Since its enforcement in 2018, one of the most asked questions about GDPR has been: does it apply outside the European Union? And, more specifically: does it apply to US companies?
In this post, we’ll answer this question and explain what US companies may need to do to comply (and avoid fines!).
In most cases, yes, it does.
The GDPR has an extraterritorial scope, meaning that it can also apply outside the European Union. The regulation is meant to protect European users, and therefore it can extend to foreign businesses too.
To be more precise, for the GDPR to apply to your US company, you should meet at least one of the following requirements:
Here’s a practical example, taken from the European Data Protection Board guidelines:
A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app, in order to offer targeted advertisement for places to visit, restaurants, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, Paris and Rome. The US start-up is specifically targeting individuals in the Union (namely in Paris and Rome) through offering its services to them when they are in the Union. The processing of the EU-based data subjects’ personal data together with the offering of the service falls within the scope of the GDPR. Furthermore, by processing data subjects’ location data in order to offer targeted advertisement, the processing activities also relate to the monitoring of behavior of individuals in the Union. The US start-up’s processing therefore also falls within the scope of the GDPR.
For a more comprehensive explanation, take a look at this video.
Therefore, it’s a mistake to think that, because the GDPR is a European regulation, it doesn’t affect US businesses at all.
As we said above, the extraterritorial scope may allow European Data Protection Authorities to enforce the GDPR outside the European Union.
Enforcement can take different forms.
The “scariest” one is definitely the fines: they can reach up to EUR 20 million (€20m) or 4% of the annual worldwide turnover (whichever is greater). But perhaps equally concerning are the other potential sanctions: official reprimands (for first-time violations), periodic data protection audits and liability damages.
In order for your US business to comply with the GDPR, here are some of the steps to follow:
At iubenda, we take a comprehensive approach to data law compliance. We build solutions with the strictest regulations in mind, giving you full options to customize as needed. This way, we’ll assist you with meeting your legal obligations, reduce your risk of litigation and protect your customers, building trust and credibility.
You can take a look at our set of solutions for GDPR compliance here.