The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, BCLP is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: If a company in the United States uses a service provider that is located in Europe, does it risk subjecting itself to the GDPR?
The GDPR applies to companies that process data “in the context of the activities of an establishment . . . in the Union.”[1] Although the regulation does not offer a precise definition of what it means to be an “establishment,” the recitals to the regulation state that an establishment “implies the effective and real exercise of activity through stable arrangements.”[2] This language has led many American companies to be concerned that using a service provider in Europe might be viewed as a “stable arrangement” that brings American companies, inadvertently, within the jurisdiction of the GDPR.
The European Data Protection Board has addressed this concern by stating that it “deems that a processor in the EU should not be considered to be an establishment of a data controller . . . merely by virtue of its status as processor.”[3] As a result, an American company “will not become subject to the GDPR simply because it chooses to use a processor in the [European] Union.”[4]
Although American companies are not infected with the GDPR simply because they send their data to European processors, it is important to note that European service providers are, themselves, subject to the GDPR when handling the American data. The net result is that while an American company may not need to comply with the GDPR, its European provider is independently “required to comply with the obligations imposed on processors by the GDPR.”[5]
1. GDPR, Article 3(1) (emphasis added).
2. GDPR, Recital 22 (emphasis added).
3. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 9.
4. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 10.
5. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 9.