Since the EU General Data Protection Regulation took effect in May 2018, its territorial-scope provisions (Article 3) have, under certain circumstances, subjected U.S. companies that process EU personal data to the GDPR, even if those companies have no branches or subsidiaries in Europe. On Nov. 16, 2018, the European Data Protection Board issued guidelines (for public consultation) clarifying what those "certain circumstances" are. This article walks through those guidelines and the factors they raise.
Applicability of the GDPR to a U.S. entity
Below is a nonexclusive list of factors that should help you determine whether your entity needs to comply with the GDPR. Neither the GDPR nor the EDPB guidelines say how these factors should be weighted, but they do indicate that all of them should be considered together, alongside the goals of the company.
Do you personalize your goods or services for EU customers?
A U.S. entity can attract European customers by translating its services, goods or website into EU languages, using an EU top-level domain, delivering its goods to Europe, mentioning European customers and use cases, accepting payment in an EU currency, providing EU contact details (for example, a phone number with an EU country code, an EU address or an EU-specific email address), or offering instructions on how to reach your U.S. business from Europe. While these steps can help you grow your user base and revenue, they can also increase compliance costs, including the legal fees that come with the GDPR. If you are not ready to comply with the GDPR, a sensible approach is to state in your privacy policy that your site is not intended for EU users and to minimize your business's visibility in Europe by not personalizing any of your offerings for EU markets. Note that the statement alone carries little weight if the rest of your conduct points the other way; the factors are assessed together.
Do you target EU users with advertising campaigns?
A non-European entity that purposely advertises its services to European markets will need to comply with the GDPR. When evaluating your entity against this factor, gather information from your sales, human resources, public relations and marketing teams and determine whether any of them attend trade shows, run online ads or email campaigns, work with European PR agencies to publish articles, or participate in affiliate networks that target European audiences on their behalf. Marketing campaigns tailored to European audiences will trigger applicability of the GDPR; campaigns that do not differentiate content by location and do not specifically target Europe most likely will not.
Is there an establishment in the EU that is processing personal data on your entity’s behalf?
The GDPR also extends to non-European entities whose processing takes place in the context of the activities of an establishment in the EU, for example an EU partner that processes EU personal data on the entity's behalf or that advances the entity's goals in ways that indirectly involve EU personal data. To analyze your entity's operations against this factor, consider whether it partners with any third party to advertise its services, find customers or perform any other of its operations in Europe. Any potential link between the U.S. entity and an EU establishment should be analyzed. The threshold is very low; in some circumstances even one employee or agent can trigger applicability of the GDPR. The key is to look for "stable arrangements" that inextricably link your company to an EU establishment. By contrast, having your U.S. employees visit Europe for work, whether to find investment opportunities or to purchase goods or services there, will most likely not be enough to trigger applicability of the GDPR.
Do you monitor European users?
When evaluating whether a U.S. company is monitoring the behavior of individuals in the EU (the GDPR and the EDPB guidelines look at where the person is located when the behavior takes place, not at residence or citizenship), review whether those individuals are being tracked online in order to analyze or predict their preferences. The key is whether your company builds profiles of users who visit your website or online services with the intent to influence their attitudes and behavior. The GDPR states that mere accessibility of a website from Europe is insufficient to trigger applicability. Accordingly, first- or third-party cookies used for strictly necessary purposes, such as security, load balancing or authentication, or for aggregate statistics should not trigger applicability of the GDPR; analytics that build per-user profiles are a closer call and should be reviewed. Online marketing tools and agencies that offer profiling services generally let their customers specify which geographic locations should see their ads, so absent human error or a misconfigured tracking tag on your own site, a company is unlikely to stumble into profiling users in an unintended European country.
Do you have a large customer base in the EU?
While there is no specific number of users or customers that places a company within GDPR jurisdiction, an entity cannot be willfully blind to where its customers come from. Neither the EDPB's guidelines nor the GDPR itself explicitly lists this factor as a separate consideration; however, the EDPB does state that companies need to consider the industries in which they operate.
Although the EDPB does not elaborate on which industries are more likely than others to fall under the GDPR, companies in industries known for producing viral products and for services that are easily accessible from Europe should pay close attention to this factor and reevaluate themselves against it more often than others. Social media, content sharing and investment services are likely examples. This is one of the hardest factors to analyze. What if your entity has 5,000 EU users who account for 50 percent of your revenue? What about 500,000 who account for 10 percent? There is no bright line. Ultimately it is up to you to decide whether you consider the number high.
Global reach of the GDPR
Even if your U.S. entity is not subject to the GDPR under the five factors above, it may still have to comply with GDPR obligations. The GDPR has a global reach: it requires every controller that shares European personal data with a non-EU processor to ensure that the processor complies with the GDPR. So even if a U.S. company is not directly subject to the GDPR, it may need to comply with the law when it processes European personal data on behalf of an EU client. The GDPR requires EU companies that work with non-EU entities to ensure, through contractual provisions (the processor contract required by Article 28), that any such entity with access to EU personal data follows certain GDPR provisions. Otherwise, the EU company itself is in breach of the GDPR.
To the extent a U.S. company determines it does not need to comply with the GDPR, it is wise to document its rationale for such a conclusion. That way, if an EU data subject disagrees and the company becomes the subject of an EU investigation, it will have evidence that it recognized the importance of the GDPR and determined why it was not subject to the GDPR.