Friday, July 12, 2019

A Privacy Regulation Applying in the USA and Canada (and Elsewhere)

Although the General Data Protection Regulation (GDPR)* was passed more than three years ago and entered into force more than one year ago, there is still confusion and misconception about the regulation's sphere of impact.

In a new series of posts, I will share some advice** drawn from experience in projects that I have conducted since the inception of the regulation. This post is meant to reemphasize the territorial impact (please also see GDPR - Repeated Misconceptions).

GDPR is a regulation to protect the personal data of individuals ("data subjects") who are physically present, even if only temporarily, in the EEA (European Economic Area, which includes all EU member states plus Iceland, Liechtenstein and Norway).

Protection rights are not dependent on the data subjects’ citizenship or residency!

All organizations worldwide that process personal data of data subjects who are in the EEA are obligated to comply with the GDPR.

Organizations established in the EEA have additional obligations: They must comply with GDPR regardless of where in the world data subjects are located.

The following matrix shows under which conditions GDPR applies:

Organizations established in the USA or Canada (or elsewhere) may still believe that GDPR does not apply to them if they do not have any "EU customers". Again, the decisive factor is whether their data subjects, of whatever nationality, are within the borders of the EEA. And in a world of international trade and high mobility of individuals, organizations obviously cannot control the data subjects' whereabouts while a business transaction takes place or thereafter. (Even data subjects' IP addresses captured during electronic communications do not prove presence in or absence from a certain territory, since individuals can legitimately, and increasingly will, hide their real geographical location by employing Virtual Private Networks.)

That being said, any medium or large organization worldwide should presume, by default, that GDPR applies to it. Conversely, only businesses that operate with limited geographical, commercial and technical outreach could be exempt from GDPR compliance, e.g. a brick-and-mortar shop that provides all goods / services on the spot, without processing personal data and in direct exchange for cash.

* Official publication of GDPR at
** Legal disclaimer: This blog post is not intended to be legal advice, but to raise awareness that it is recommended to consult a lawyer.
