Skip to Content
Main Content

No, GDPR does not apply to EVERYONE: New guidance released clarifying GDPR’s applicability to US entities

November 29, 2018
View as PDF

European regulators recently released the much anticipated guidance on the applicability of the GDPR outside of the European Union (EU). The new guidance relieves some of the initial fears that U.S. entities with solely U.S.-based operations could potentially face stiff fines under the regulation. Regulators appear to be taking a practical approach to the regulation’s reach. In general, American entities with operations solely in the U.S. will not need to comply with the GDPR, unless the entity is purposefully targeting individuals in the EU.

The guidance also addresses some of the misconceptions regarding GDPR-applicability. In particular, regulators confirmed that the processing of EU citizens’ or residents’ personal data outside of the EU does not alone trigger GDPR-applicability. Thus, if an EU resident used their credit card to pay for a souvenir at a local U.S.-based store during a vacation, then the GDPR would not apply to the store simply because the store processed an EU resident’s personal data. 

While the guidelines have only been published for public comment and have yet to be finalized, they provide key insights into how the EU’s regulators view the regulation’s reach. If you have any questions about how the new guidance impacts your company’s GDPR-risk profile, please contact a member of Godfrey & Kahn’s Data Privacy & Cybersecurity team.   


Recent News

Join Our Mailing List

Need to stay current on the latest news, trends and regulatory issues impacting your business? Subscribe today! We know your time is valuable, so we limit our communications to only the most pertinent info you need to stay informed.