The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, BCLP is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: If a company processes data in Europe that relates to both Europeans and Americans is all of the data governed by the GDPR
The GDPR applies to companies that process data “in the context of the activities of an establishment . . . in the Union.”1 As a result, if a company either processes data in Europe or makes decisions about the processing of data in Europe, the act of utilizing its European establishments arguably subjects the data to the scope of the GDPR regardless of whether the information relates to Europeans or non-Europeans (e.g., Americans).
As an example, if a French company collects data about both Europeans and Americans in order to offer an application or a service, a supervisory authority is likely to argue that all of the data (European and American) is governed by the GDPR.2 It is important to note that a supervisory authority is likely to take this position regardless of whether the French company stores the data in Europe, or stores the data in the United States, but directs the use of the data from Europe. Put simply, if a supervisory authority believes that a company is established in Europe, and is processing data in the context of that establishment, then “any personal data processing . . . would fall under the scope of the GDPR, regardless of the location or the nationality of the data subject whose personal data are being processed.”3
1. GDPR, Article 3(1) (emphasis added).
2. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 8.
3. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 9.