The General Data Protection Regulation (GDPR) — Europe’s most comprehensive data privacy law to date — turned the digital world on its head when it became enforceable on May 25, 2018.
Although rooted in European Union (EU) law, the reach of this landmark data protection and privacy regulation far exceeds the physical boundaries of the EU, and the European Economic Area (EEA) and Switzerland (hereafter referred to as EEA for brevity). This most notably includes the United States (US), the biggest trading partner of the EU.
The wide reach of the GDPR naturally raises a few questions: Does the GDPR apply to US businesses? Does it apply to US citizens? How is the GDPR enforced in the US?
This article answers these and other pressing questions, and discusses the impact of the GDPR in the US and what it means for US companies.
1. Does GDPR Apply to the US?
Yes, the GDPR applies to the US (and all other countries worldwide). This is because Article 3 of the GDPR, which defines the law’s territorial scope, states that it not only applies to companies in the EU/EEA, but also to companies outside of the EU/EEA that serve (or track the data of) EU/EEA residents.
Does GDPR Apply to US Companies?
The GDPR applies to US businesses, regardless of their size in terms of revenue or staff, if at least one of the following two conditions are met:
- The company offers good or services (even in the absence of commercial transactions) to EU/EEA residents.
- The company monitors the behavior of users inside the EU/EEA.
Personal data and behavior covered by the GDPR include names, contact information, device details (e.g., IP addresses, location data), biometric information, photographs, and videos, among others.
GDPR compliance requirements vary depending on the characteristics of the company. For instance, businesses with fewer than 250 employees do not need to maintain a record of their data-processing activities.
However, this rule applies only if the processing is not likely to pose a risk to the rights and freedoms of the data subjects, if no special categories of data are processed, or if the processing is done only occasionally, as indicated in Art. 30(5) of the GDPR.
Most organizations that process data regularly — whether for websites, ecommerce stores, CRM systems, or even calculating salaries — must keep records of their data-processing activities.
The following four examples clarify how these conditions apply in real-world scenarios:
Example 1: The ecommerce website of a New York-based clothing store that ships orders to several major European cities, for example, Paris and Berlin
GDPR applies: In this case, both of the aforementioned conditions are met. To avoid fines, the website and data handling processes of this company should be GDPR-compliant.
Example 2: The portfolio website of a Los Angeles-based freelance travel writer who writes in French and accepts commissions from publications in France
GDPR applies: Because the writer intentionally targets clients in France and likely uses contact forms or other means of data collection that allow them to get in touch with potential clients, the website must be GDPR-compliant, as both the aforementioned conditions are satisfied.
Example 3: A Chicago-based coffee shop that accepts online orders for deliveries within a 3-mile radius
GDPR does not apply: Since this website is not designed to serve or target residents of the EU/EEA, it need not comply with the GDPR, even if it is accessible within the EU/EEA.
Example 4: A website that facilitates language exchange meetups in Houston
GDPR does not apply: Although such a website would likely track the user behavior of EU/EEA citizens, as the website would attract native speakers of several European languages, the GDPR does not apply here because:
- the service does not target EU/EEA residents, and
- the tracked user behavior is not occurring within the EU/EEA.
Thus, neither of the aforementioned conditions are met.
This article uses the most widely accepted definition of “data subject.” Some legal scholars, however, differ in their interpretation of this term, as the text of the GDPR itself does not extensively discuss it.
In summary, if a US-based company either servers EU/EEA data subjects or monitors their personal data, then the GDPR applies to that company.
Does GDPR Apply to US Citizens?
Depending on where they are located, the GDPR can and does apply to US citizens.
The GDPR uses the term data subject to refer to the individual whose data is being processed. Per most interpretations of the GDPR, whether the GDPR applies is dependent on where the data subject is when their data is processed, and not the citizenship or nationality of the data subject.
Therefore, the GDPR would apply to US citizens if/when they are located in the EU/EEA, but not those located in the US, as illustrated in the following two examples:
Example 1: A gym in Philadelphia that collects and stores the contact information of its clients
GDPR does not apply: In this scenario, the company as well as its clients are located outside of the EU/EEA, and the data processing and storage occurs outside the EU/EEA as well. Therefore, this gym does not need to comply with the GDPR.
Example 2: The souvenir store of a US university offers delivery to Europe and accepts payment in euros
GDPR applies: As this store clearly targets users in the EU/EEA, even if most of those EU/EEA-based customers would be US citizens, it must ensure that it is GDPR-compliant.
Does GDPR Apply to EU Citizens in the US?
The location of the data subject takes precedence over their citizenship when determining whether the GDPR applies. Thus, the GDPR does not apply to EU citizens traveling or living in the US.
However, note that the language of the GDPR is vague when it comes to the definition of a data subject.
Does GDPR Apply to the US Government?
The GDPR does not make blanket exceptions to governmental or public agencies. Therefore, if the US government targets or processes the personal data of EU/EEA-based users, it will be expected to comply with the GDPR. This is true for all non-EU/EEA public agencies.
The GDPR does afford a few exemptions to member states of the EU/EEA.
One such exemption is that government agencies are excused from complying with certain provisions of the GDPR so long as personal data is processed in public interest, such as for preventing, investigating, and prosecuting criminal offenses or threats to public safety.
However, because the US is not an EU member state, these exemptions do not directly apply to the US. Moreover, the EU has strict guidelines on data transfers from within the EU to elsewhere.
To summarize, although some non-EU/EEA governments are not wholly clear on the extent to which they must comply with the GDPR, US federal or state government bodies processing the data of EU/EEA residents are expected to comply with the GDPR.
2. GDPR Requirements for US Companies
In the event that a US company is expected to comply with the GDPR, it is subject to the same strict requirements that companies located in the EU are expected to meet.
The text of the GDPR is quite extensive, and ensuring compliance can be difficult. For companies that must comply with the GDPR, the following are the key requirements and features:
- Data Breach Notifications
- Data Protection Impact Assessments
- Privacy by Design
- Strict Consent Conditions
- Data Subject Access Requests
- Appointing a Data Protection Officer
These six features, along with other requirements, are explained in our What is GDPR? guide.
3. GDPR Enforcement in the US: The Who and the How
In Europe, enforcement of the GDPR lies with the numerous supervisory authorities in the EEA and Switzerland. However, as the GDPR applies to companies outside of European borders as well, how would the GDPR be enforced in, say, the US?
There are several mechanisms through which the GDPR can be enforced in the US.
- If the company has a presence or assets (e.g., bank accounts, real estate, servers) in the EU/EEA, they can be seized for GDPR noncompliance.
- For companies without a physical presence in the EU/EEA, the GDPR mandates the appointment of a representative who is physically located within the EU/EEA. In cases of GDPR noncompliance, this representative would be a likely channel through which fines are levied.
- International law is another potential channel through which legal action can be taken. Given that it is mutually beneficial for national enforcement agencies to support each other, punitive actions may be pursued by the EU/EEA enforcement agencies. These agencies are likely to be assisted by public agencies in the country where the company is registered.
To sum up, especially for multinational or large companies, noncompliance will be pursued aggressively by the EU/EEA enforcement agencies.
GDPR Fines for US Companies
Fines for companies that do not comply with the GDPR can be as high as 4% of their annual global revenue or €20 million, whichever is higher.
The national enforcement agencies of various EU/EEA countries have the legal means to enforce noncompliance fines and penalties on companies located outside of their territory.
The biggest example of this is the €50 million Google fine, headquartered in California, by France’s GDPR enforcement agency, the Commission Nationale de L’informatique et des Libertés. Google was fined for processing user data for advertising without valid consent.
To avoid fines, some businesses are actively blocking their websites from EU users while they build toward GDPR compliance.
Clearly, GDPR noncompliance can be expensive for American businesses operating in the EU/EEA.
Whether the GDPR applies is dependent on where the data subject is when their data is processed, and not the citizenship or nationality of the data subject.
Any US company that serves customers in the EU or EEA — or tracks their behavior within this region — must fully comply with the GDPR.
With adequate means and measures in place to penalize companies that do not comply, the GDPR can be costly for those who violate its stringent requirements — even those with no physical presence in the EU/EEA.
Ensure GDPR compliance now to avoid expensive consequences.