How the GDPR Affects Non-EU Companies

Adopted by the European Union in 2016 and enforced in 2018, the General Data Protection Regulation (GDPR) was signed in to replace aging data protection directives across Europe. This regulation applies not only to the EU but also to all countries in the European Economic Area (EEA) and any company that collects data on EU residents.

Any time goods and services are offered, or behavior is monitored, the GDPR comes into play. This can be anything as simple as visiting a website or buying a shirt.

The GDPR completely modernized how most companies use sensitive information like personal data. The GDPR and subsequent data protection regulations in other places, such as California’s CCPA, are the answer to those who are concerned with how ethically their data is processed—in particular, by companies that turn a profit by selling personal information without consent. While there is a difference between the GDPR and CCPA, the GDPR is seen as stricter.

How are companies outside of Europe affected? The GDPR has many hoops to jump through to ensure compliance, and companies risk significant fines if they don’t follow the regulations. It’s difficult for online companies to figure out if they must be a GDPR-compliant business since some of their users may be European even though the company isn’t.

When Does the GDPR Apply to Companies Outside Europe?

This begs the question: how are companies outside of Europe affected by the GDPR? When does the GDPR apply outside Europe? Should a non-EU company be compliant with the GDPR?

If the company services a person physically in the EU, then yes, it should. But why?

The GDPR covers not only companies with a presence in the EU but also any company that does business remotely with EU residents. Anyone physically in the EU or EEA is considered a “data subject” and protected by the GDPR. Generally, the moment goods and services are offered or behavior is monitored is when it must be determined if the person is in the EU or not. Any company that receives and processes subsequent data must ensure it complies with the GDPR.

Even when an e-commerce store doesn’t sell products to the EU, it must comply if it processes an EU resident’s information by tracking them using a cookie. In such instances, compliance can be ensured through a GDPR and cookie consent popup. Other cases require further steps to ensure compliance.

When Does the GDPR Not Apply to Companies Outside Europe?

For companies processing a lot of user information, it’s costly to abide by EU data protection regulations all the time. It’s a good idea to determine when it does not apply to minimize the impact of the GDPR on non-EU companies.

Just because someone from the EU visits the company website doesn’t mean the GDPR comes into play. It’s only when there’s a specific action taken with the data, such as profiling, analysis, and sharing, that regulations must be followed. Tracking with cookies, personalized advertising, and market surveys fall under the scope of monitoring.

It’s also not necessary for companies with employees in Europe to abide by the GDPR. HR purposes don’t fall under offering goods and services or monitoring activities and are thus excluded.

An important fact to note is that the GDPR does not cover EU citizens who are physically outside the EU. Targeting EU citizens in a non-EU country with sales or monitoring is excluded from the GDPR’s scope until they enter the EU again.

How Non-EU Companies Are Affected by the GDPR

As a controller or a processor of an EU resident’s data, a company must follow the strict guidelines set out by the GDPR to protect their rights—but non-EU companies don’t need to be overly concerned. Merely processing data received from someone in the EU doesn’t necessarily fall under the regulations since there must be an element of intentional targeting to require compliance.

For some companies, compliance might be as simple as adding a cookie consent popup on their website. US e-commerce stores and any other non-EU e-commerce store that sell products locally and don’t specifically offer shipping to the EU also don’t need to be concerned. It’s only when targeted advertising and personal information transfer occur that companies need to consult GDPR guidelines and implement policies accordingly.