GDPR: It’s Not Just About EU Citizens, or Residents

It is with some chagrin that I write this post. I fell for the very thing that I have warned my clients about for decades: “Read [regulation name] carefully and NEVER make assumptions, and if you don’t know something, ask someone who does!” Here I am now having to admit that I thought the GDPR was only about EU citizens.

It’s not.

The WORD ‘citizen’ never even appears in the Regulation. Not once. In fact, I’ll go so far as to say that it’s not even about EU residents, because that word never appears in the Regulation either. Neither of these words is what GDPR means by “in the Union”.

I take some very limited solace from the fact that I have never claimed to be a privacy expert, but my ongoing mission of pushing everyone to actually read the GDPR carefully makes me something of a hypocrite. So apologies for that, I should have known better.

But even now that I have read the relevant Recitals and Articles, and asked real experts for guidance, I am still only able to make assumptions. I know that somewhere, someone(s) knows exactly what all of this means in practice (and in precedent), as there is very little that is ‘arbitrary’ about the law. Hopefully these someone(s) jump in at the supervisory authority level.

So the real point of this blog is NOT to impart knowledge, or instruct, I am unqualified to do so. It is to gather feedback, or even opinion on the below interpretation(s). And yes, I have reached out to both the ICO and Art. 29 WP for clarity, but I doubt I’ll get much back anytime soon.

[Note: I won’t name the people who have provided the following guidance (unless they want me to), but I thank them for it. That said, if I’m still way off the mark the blame is entirely my own.]

First, the KNOWN Facts:

  1. Nowhere in the GDPR, or any referenced document [of which I am aware], are the phrases ‘data subject’ and ‘natural person’ tied to ‘EU citizenship’ or even ‘EU residency’;
  2. Recital 2 states – “The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. […]” – [this is, after all, a human right];
  3. Recital 14 states – “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. […]” – [it does not matter who or where they are];
  4. Recital 22 states – “Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.” – [a business established in the Union can [with caveats] process the data anywhere in the world, GDPR still applies];
  5. The phrase – “[…] in the Union […]” appears frequently in relation to scope and/or applicability – [i.e. the test is presence or establishment in the Union, not nationality or place of residence];
  6. Article 3(1) states – “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” – [this is the operative provision behind Recital 22 in 4. above: wherever the processing happens, GDPR still applies]; and
  7. Article 3(2) states – “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to […]” – [applies to non-EU establishments if they ‘target’ people in the Union, either by offering them goods or services (Article 3(2)(a)) or by monitoring their behaviour within the Union (Article 3(2)(b))]

Now, the Assumed ‘Facts’:

  1. If your personal data is collected and processed while you are physically IN the Union, and Article 3(1) or 3(2) applies, it does not matter what your nationality is, nor does it matter where you normally live. GDPR applies;

    Scenario: A US citizen is on holiday in the UK and orders something from an e-commerce merchant ‘established’ in the Union. The site collects personal information. GDPR applies.

  2. For processing of personal data outside of Article 3(1) and 3(2), it doesn’t matter whether you’re an EU citizen or not, GDPR does NOT [necessarily] apply;

    Scenario: Someone ‘in the Union’ orders online from a merchant based in the US, who has made no effort whatsoever to market/aim their services to anyone outside of the US. All payments must be in USD. Just because they agree to ship the merchandise to the EU does not, by itself, put the merchant ‘in scope’ for GDPR, even if they do collect personal data. (The factors for judging whether a controller ‘envisages’ offering goods or services to people in the Union, such as the language and currency used, are set out in Recital 23.)

  3. Even if you are not ‘in the Union’, processing of your personal data carried out in the context of the activities of an establishment that is in the Union is in scope for the GDPR (Article 3(1));

    Scenario: Anyone, EU national or not, is in the US and orders online from an e-commerce merchant ‘established’ in the Union. GDPR applies.

In the end it’s becoming clear that being an EU citizen does not give you rights anywhere outside of the boundaries of Union law. It is also clear that regardless of your nationality, or where you live, doing business with Union-based organisations may give you rights that it’s quite possible you are not receiving in your own country (especially in the US).

And not that I’m particularly bright, but for me to make such a fundamental mistake in interpretation further supports my contention that you should only ever take guidance from proven privacy experts. This is just too important to rely on people who have only recently jumped on the bandwagon.

Again, I am not saying that any of my assumptions/interpretations are facts. I actually expect to be corrected. About the only benefit you can get from this is you should now have your own questions to ask.


31 thoughts on “GDPR: It’s Not Just About EU Citizens, or Residents”

  1. Good one David… from the PCI perspective, if the authorisation/clearing is done outside the EU but settlement is done in the EU, then where does GDPR apply?

    • First, the usual caveat; I’m not an expert and you really should run this past one.

      That said, it’s unlikely that supervisory authorities are going to get involved as the card brands already have the PCI standards to cover the protection of cardholder data, and an organisational structure to effect ‘administrative fines’ and penalties.

      Unless the acquiring bank is using the auth/settlement data for something other than auth/settlement, there’s really nothing else they can do for GDPR.

  2. Good article, David. I would just emphasise the word “necessarily” (as in “not necessarily apply”) in your assumed ‘fact’ 2. The wording “offering of goods and services” to someone in the EU may well cover sales made to someone in the EU, even without targeting. The wording of Recital 23 that appears to restrict the interpretation of “offering” has a dubious legal basis.

  3. Good article.
    Can you add a few more scenarios? For example, an EU citizen living and working outside the Union, let’s say in Japan, uses a local Japanese bank for their financial needs. Does the local bank have to be GDPR compliant? (The bank doesn’t have any EU subsidiaries.)

    • GDPR applies, but intra-company transfers are handled slightly differently. You’ll definitely need to speak to a qualified person for this one.

  4. Hey David,

    Let me firstly appreciate the brilliance and simplicity of your article. What, in your considered view, are the implications of this Regulation on Telecom service providers OUTSIDE the EU? For instance, do you think Mobile Network Providers need to be GDPR-compliant when EU Citizens roam on their networks outside the EU?

    I would truly appreciate your perspective/insight on this scenario. Thank you.

    • Many thanks James.

      Recital 21 states: “This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.”

      Directive 2000/31/EC of the European Parliament and of the Council, 8-Jun-00: – on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce), refers to;

      Article 12 – Mere conduit
      Article 13 – Caching
      Article 14 – Hosting
      Article 15 – No general obligation to monitor

      In other words, these ‘intermediaries’ can be considered out of scope for GDPR. Telecoms would be classified as a “mere conduit” unless they are in some way processing personal data outside of that definition.

      Hope this helps.

      David

  5. Hi David,

    I have a sample scenario too. An EU based e-commerce company sells goods outside of EU with its affiliate company. As a result, trade is between non-EU citizens and a non-EU company. But all data are collected and stored in the servers that are physically in EU. Does GDPR apply in this scenario?

    Many thanks,

    Bora

    • Hi Bora,

      Again, I’m not a data protection expert, but my reading of this is that yes, GDPR applies. Not so much to the enforcement of data subject rights, but even storage counts as processing. There would need to be some form of intra-company data processing agreement in place.

      Run this by a real expert though.

      David

  6. Thank you for the article David.

    The UK branch of a Japanese bank offering a personal loan to a Japanese customer based in Japan. This would be a straightforward example where GDPR applies, Article 3(1), even though the Japanese customer would never set foot in the EU?

  7. If a local Asian brokerage firm has some EU citizens as customers, and these customers are now living in this Asian country, does this brokerage firm have to comply with GDPR?

  8. Great article! There is a lot of supposition and thinly interpreted clickbait blogs out there that are leading to confusion. Here is a scenario I am pondering:

    An event for BrandX takes place in the US. BrandX is an American company with offices around the globe. Current and potential customers and partners register and pay for a badge to attend to learn more about BrandX’s products and services. Attendees travel from around the world to attend the event. During the event information is collected such as preferences, surveys, interests etc.

    Would GDPR apply to attendees from the EU in this case? My general take on this is that it would, particularly if they had been invited by BrandX or if BrandX operates regional offices in the EU. However if BrandX is solely based in the US with no international offices it gets fuzzy.

    Would love your thoughts. Many thanks!

  9. After reading so many articles on this matter, finally finding some practical examples, thanks!

    Here is my case: what about an online reservation service established and located in Barbados which stores individuals’ personal data collected through phone calls or web form posts, which in both cases can originate from EU countries? No payment is involved, but the individual can physically be in the EU during the data collection.
    This seems very similar to your Fact #2 example; in addition, nothing gets shipped to the EU and no money moves, only information.

    thanks!

    • Hi Paolo,

      Payment is irrelevant to GDPR (Article 3(2)(a)).

      I don’t have enough info here to really help; it really depends on how you advertise and what services you are offering.

  10. David,

    Great advice. What if you are a US-based B2B? You sell services, such as writing, and don’t specifically target the EU. From the EU, a citizen visits your website and you start tracking their behavior on your website. Must you have their permission? And if they fill out a whitepaper form, but you don’t know their country, are you in violation if you send them an email about your services?

    Thanks again

      • David,

        Thanks for your reply. I can see how your Scenario 2 does cover this.

        One more question if you have a moment. If you are US based (not established in the union) and advertise online, does GDPR apply if your ads are seen by people in the EU and they click through to your U.S. website (on which data is collected, but has nothing, such as language, currency, contact information, etc. that targets any EU geography )? And does it matter if you have or haven’t used the advertiser’s controls to exclude viewers outside of the United States from seeing the ad.

        Thanks again for all the great advice.

        John

      • Again, this is scenario 2. Just because the site can be seen in the EU does not necessarily put you in scope. However the devil is always in the detail.

  11. Hi David,

    Thank you for an excellent piece, as usual. We (a SaaS company with offices in the EU and US) were told exactly the same thing: you just need to read Article 3 carefully and it’s really clear that the location of the Processor also matters.

    What bothers me most is that the absolute majority of sources, including so-called GDPR “trainings”, especially the one from IT Governance (NOT recommended at all, BTW – half-baked, if not to say more), are pushing that “EU citizens only” thing as absolute truth.
