European regulators recently released the much-anticipated guidance on the applicability of the GDPR outside of the European Union (EU). The new guidance relieves some of the initial fears that U.S. entities with solely U.S.-based operations could potentially face stiff fines under the regulation. Regulators appear to be taking a practical approach to the regulation’s reach. In general, American entities with operations solely in the U.S. will not need to comply with the GDPR unless they are purposefully targeting individuals in the EU.
The guidance also addresses some of the misconceptions regarding GDPR applicability. In particular, regulators confirmed that the processing of EU citizens’ or residents’ personal data outside of the EU does not, on its own, trigger GDPR applicability. Thus, if an EU resident used their credit card to pay for a souvenir at a local U.S.-based store during a vacation, the GDPR would not apply to the store simply because the store processed an EU resident’s personal data.
While the guidelines have only been published for public comment and have yet to be finalized, they provide key insights into how the EU’s regulators view the regulation’s reach. If you have any questions about how the new guidance impacts your company’s GDPR-risk profile, please contact a member of Godfrey & Kahn’s Data Privacy & Cybersecurity team.
Copyright © 2023 Godfrey & Kahn, S.C.
Attorneys at Law - All rights reserved.