Does the GDPR apply outside the EU/UK?
Six Data Privacy Myths those outside the EU/UK need to be aware of...
There are a number of myths floating around the General Data Protection Regulation (GDPR) and EU/UK data protection especially when it comes to non EU data subjects and the use of non-EU processors as well as the obligations on businesses outside the EU. Here are some myths those outside of the EU/UK need to be particularly aware of.
Myth 1. The GDPR only applies to the personal data of EU/UK citizens
Wrong. If you are a data controller established in the EU/UK processing personal data you will have to comply with the law whether your customers/data subjects are inside the EU/UK or outside the EU/UK. US data subjects, for example, will have the same rights as UK ones. The same is true for a data processor established in the EU/UK as well, although data processors have more limited GDPR obligations than processors. So for example if you are established in the EU/UK but only process say the personal data of people in China or the USA you will still be caught by the GDPR.
Myth 2. If you don't have an establishment in the EU/UK you cannot be caught by the GDPR.
Wrong. Even if you don't have an establishment in the EU/UK (for example a subsidiary, branch, agent or some other "stable arrangement") you can still be caught by the GDPR if you offer goods or services (even free of charge) to data subjects in the EU/UK or you monitor their behaviour within the EU/UK. In this case unless a limited exemption applies you will also need designate a representative within the EU/UK.
Myth 3. The GDPR applies to any offshore (non EU/UK) business processing personal data of data subjects in the EU/UK
Wrong. It depends on the facts. For example if you operate a global business but don't actually target data subjects in the EU/UK with goods or services nor do you have an establishment in the EU/UK then the GDPR won't apply to you. But if you monitor the behaviour of data subjects within the EU/UK you will be subject to the GDPR – for example if you monitor to target advertising or you monitor the health of data subjects.
Myth 4. If an EU/UK data controller outsources personal data processing to a processor outside the EU/UK the offshore processor is responsible under the GDPR
Wrong. The responsibility for complying with the GDPR falls on the EU/UK data controller. Unless the processor itself offers goods or services (even free of charge) to data subjects in the EU/UK or monitors their behaviour with the EU/UK then the processor itself won't be caught by the GDPR. However the offshore processor is likely to become subject to the GDPR indirectly via contract as the data controller will need to impose certain contractual obligations on the data processor under Article 28 GDPR and depending on the territory of the data processor the controller may also insist on additional contractual protections (for example EU-mandated model international data transfer clauses from 2010).
Myth 5. A non EU/UK business (data controller) has an EU/UK affiliate that doesn't actually process any personal data (all the processing is done offshore). So the GDPR does not apply.
Wrong. EU case law (Google Spain) and recent European Data Protection Board (EDPB) guidance make it clear that if there is an inextricable link between the activities of the EU/UK affiliate or other "establishment" in the EU/UK and the offshore data controller then the GDPR will still apply. For example the EDPB guidance mentions the activities of a revenue generating EU sales office as being potentially caught by the GDPR even if that office does not itself process personal data.
Myth 6. The GDPR won't apply in the UK after Brexit
Wrong. The UK will continue to apply the GDPR in the UK regardless of the Brexit outcome: non-EU based businesses will remain caught by the UK application of the GDPR pursuant to section 207 of the Data Protection Act 2018 along similar principles to those outlined above.