May 31, 2018
Borders, Branches, and Behavior: Dispelling Myths about Scope of General Data Protection Regulation
By now, you've likely heard about "the GDPR," the European Union's new data protection law that became effective on May 25, 2018. The General Data Protection Regulation replaces an older EU law and, in addition to imposing new requirements on entities that process personal data, the regulation has a broader territorial scope than the old law. Specifically, the GDPR applies beyond the borders of the EU to companies that do not consider themselves to be "in the EU." Given this expanded scope, we have observed quite a bit of misinformation and confusion about exactly who needs to worry about the GDPR. Companies that touch personal data should consider whether they are subject to the GDPR and not fall prey to myths about the GDPR's scope. The following are eight common myths about the GDPR's territorial scope.
1. Myth: The GDPR applies only to "data companies."
The GDPR applies to companies that "process" personal data under certain circumstances. The term "process" is defined broadly and means any operation performed on personal data, including but not limited to collection, organization, storage, alteration, retrieval, use, disclosure, or erasure. It is possible that any company that touches personal information could be within the GDPR's scope, not just companies that consider themselves "data companies."
2. Myth: The GDPR applies only to entities processing personal data on EU residents.
The GDPR does not act to protect only EU residents or citizens. It applies where a company offers goods or services to individuals "in the EU" and it applies to entities that monitor the behavior (within the EU) of individuals who are "in the EU." Thus, an American that does not have dual citizenship or live in the EU, but travels there, could be "in the EU;" on the other hand, a citizen of Germany visiting the U.S. would not be an individual "in the EU." Citizenship and residency are not part of the territorial scope equation.
3. Myth: A carefully constructed legal structure can shield you from the GDPR.
Just like citizenship and residency are not part of the territorial scope equation, neither is legal form, at least not entirely. While one prong of the territorial scope article says that the GDPR applies where processing is "in the context of" an entity established in the EU, "establishment" captures more than legal form and requires an evaluation of a company's business model. Other prongs are similarly complicated. A company would not be able to escape the scope of the GDPR simply by corporate restructuring.
4. Myth: Any company that collects email addresses on website visitors must comply with the GDPR.
While the GDPR applies broadly, it does not apply this broadly. You likely have been getting lots of emails from different websites about changes to their privacy policies, but those companies aren't subject to the GDPR just because you've visited their sites and provided an email address. Companies that monitor the behavior of individuals that are in the EU are subject to the GDPR-to the extent that the behavior they are monitoring is in the EU-but collecting an email address alone would not be monitoring.
5. Myth: You can escape the scope of the GDPR by storing-and keeping-your data outside the EU.
The GDPR does not care where you store your data. The GDPR will apply to certain processing related to an EU establishment, and it will apply to you where you offer goods or services to individuals in the EU or where you monitor certain behavior of individuals in the EU. If you do any of these things, it won't matter whether you store data in, or transfer data to, the EU, nor will you be pulled into the GDPR's scope simply by engaging a server farm in Finland.
6. Myth: The GDPR doesn't apply to companies who only have an online presence.
You do not escape the reach of the GDPR by conducting all business online and not opening that branch in Bulgaria. Like previously mentioned, the GDPR applies in certain circumstances to the processing of personal data in relation to individuals in the EU. It will not matter whether a company interacts with a customer in person in the EU or the interaction happens online.
7. Myth: The GDPR applies to all companies with an online presence.
The other side is that companies that do business with individuals online are not necessarily subject to the GDPR. The GDPR's recitals point out that a company is not offering goods or services to individuals in the EU just by setting up a website that someone in the EU can access. That company would have to do more to fall within the scope of the GDPR under this prong, or it could be subject to the GDPR under other prongs.
8. Myth: The GDPR does not directly apply to service providers that process data for others.
One of the big changes that the GDPR ushers in is that it applies directly to service providers to companies that own personal information. The GDPR would call these services providers "processors" and the data owners "controllers." Data processors should, just like data controllers, consider whether, and to what extent, they are subject to the GDPR.
The GDPR authorizes serious penalties, up to the greater of 4% of a company's revenue or €20M (approximately $24.7M). European officials have indicated that they will not automatically impose monetary penalties for GDPR violations and will prefer voluntary compliance, even after warnings. But don't fall for myths: look at your business and assess-consulting counsel where appropriate-whether your company might be subject to the GDPR.