Territorial Scope

The increasing territorial scope of the regulation (i.e. the question of who will be subject to the GDPR) is an unprecedented change in the world of data protection. It will have a significant impact on the worldwide (not just European) appreciation of data integrity and security, and will transform the way in which commercial entities deal with their customers.

The GDPR will expand the territorial scope and reach of European data protection law. It will apply not only to data processors and data controllers (see our first GDPR blog entry to remind yourself of the differences!), but to any entity that:

  • offers goods and/or services to EU citizens (regardless of whether payment has been received in exchange); or
  • monitors the behaviour of EU citizens (e.g. a company that uses cookies to build a profile on an individual)

As a consequence of this important change, a large number of entities outside of Europe, previously unaffected by European data law, will now find themselves subject to the GDPR; it is vital that these entities are aware of their increased exposure. DAC Beachcroft, a well-respected law firm in the data and privacy field, have put together some useful examples to help highlight some of the territorial scope considerations:

 

| Scenario | Impacted by existing law? | Impacted by GDPR? |
|---|---|---|
| Australian social media company with no European group companies, targeting their service at individuals in the EU | No | Yes |
| Singapore e-commerce retailer, whose website is in English and is accessible by EU citizens. The company only delivers to addresses in Singapore | No | No |
| Hong Kong retailer with e-commerce website in English, which allows purchases to be made and delivered to European citizens in their local currency | No | Yes |
| Canadian website which uses cookies to monitor behaviour and sends targeted marketing to IP addresses, including those from European citizens | No | Yes |

(Source: DAC Beachcroft, 2017)

 

Data Processor’s Obligations

A significant number of businesses located outside of Europe, but who fall within the scope of the GDPR, will be required to appoint a European-based representative to act on behalf of the data controller and data processor. Under these requirements, the representative will have to liaise with the appropriate supervising authority and accept liability for breaches of the GDPR. Whilst this role of a European representative is likely to come in the form of a specialised outsourced service provider, it will still be onerous and potentially expensive for businesses; however, as with most regulations, the cost of non-compliance far outweighs the cost of compliance.

 

Next month we will be providing insight into the principles and processing of the GDPR. If you would like to discuss the GDPR further please get in contact with us via: cyber@safeonline.com