WHO DOES THE EU GDPR APPLY TO?
One of the more complex issues with the new GDPR is what’s being called ‘extraterritoriality’. As proposed by EU parliament, the GDPR will apply to any data transferred outside the EU zone.
Under these new rules, if a US company collects data from EU citizens, it would be under the same legal obligations as though the company had headquarters in Ireland, the UK or Germany – despite the fact they do not have any servers or offices here.
Legal experts note this may not be easy to enforce, but if a large enough multinational breaks one of the rules such as the GDPR’s new strict breach notification requirement it is likely the EU regulators will target it.
Obviously, extraterritoriality is particularly relevant to core web services such as search, social networking, e-commerce, companies that allow you to rent apartments online etc.
Under the old rules in the Data Protection Directive (DPD) there was some wiggle room that allowed data collectors to escape having to follow the regulations. A common practice was for service or app providers to keep their data processing outside the EU.
The idea was that if the main processing and servers weren’t located in the EU zone, then the rules didn’t apply.
Companies such as Google, Facebook, and other social-networking companies were following this approach.
However, the General Data Protection Legislation provides EU based companies and companies that collect data of EU citizens, regardless of a physical presence in the EU.