Regulators Release Guidelines On GDPR’s Geographic Scope

The European Data Protection Board (EDPB), which represents European data regulators, has released guidance on the geographic scope of broad new data protection laws that came into force this year, one of the most controversial aspects of the regulations.

The General Data Protection Regulation (GDPR), which came into force on 25 May, is perhaps the year’s single most significant development for companies handling customers’ personal data.

And the GDPR's rules on geographic scope, laid out in Article 3, came as a shock to many organisations based outside Europe, which unexpectedly discovered that they were required to comply with EU data law if they offered services to individuals in the EU, regardless of where the organisation itself was established.

As a result, many organisations cut off access to anyone based in the EU, with a number of major US news publications still unavailable online from within Europe.

Legal test

The new guidance, which is open for public consultation until 18 January, states that the Article 3 rules are intended to provide a level playing field for those offering services in the EU and to ensure that the data of individuals in the EU is comprehensively protected.

“On its face, Article 3 can be interpreted to apply to almost any organisation that has a presence in the EU or that processes the personal data of any EU citizen, regardless of where that organisation is located,” said US law firm Morgan Lewis & Bockius in an analysis of the guidance.

“Companies outside the EU have been eagerly anticipating more guidance from the EDPB on this subject, to either confirm or restrict the regulation’s extraterritorial breadth.”

The guidance does specify some limitations to the GDPR's geographic scope, for instance clarifying that a non-EU organisation does not fall within Article 3 merely because it processes the personal data of someone who happens to be in the EU, or who holds EU citizenship.

Rather, the guidance says, the organisation must be "targeting" individuals in the EU in order to offer them goods or services, or must be monitoring their behaviour within the EU.

It also provides specific tests that organisations can use to determine their status under the GDPR.

Major shift

While the rules have been in force for several months, their effects are likely to begin making themselves felt only in the coming year.

For the rules to be effective, national regulators must also develop more comprehensive enforcement capabilities.

Facebook, Marriott and British Airways are amongst the organisations that have been hit by major data breaches since the GDPR came into effect.

But while the rules allow data regulators to impose stiff new financial penalties for negligence that leads to a breach, no significant fines have yet been levied and no major investigation under the GDPR has yet been concluded.

Matthew Broersma

Matt Broersma is a long-standing freelance technology journalist who has worked for Ziff-Davis, ZDNet and other leading publications.
