection laws and may not trust you with their personal data if they see examples of non-compliance.
Supervisory authorities have run public awareness campaigns, so your prospects and customers in the EU will be much more savvy about their rights and how you should be complying with the GDPR. They will know, for example, that you should be providing them with your Privacy Notice and if you don’t do so, they will be suspicious and may decide not to entrust you with their personal data. In many cases, EU customers will vote with their feet and will move to a new supplier who is compliant with the GDPR.
Your EU customers will leave you
If you are processing personal data on behalf of data controllers within the EU — perhaps because you are an email services provider, a technology company, a marketing company or similar — and the data controllers transfer the personal data to you for to process in some way, then you need to comply with the GDPR. If not, the data controller is not legally allowed to hire you as they must only appoint data processors who put measures in place to comply with the GDPR.
Your US customers care about data protection
According to a 2018 survey by Acxiom, 82 percent of people in the US are concerned about the issue of online privacy. This was the highest percentage out of all ten countries surveyed, including Spain, Canada, Australia, the UK, Singapore, France, Argentina, Germany, and the Netherlands.
Although organizations established outside of the EU only need to comply with the GDPR in relation to data subjects within the EU, you might want to think about complying with it for all of your data subjects.
The GDPR is the gold standard of data protection, so if you need to comply for your EU customers and prospects, why not have one tier of data protection rather than a lesser standard for your US data subjects. You can use this to your competitive advantage by advertising the fact that you care about their personal data.
It isn’t as onerous to comply as you think
You might think that complying with the GDPR is a time consuming and expensive thing to do, but if you have the right resources and your business is relatively straightforward, it need be neither of these things.
Do you need an Article 27 representative?
If you do not have an establishment within the EU and the GDPR applies to you, you’re required to appoint a representative in writing.
A representative can be a person or organization that acts as a liaison between your organization and EU supervisory authorities who investigate and enforce data protection matters.
You don’t have to appoint a representative if your processing of personal data meets all three of these criteria:
- It’s occasional.
- It doesn’t include processing of special category data or criminal convictions data on a large scale.
- It’s unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing.
Special category data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
The representative represents your organization with respect to your obligations under the GDPR, with the following two main responsibilities:
- To receive correspondence from supervisory authorities and data subjects on all issues related to the processing of personal data.
- To make available to the supervisory authority, at their request, your Article 30 processing records.
Article 30 processing records are certain records of processing that you, as a data controller or a data processor, are obliged to keep.
Representatives are typically law firms or consultants and must be established within an EU member state where your relevant data subjects are. For example, if you’re established in the United States and have no data subjects in Ireland, you cannot appoint a representative in Ireland because you speak the same language.
After the UK leaves the EU, if you have data subjects within the UK, you will also need to appoint a UK Representative.