Preparing for the GDPR Outside of the EU
Thursday, Mar 01, 2018

The new head of the Article 29 Working Party, consisting of representatives of the European Union’s data protection authorities, has indicated that the Working Party does not have plans to issue additional guidance on the extraterritorial reach of the General Data Protection Regulation (GDPR) before compliance with the Regulation is required on May 25th. This issue is important for many companies outside the EU because Article Three of the GDPR provides that the GDPR directly applies to controllers and processors with establishments in the EU “regardless of whether processing takes place in the Union or not.” Article Three also applies the GDPR to controllers and processors that are not located in the EU, if they are either offering goods or services to data subjects in the EU or monitoring the behavior of data subjects that takes place in the EU.

Andrea Jelinek, head of the Austrian Data Protection Authority, was elected earlier this month to succeed Isabelle Falque-Pierrotin of France as head of the Article 29 Working Party. As reported by Bloomberg Law, Jelinek has stated that additional guidance on the international reach of the GDPR will not be issued before GDPR compliance is required in May. According to Bloomberg, she said that the guidance issued by the Working Party to date is “enough for everybody to start with” and indicated that companies should have been working on GDPR compliance rather than waiting for additional guidance.

Recitals accompanying the GDPR provide some guidance on the scope issue, but questions remain in a number of areas, including how broadly the EU will interpret what constitutes the “offering of goods or services” to EU data subjects, the potential application of the GDPR to websites that are not directed at individuals in the EU but use cookies and other online tracking technologies, and the reach of the GDPR to non-EU operations of a company that also has an establishment in the EU. How the regulators ultimately address these issues could further broaden the extraterritorial reach of the GDPR. We will all need to do our best to make reasonable and appropriate judgments about extraterritorial reach while we work on being ready for May 25th.