According to current case law, even one employee working in the EU can activate the GDPR’s current trigger mechanism.
In 2016, the European Union passed the General Data Protection Regulation (GDPR), dramatically changing how governments oversee and regulate consumer data privacy protections. The GDPR is an aggressive law that has modernized data privacy best practices to ensure that they’re capable of meeting the demands of our modern, digital economy.
Part of the reason the GDPR has been so successful in transforming the data privacy landscape is that it applies to a broad range of companies and situations across a wide swath of major economic players.
This strength can also be its weakness. The expansive reach of the GDPR means that many companies not based in the EU don’t realize their advertising campaigns and customer base makes them subject to GDPR-specific compliance obligations.
If you’re suddenly asking yourself, “Wait, am I subject to the GDPR?” don’t worry. We’re here to help you figure it out.
What Does the GDPR Actually Say?
U.S. federal data privacy regulation has often been focused on specific industries or sectors (e.g. HIPAA for healthcare, Gramm-Leach-Bliley Act for financial institutions, etc.). The GDPR is unique in that it’s built around consumer interaction instead of business type. In fact, the only time the EU explicitly does not apply is if the collected information is used for a “purely personal or household activity.”
Here’s the GDPR Article 3 text explaining who the law applies to (the important bits are highlighted):
Article 3(1)1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
Takeaway 1: The GDPR applies to companies who operate in the EU, even if the processing of personal data happens outside EU jurisdiction.
Article 3(2). This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behavior as far as their behavior takes place within the Union.
Takeaway 2: The GDPR applies to companies who collect or process the personal information of EU residents, regardless of where the company is located or whether they receive payment, so long as goods or services are being offered and/or individual online behavior happening in the EU is being monitored.
Article 3(3). This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Takeaway 3: This is a narrower use case, but this section clarifies that the GDPR applies to diplomatic missions and consular positions. (You probably won’t have to worry about this one.)
If you don’t understand this technical, legal language, that’s okay. It all boils down to three points. The GDPR applies to data controllers and data processors that are:
- Established in the EU
- Offering goods and services to EU residents
- Monitoring online behavior of EU residents
Let’s discuss.
What Does it Mean to Be an “Establishment” in the EU?
Before we get too far into what it means to be established, let’s go through a few definitions.
What is a data controller?
According to the EU, a data controller is a “legal or natural person, an agency, a public authority, or any other body who, alone or joined with others, determines the purposes of any personal data and the means of processing it.” Basically, a data controller is an entity deciding the types of consumer data being collected, why it’s needed, and what it’s being used for. Depending on circumstances, there may be a joint controller, as well. (I.e., another controller participating in the process of, well, processing. If two companies are both deciding how data can be processed, then both companies might be joint controllers.)
What is a data processor?
By contrast, a data processor is a “legal or natural person, agency, public authority, or any other body who processes personal data on behalf of a data controller.” Data processors are usually third-party vendors tasked with running the analytics, outreach, or storage of consumer data for a controller.
As a processor, you may at times have regulatory compliance obligations—but you may also have pressing consumer expectations for compliance. Getting ahead of consumer expectations for GDPR compliance can be a powerful business strategy, especially when you use it to differentiate your business from competitors. (Just make sure you get the word out in your marketing and on your website!)
Now that we’re on the same page, let’s dive in.
What does it mean to be an “establishment” in the EU? Having physical operations in the EU establishes you, but are you subject to the GDPR if your Boston-based business has a single customer in France? Which laws apply if your website is hosted in the U.S. and has prices listed in U.S. currency, but it’s also accessible in Germany?
According to current case law, even one employee working in the EU can activate the GDPR’s current trigger mechanism (“effective and real activity through stable arrangements”).
But don’t panic!
What Does it Mean to “Offer Goods or Services” Under the GDPR?
If your business is actively targeting, tracking, or selling to EU residents, GDPR compliance should be your top priority.
Notice we didn’t say “if you generate revenue from the EU.” Money doesn’t have to change hands for the GDPR to be applicable. According to GDPR stipulations, your company is “offering goods or services if you:
- Are involved in marketing to EU residents
- Have EU-specific addresses or phone numbers
- Promote reviews or testimonials from EU residents
- Encourage EU residents to create an account with your business
- Use an EU language or currency on your site
- Offer shipping to EU addresses
This is true even if you never make a single euro from your efforts.
What Does it Mean to Monitor Behavior?
Article 4 of the GDPR says monitoring behavior includes the “automated analysis or predicting of behavior, location, movements, reliability, interests, personal preferences, health, etc.” of consumers either online or through the use of smart technology.
Examples of monitoring, also called profiling, include:
- Behavioral or targeted advertising
- Geolocation tracking
- Market research
- Digital fingerprinting
- Risk assessments for automated decision-making processes
- Surveillance methods (CCTV, security cameras, other smart devices)
What’s Next?
We know that taking in all this information probably feels like trying to drink from a fire hose. The truth is that GDPR regulations and compliance obligations are complex. If you’ve read this post and you still can’t tell whether or not the GDPR applies to your company, consider contacting someone who specializes in data privacy consulting.
Data privacy consultants understand the nuance of international privacy law, and they also know how to balance operational needs with compliance obligations. Save yourself time, money, and stress by letting a professional lead your privacy program. That way you can both stay focused on what really matters—your customers.
Join the conversation!