Client Alert: Does the GDPR Apply to my Organization?
Guidance from EU authorities clarifies the scope for U.S. organizations
By: Eric Langland, CIPP/E, CIPP/US
Many U.S. organizations receive personal data from EU residents, whether or not the organization is active in the EU market. With its laundry list of compliance obligations and hefty fines, it’s no surprise these organizations frequently ask whether the EU’s General Data Protection Regulation (GDPR) applies to their collection of EU resident personal data.
Fortunately, EU authorities have spoken. In draft guidelines issued recently, the European Data Protection Board (EDPB) elaborated on the territorial scope of the GDPR. Perhaps the most significant developments in the EDPB’s guidance were (1) the addition of a “targeting” requirement for organizations outside the EU that offer goods or services to residents in the EU, and (2) the requirement for companies monitoring the behavior of EU residents to analyze or build a behavioral profile with the data. As a result, the guidance restricts the GDPR’s scope for organizations outside the EU.
While the EDPB’s guidance covers a range of areas, here are the key takeaways from the guidance regarding the offering of goods or services to, or monitoring the behavior of, EU residents by organizations outside of the EU.
Offering Goods or Services to EU residents
Merely possessing or processing the personal data of EU citizens alone is not sufficient to bring a U.S.-based organization under the purview of the GDPR. Instead, the organization offering goods or services to EU residents must “target” individuals in the EU. The guidance provides a list of nine factors to consider when determining whether an organization is targeting EU residents by offering them goods or services: (1) the organization makes reference to the EU or member states with regard to the goods or services offered; (2) the organization outside the EU has launched a marketing campaign in the EU, or pays a search engine operator to facilitate access by EU residents; (3) the nature of activity at issue is international, e.g., tourism; (4) the organization references dedicated contact information for EU residents; (5) the organization uses an EU or member state domain name, e.g. “.de” or “.eu”; (6) the organization provides travel instructions for residents in the EU to a place where the service is provided; (7) the organization references clientele in the EU; (8) the use of a language or currency that is different from the one used in the non-EU organization’s country; and (9) the organization offers to deliver goods or services in an EU member state.
An EU resident visits the website of a U.S. company and signs up to join its weekly newsletter. The EU resident provides her name, email address, and home address. The company does not market its goods or services to residents in the EU, nor does it have a regional office, subsidiary, or sales representative in the EU. Furthermore, it does not monitor (see discussion on monitoring below) the behavior of EU residents. The U.S. company is not targeting its goods or services to EU residents and is not subject to the GDPR.
A bank in the United States has customers who are German citizens but reside in the United States. The bank directs all of its services to customers in the United States and has no presence in the European Union. The bank is not targeting EU residents and is not subject to the GDPR.
A website owned by a Boston-based company, with its servers and IT personnel in the United States, offers services for the creation, printing, and shipping of family photo albums. The website is available in English, French, Dutch and German. Payment can be made in euros and sterling. The printed products can be shipped to Europe. The company is subject to the GDPR because accepting euros, offering delivery to the EU, and presenting the website in languages spoken in the EU would meet the EDPB’s definition of “targeting” EU residents.
A university in New Hampshire allows prospective students to apply for admission on its website. Admission is open to any student with a sufficient level of education and English language skills. The university does not market the program to EU residents and only takes payment in U.S. dollars. An EU resident applies to the program and submits her personal information through the website. The university is not subject to the GDPR because none of its activities fall within the definition of “targeting” individuals in the EU.
Same fact pattern as above, but the university partners with an EU university or hires a study abroad company to market its program in the EU. The GDPR applies because the university is now targeting EU residents by advertising its program in the EU.
Monitoring the behavior of EU residents
Even if an organization outside the EU does not offer goods or services to EU residents, it may be subject to the GDPR if it “monitors” the behavior of individuals in the EU. “Monitoring” includes not only tracking user behavior online through cookies and other technologies, but also geo-location activities, CCTV, online surveys, and others. However, monitoring alone will not necessarily trigger the GDPR. According to the guidance, monitoring implies that the organization “has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behavior within the EU.”
A company in the United States provides advice to retailers about customer shopping trends by tracking customer movements via Wi-Fi throughout shopping centers. The company is advising a French shopping mall and collects the geo-location information of French shoppers through their smart phones. The company uses this information to build a shopping profile of each customer. The U.S. company is subject to the GDPR. The tracking of geo-location and subsequent profiling constitutes “monitoring” under the GDPR.
A U.S. company uses an analytics tool on its website to track visitors’ behavior—e.g., length of visit, pages visited, content viewed, etc. It does not market its goods or services to EU residents, but it collects data from EU residents when they visit the website. The company does not include EU resident data in the analysis and profiling that results from the processing of its analytics data. Although the company engages in monitoring, the GDPR will not apply if the company does not reuse the EU residents’ data in a profile or behavioral analysis.
The EDPB provides valuable guidance regarding the “targeting” and “monitoring” of EU residents by organizations outside the EU. U.S. organizations with EU resident data will need to analyze their data processing activities to determine whether they fall within the GDPR’s territorial scope. In addition to the GDPR, EU member state law and the EU’s ePrivacy Directive may apply to your organization’s processing of EU resident data.
The EDPB’s guidance on the GDPR’s territorial scope is open for public comment until January 18, 2019.
Eric Langland is an attorney at Bernstein Shur. His practice focuses on helping organizations build data privacy programs and comply with data privacy laws. Previously, he was the privacy officer and in-house counsel for a large German company’s operations in the United States. He holds the International Association of Privacy Professionals’ CIPP/E and CIPP/US certifications.