European regulators recently released the much-anticipated guidance on the applicability of the GDPR outside of the European Union (EU). The new guidance relieves some of the initial fears that U.S. entities with solely U.S.-based operations could face stiff fines under the regulation. Regulators appear to be taking a practical approach to the regulation’s reach. In general, American entities with operations solely in the U.S. will not need to comply with the GDPR unless the entity is purposefully targeting individuals in the EU.
The guidance also addresses some of the misconceptions regarding GDPR applicability. In particular, regulators confirmed that the processing of EU citizens’ or residents’ personal data outside of the EU does not by itself trigger GDPR applicability. Thus, if an EU resident used their credit card to pay for a souvenir at a local U.S.-based store during a vacation, the GDPR would not apply to the store simply because the store processed an EU resident’s personal data.
While the guidelines have only been published for public comment and have yet to be finalized, they provide key insights into how the EU’s regulators view the regulation’s reach. If you have any questions about how the new guidance impacts your company’s GDPR risk profile, please contact a member of Godfrey & Kahn’s Data Privacy & Cybersecurity team.