The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Does the GDPR apply to all EU citizens’ data?
It is a common misconception that the GDPR relates to data about EU “citizens.” The GDPR includes two jurisdictional “hooks.” Which people the regulation applies to depends, in part, on which jurisdictional “hook” applies to a company.
The first jurisdictional hook is found within Article 3(1), which purports to apply the GDPR to any “establishment” of a controller or processor in the EU, regardless of whether the processing takes place in the EU or relates to data subjects in the EU. According to the GDPR, “establishment” implies the “effective and real exercise of activity through stable arrangements.” The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not a “determining factor” as to whether an establishment exists and, therefore, general jurisdiction attaches. Id. If the GDPR is triggered because a company is established in the EU, an argument may be made that the GDPR is intended to apply to all data subjects – regardless of whether they are citizens of the EU, the United States, or of another country. Such an interpretation would seem to accord with the EU Commission’s statement that companies should respect the principles within the GDPR “whatever the nationality or residence” of a data subject.
The second jurisdictional hook is found within Article 3(2), which purports to apply the GDPR to companies that are “not established in the Union” if they offer goods or services or monitor the behavior of “data subjects who are in the Union.” The term “data subjects who are in the Union” would apply to EU citizens only if they are physically present in the EU. Conversely, the term “data subjects who are in the Union” would seem to apply to citizens of other countries when they are physically present in the EU (e.g., on vacation, studying, or as expatriates).
1. GDPR, Recital 22.
2. GDPR, Recital 2.