On May 25, 2018, The General Data Protection Regulation (GDPR) was probably the most intricate data privacy regulation that the European Union has ever created. The European Union came up with this policy to see that the personal privacy rights of EU citizens are safeguarded. However, does it also apply to US Citizens? Read on to find out more.
Does the scope of the GDPR cover the United States?
While it is mainly anchored on EU legislation, this seminal data security and privacy regulation reach far beyond the EU’s and the European Economic Area’s geographical scope (EEA). In most cases, the GDPR applies to the United States of America, the EU’s second-largest trade partner.
The primary objective of the GDPR is to protect the personal data of EU citizens and residents. Subsequently, this regulation applies to organizations that handle certain data regardless of whether they are in the EU – referred to as the “extra-territorial effect.”
As indicated in Article 3 of the GDPR, the law’s geographical scope is not limited to organizations in the EU/EEA. The regulation applies the GDPR’s processing rules to organizations outside of the EU/EEA if the following two requirements are satisfied:
The organization offers goods or services to EU/EEA citizens or
The organization monitors or controls the activities of consumers within the EU/EEA.
Consequently, organizations in the USA and other countries worldwide are bound to abide by this regulation as long as they satisfy at least one of the conditions mentioned above.
If a US-based organization needs to comply with the requirements set by GDPR, the same stringent conditions that apply to EU-based organizations apply to it.
The GDPR regulates the processing of personal data in a myriad of ways. For example, contact numbers, biometric data, images, and videos can all fall under the classification of personal data.
Location Vs. Citizenship
The GDPR considers location and not citizenship. The difference between citizenship and location arises when we tackle non-EU people residing in the EU as opposed to EU citizens residing outside of the EU, or when the goods or services are rendered inside or outside the geographical scope of the EU.
Here are some instances when the GDPR is applicable:
A US citizen is on holiday in France. He orders online for dinner from a restaurant in Paris and has it delivered to the hotel where he is staying.
The GDPR’s policy applies to this scenario because the data subject, a US citizen, is in an EU country and provides personal data for a good or service in the EU. Therefore, the citizenship of the data subject is irrelevant.
A US citizen residing in Italy visits the website of a US electronics business and places an order for a laptop, providing her EU delivery address. The US electronics business advertises that it sells to Italy and offers the laptop for sale in Euros.
The GDPR is applicable since the data subject is currently residing in the EU, orders using an EU address, and the US electronics business offers its goods to individuals in the EU. For this instance, both the citizenship of the data subject and the store’s location are not significant.
GDPR plays a crucial role because it bolsters the security of European data subjects’ rights and defines the responsibilities of organizations that control personal data to uphold these rights.
GDPR principles revolve around data processing activities and not citizenship; it covers personal data and information gathered from whichever EU country and can apply to either an EU or non-EU resident residing in or visiting the EU.
Any US organization or company catering to customers in the EU/EEA–or monitoring their behavior within this area–should consider complying with the GDPR. The regulation also looks out for US citizens who share their information in the EU.