GDPR—the EU General Data Protection Regulation—has been the talk of the town for months and, as if anyone needed reminding, it comes into force on May 25, 2018. But before you go down the long and winding road towards GDPR compliance, do not forget to ask: does the GDPR apply to my business?
EU Established Businesses. If you have an EU “establishment,” there is no hiding. GDPR will apply to the personal data you collect, store, analyse, transfer, or use in connection with your EU business, no matter where you do it. Having an EU-incorporated or registered entity, EU-based employees or other representatives, or even a technical presence such as servers in the EU could qualify as an “establishment” for GDPR purposes. If this sounds like your business, you may want to stop reading this update and get back to preparing for the GDPR (and please let us know if we can help!).
Offering Goods or Services. The GDPR can apply extraterritorially if you “offer goods or services” to individuals in the EU. You probably have heard a lot of advice about what that means. That is because the extraterritorial provisions of the GDPR are brand-new and untested. From the little guidance that is available, it is likely that having EU-based customers or contacts, or a general website that is accessible from the EU, would not automatically mean that the GDPR applies. However, if you proactively market to individuals in the EU or take steps to position your website to attract individuals in the EU, you are likely in trouble.
Monitoring. The GDPR also applies extraterritorially if you “monitor” individuals’ behavior in the EU. The GDPR does not define “monitoring” (that would be too easy), leading to more uncertainty. From the available guidance, it appears that online tracking technologies (e.g., persistent website cookies), behavioral advertising, location tracking, and monitoring for fraud prevention may subject you to the GDPR when EU-based individuals are involved.
Just how aggressively EU data protection authorities will interpret and enforce the GDPR’s extraterritorial provisions remains to be seen. In the meantime, we have been advising clients on risk mitigation and compliance in light of their business structure, EU profile, and objectives. If, having read this, you are comfortable that the GDPR does not apply to you, congratulations! Otherwise, please do not hesitate to get in touch.
On Wednesday, May 16 at 12:00 noon US/Canada EDT, the Debevoise team will be hosting an interactive webinar, intended as a final “GDPR health clinic” checkup. To register for the webinar, click here.
Debevoise advises on all areas of GDPR compliance and assists EU and non-EU businesses in assessing and managing their GDPR risk profile.