Breaking Legal News & Current Law Headlines | Daily Legal Briefing
  • Home
  • Hot Topics
  • Breaking
  • Business
  • Big Law
  • Small Law
  • Law School
  • Legal Tech
No Result
View All Result
No Result
View All Result
Breaking Legal News & Current Law Headlines | Daily Legal Briefing
No Result
View All Result
Home Business

How Do Global Businesses Know When EU Data Protection Law Applies to Them?

Daily Legal Briefing by Daily Legal Briefing
September 16, 2022
in Business
0
How Blockchain and Crypto Influence the Film Industry
4
SHARES
32
VIEWS
Share on FacebookShare on Twitter


According to current case law, even one employee working in the EU can activate the GDPR’s current trigger mechanism.


In 2016, the European Union passed the General Data Protection Regulation (GDPR), dramatically changing how governments oversee and regulate consumer data privacy protections. The GDPR is an aggressive law that has modernized data privacy best practices to ensure that they’re capable of meeting the demands of our modern, digital economy.

Part of the reason the GDPR has been so successful in transforming the data privacy landscape is that it applies to a broad range of companies and situations across a wide swath of major economic players. 

This strength can also be its weakness. The expansive reach of the GDPR means that many companies not based in the EU don’t realize their advertising campaigns and customer base makes them subject to GDPR-specific compliance obligations. 

If you’re suddenly asking yourself, “Wait, am I subject to the GDPR?” don’t worry. We’re here to help you figure it out.

What Does the GDPR Actually Say?

U.S. federal data privacy regulation has often been focused on specific industries or sectors (e.g. HIPAA for healthcare, Gramm-Leach-Bliley Act for financial institutions, etc.). The GDPR is unique in that it’s built around consumer interaction instead of business type. In fact, the only time the EU explicitly does not apply is if the collected information is used for a “purely personal or household activity.”

Here’s the GDPR Article 3 text explaining who the law applies to (the important bits are highlighted):

Article 3(1)1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

Takeaway 1: The GDPR applies to companies who operate in the EU, even if the processing of personal data happens outside EU jurisdiction.

pastedGraphic.png

Article 3(2). This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behavior as far as their behavior takes place within the Union.

Takeaway 2: The GDPR applies to companies who collect or process the personal information of EU residents, regardless of where the company is located or whether they receive payment, so long as goods or services are being offered and/or individual online behavior happening in the EU is being monitored.pastedGraphic.png

Article 3(3). This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Takeaway 3: This is a narrower use case, but this section clarifies that the GDPR applies to diplomatic missions and consular positions. (You probably won’t have to worry about this one.)

pastedGraphic.png

If you don’t understand this technical, legal language, that’s okay. It all boils down to three points. The GDPR applies to data controllers and data processors that are:

  1. Established in the EU
  2. Offering goods and services to EU residents
  3. Monitoring online behavior of EU residents

Let’s discuss.

What Does it Mean to Be an “Establishment” in the EU?

Before we get too far into what it means to be established, let’s go through a few definitions.

What is a data controller?

According to the EU, a data controller is a “legal or natural person, an agency, a public authority, or any other body who, alone or joined with others, determines the purposes of any personal data and the means of processing it.” Basically, a data controller is an entity deciding the types of consumer data being collected, why it’s needed, and what it’s being used for. Depending on circumstances, there may be a joint controller, as well. (I.e., another controller participating in the process of, well, processing. If two companies are both deciding how data can be processed, then both companies might be joint controllers.)

What is a data processor?

Capital One Settles with Nearly 100M Data Breach Customers
Photo by Negative Space from Pexels

By contrast, a data processor is a “legal or natural person, agency, public authority, or any other body who processes personal data on behalf of a data controller.” Data processors are usually third-party vendors tasked with running the analytics, outreach, or storage of consumer data for a controller.

As a processor, you may at times have regulatory compliance obligations—but you may also have pressing consumer expectations for compliance. Getting ahead of consumer expectations for GDPR compliance can be a powerful business strategy, especially when you use it to differentiate your business from competitors. (Just make sure you get the word out in your marketing and on your website!)

Now that we’re on the same page, let’s dive in. 

What does it mean to be an “establishment” in the EU? Having physical operations in the EU establishes you, but are you subject to the GDPR if your Boston-based business has a single customer in France? Which laws apply if your website is hosted in the U.S. and has prices listed in U.S. currency, but it’s also accessible in Germany? 

According to current case law, even one employee working in the EU can activate the GDPR’s current trigger mechanism (“effective and real activity through stable arrangements”). 

But don’t panic!    

What Does it Mean to “Offer Goods or Services” Under the GDPR?

If your business is actively targeting, tracking, or selling to EU residents, GDPR compliance should be your top priority. 

Notice we didn’t say “if you generate revenue from the EU.” Money doesn’t have to change hands for the GDPR to be applicable. According to GDPR stipulations, your company is “offering goods or services if you:

  • Are involved in marketing to EU residents
  • Have EU-specific addresses or phone numbers
  • Promote reviews or testimonials from EU residents
  • Encourage EU residents to create an account with your business
  • Use an EU language or currency on your site
  • Offer shipping to EU addresses

This is true even if you never make a single euro from your efforts.

What Does it Mean to Monitor Behavior?

Article 4 of the GDPR says monitoring behavior includes the “automated analysis or predicting of behavior, location, movements, reliability, interests, personal preferences, health, etc.” of consumers either online or through the use of smart technology.

Examples of monitoring, also called profiling, include:

  • Behavioral or targeted advertising
  • Geolocation tracking
  • Market research
  • Digital fingerprinting
  • Risk assessments for automated decision-making processes
  • Surveillance methods (CCTV, security cameras, other smart devices)

What’s Next?

We know that taking in all this information probably feels like trying to drink from a fire hose. The truth is that GDPR regulations and compliance obligations are complex. If you’ve read this post and you still can’t tell whether or not the GDPR applies to your company, consider contacting someone who specializes in data privacy consulting.

Data privacy consultants understand the nuance of international privacy law, and they also know how to balance operational needs with compliance obligations. Save yourself time, money, and stress by letting a professional lead your privacy program. That way you can both stay focused on what really matters—your customers.



Click to Read Original Article

Previous Post

4 Things That Could Cause a Lawsuit for New Business Owners

Next Post

An Overview of Construction Law in Australia

Daily Legal Briefing

Daily Legal Briefing

The latest breaking legal news from across World all in one place.

Related Posts

5 Ways Attorneys Can Deal with Changes Occurring in the Legal Profession
Business

How Blockchain Technology is Changing the Legal Industry

by Daily Legal Briefing
March 22, 2023
How to Select the Right Insolvency Practitioner for Your Company
Business

3 Professionals You Need to Have on Your Radar

by Daily Legal Briefing
March 22, 2023
Ways of Resolving Contract Breach in Business in 2022
Business

CounselLink Introduces Contract Lifecycle Management and Enhanced Work Intake Features to its Leading Enterprise Legal Management Solution

by Daily Legal Briefing
March 20, 2023
4 Reasons People Filing Taxes in Denver May Need a Lawyer
Business

What Can a Tax Lawyer Do When the Government Tries to Seize Property?

by Daily Legal Briefing
March 20, 2023
Business

Cloud Computing Can Give Your Business a Much-Needed Boost

by Daily Legal Briefing
March 18, 2023
Next Post
An Overview of Construction Law in Australia

An Overview of Construction Law in Australia

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Premium Content

Lawyers in Illinois experienced this type of incivility most often, new survey says

Lawyers in Illinois experienced this type of incivility most often, new survey says

December 15, 2021
Proven Marketing Guide to Enhance Your Law Firms Visibility

Proven Marketing Guide to Enhance Your Law Firms Visibility

May 27, 2022
Biglaw Is Paying ‘Almost 50% Above’ Magic Circle Peers

Biglaw Is Paying ‘Almost 50% Above’ Magic Circle Peers

August 3, 2022

Browse by Category

  • Big Law
  • Breaking
  • Business
  • Hot Topics
  • Law School
  • Legal Tech
  • Small Law

About US

Breaking Legal News & Current Law Headlines | Daily Legal Briefing.
Online coverage of breaking legal news and current law headlines from around the US. Top stories, videos, insight, and in-depth analysis.

Categories

  • Big Law
  • Breaking
  • Business
  • Hot Topics
  • Law School
  • Legal Tech
  • Small Law

Recent Updates

  • Tax Strategies for Solos & Smalls in a Digital and Web 3.0 World
  • How Blockchain Technology is Changing the Legal Industry
  • Women in Law Are Driving an Entirely New Practice Model

© 2021 Daily Legal Briefing | Breaking Legal News & Current Law Headlines

No Result
View All Result
  • Contact Us
  • Home

© 2021 Daily Legal Briefing | Breaking Legal News & Current Law Headlines

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?