The Extraterritorial applicability of the GDPR: even outside the EU?

Australian, Asian, American (and other) non-EU based companies: brace yourselves, as the EU's new General Data Protection Regulation (GDPR) is coming for you too! While there are many questions relating to the new regulation, a key question remains: are companies outside of the European Union required to comply with EU rules, even when they lack any physical presence within the Union? In this blog we will try to help you understand whether the GDPR will apply to your company. Bear in mind that the exact answer will largely depend on the specific business activities of your organisation.

The GDPR replaces the EU Data Protection Directive from 1995 and will come into force on 25 May 2018. It promises new data protection rules that, among other things, will strengthen the right of individuals to control their own data. The GDPR brings a crucial change by expanding its territorial scope outside the EU. In other words: the GDPR can, and when certain conditions are met will, apply to your company even if it is based outside the borders of the EU. Non-compliance could have severe consequences for your business, as the GDPR contains a new set of penalties that could go up to 20 million euros. Thus, the one million dollar question remains the same: when should you, as a non-EU company, start getting worried about the GDPR? The answer can be found in Article 3 of the GDPR. It introduces two situations, each tied to specific business activities (the targeting and/or monitoring of EU citizens), in which the regulation applies to controllers and processors that have no physical presence in the EU. According to the article, the GDPR will apply to processing activities related to:

  • The targeting of EU citizens: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

  • The monitoring of EU citizens: the monitoring of their behaviour as far as their behaviour takes place within the Union.

There is no conclusive definition of the behaviour that would constitute the 'offering of goods or services'. Luckily, the GDPR recitals give us some guidance on which factors could be relevant in making that decision. For example, the use of the language, currency or top-level domain name of an EU Member State could be a strong indication that you are targeting EU citizens within the meaning of the GDPR.