The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, BCLP is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Is a company that provides a product or a service to a person in Europe always subject to the GDPR?
While the GDPR purports to apply extraterritorially to a company that is not based in the European Union but “offer[s] goods or services” to a person who is located in the European Union, the European Data Protection Board has emphasized that merely providing service to individuals that happen to be in Europe is not enough to trigger the GDPR. Instead, the EDPB has implied that the subjective intent of a company to offer products to Europeans must be evaluated. Specifically, the EDPB has focused on whether a company was “targeting” Europeans when providing a service, or whether a company has “demonstrate[d] its intention to offer goods or services to a data subject located in the Union.”1 The EDPB’s interpretation of the extraterritorial reach of the GDPR relies on language within the recitals of the GDPR that suggests that a company must “envisage” the offering of services into the Union in order for the regulation to apply extraterritorially.2
In order to determine whether a company intends to offer goods or services into Europe, the EDPB has suggested that supervisory authorities consider the following non-exhaustive list of factors:
Based upon the guidance provided by the EDPB, there are several situations in which an American company may physically provide a product or a service to individuals that are in Europe, but not be subject to the GDPR. For example, if a company markets an App only to Americans, but an individual uses the App while in Europe on vacation, the EDPB has made clear that the company would not be subject to the GDPR because it did not intend to target Europeans.4 This determination should not be impacted by the mere fact that, if the company examined its web logs, it might have knowledge that a user entered the App via Europe.
1. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 14-15.
2. GDPR, Recital 23.
3. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 15-16.
4. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 14 (Example 9).