The answer is maybe. There are a lot of consultants making a bundle off GDPR at the moment, selling opinions. What is definite is that we have the wording of the legislation, prior EU laws and guidelines.
What is the GDPR anyway?
The General Data Protection Regulation (GDPR) is the largest overhaul of EU privacy laws in the last 20 years. Because of the interconnectedness of today’s trade and the extraterritoriality clauses in this regulation, it is probably the most significant set of privacy laws in the world. The laws will be enforced from the 25th May 2018.
Can the EU fine someone outside their borders?
Yes. The GDPR is based on international law, which has been agreed and negotiated. Even if an institution has no physical presence in the EU, GDPR fines can be enforced. The maximum penalty for infringing these laws is the greater of €20 million or 4% of worldwide turnover. These ‘effective, proportional and dissuasive’ fines can sound scary, but it’s unlikely the maximum penalty would apply, except in the most egregious cases.
Who does it apply to?
If you are based in the EU, the GDPR applies. If you are not based in the EU, then it depends on whether you offer goods and services to EU citizens, free or otherwise, or you monitor EU citizens, regardless of where they are being monitored.
But does that mean that the laws apply if someone with an EU passport does business with you in a non-EU country? The laws as written say yes, but there is a limit to how practical this is, and the GDPR is not designed to put companies out of business.
This is where we enter the realm of opinion. A common school of thought goes that if the company does not target EU citizens (such as by having a German translation of their site, or a .fr domain name), does not directly do business with the EU, and does not monitor their citizens, then the GDPR does not apply. However, at this stage, it is still unknown if that will be how the laws will be applied.
What if I’m doing business with the UK?
The UK will be implementing the GDPR regardless of Brexit. Only if the UK subsequently chooses not to join the European Economic Area (EEA) will the GDPR no longer apply. If this occurs, the UK will still need to implement equivalent protections to facilitate trade with the EU.
Much of how the GDPR is implemented will depend on legal precedents set after it is implemented, and until then, opinion (backed by various levels of expertise) is all we have. If this is an issue your business is going to face, you need to have your specific circumstances reviewed by a group with expertise in EU law (and probably not from a blog article). May next year is fast approaching, and the clock is ticking.