Does GDPR Apply to Citizens Outside the EU?
Table of Contents
The GDPR (General Data Protection Regulation) is the primary data protection regulation in the EU, and it governs how companies process European Union citizens’ personal data. It applies to all member states of the EU and countries in the EEA.
The GDPR is valid outside EU territory, which means it safeguards the personal information of EU residents and citizens and impacts all companies that deal with personal data, whether they're in the EU or not.
Does the GDPR apply outside the EU?
Yes, the GDPR applies outside the EU but under specific circumstances. The GDPR safeguards the personal data of EU citizens and residents, even if it’s transferred outside the EU borders. This means that this regulation applies to all EU-based and non-EU companies, that deal with the personal data of European residents and citizens.
An example would be an organization from the United States that gathers data from EU citizens. The legal obligation applies to the organization as if it has its head office in the EU, even if it doesn’t have to have any offices within the borders of any European Union country. This means if the company offers services or goods to EU citizens or tracks the behavior of consumers within the EU, it must comply with GDPR.
For example, the previous agreement known as Privacy Shield governed data transfers between the EU and the US. That has been struck down now, but is an example of how the GDPR applied outside the EU too.
Does GDPR apply to EU citizens living in the US?
The GDPR does not take into account citizenship questions. It is only concerned with the location of the data subject, not the citizenship. So if an American company tracks the data of an EU citizen living in the U.S., it will not have to comply with the GDPR. It is only when the company handles data of folks in the EU is when the GDPR applies.
Luckily, a data subject’s current location overrides their citizenship when establishing if GDPR applies. Thus, the GDPR doesn't apply to EU citizens and residents living or holidaying outside the EU.
If an EU citizen is outside the EU, they’re subject to the laws of the country they’re in. However, if they’re in the European Union territory and provide their personal information remotely--over the phone or online--the GDPR protects them.
Does GDPR apply to non-EU citizens?
The GDPR applies to non-EU citizens if they live in the EU. For example, if a student from India lives in Germany and has their data processed by local companies then, yes, the GDPR will apply. However, the GDPR does not apply for regular Indians living in their home country. As stated above, the GDPR is only concerned with the location of the data subject and not their citizenship status.
Does GDPR apply to US citizens?
The GDPR applies to those US citizens that live and reside in the EU. If they consent to have their data handled, then the GDPR will apply to them. However, the GDPR does not apply to US citizens living in the US or countries outside of the EU. As stated before, the GDPR is concerned with the location of the data subject and not their citizenship status.
Wha are the Rights of EU Citizens Under the GDPR?
There are eight rights for European Citizens under GDPR.GDPR gives individuals the right to be informed about how their data is collected and used, resulting in various information obligations for controllers.
The following are eight rights of European citizens under GDPR:
- The Right to Information: Under GRDP, individuals have rights regarding how companies process their personal data.
- The Right of Access: Data subjects can obtain personal data about them.
- The Right to Rectification: Individuals can ask to complete incomplete data and to correct inaccurate data.
- The Right to Erasure: It’s also known as the right to be forgotten. Citizens can request to delete data permanently if it is no longer needed or it’s illegal to process.
- The Right to Restriction of Processing: Individuals have the right to restrict personal data's processing under certain conditions temporarily.
- The Right to Data Portability: Data subjects can request their data from the data controller in a machine-readable format and send it to another controller or use it for personal needs.
- The Right to Object: Individuals can object to data processing in specific circumstances like marketing, research, or public interest tasks.
- The Right to Avoid Automated Decision-Making: Data subjects have the right to demand human intervention instead of automated processing. Companies must disclose to individuals that they will use algorithm decision-making and inform them to opt for t it.
What Countries Does the GDPR Apply to?
GDPR compliant countries include all 27 European Union member states: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
Other GDPR countries are those in the European Economic Area, such as Lichtenstein, Iceland, and Norway.
The UK is not part of the EU anymore, therefore it is not considered a GDPR compliant country. However, it does have some laws that are similar to GDPR as a whole.
Countries like Albania, Belarus, Bosnia and Herzegovina, Croatia, Kosovo, Moldovia, Montenegro, North Macedonia, Russia, Serbia, Turkey, and Ukraine are part of Europe, but they are not governed by the GDPR. However, if any of their companies process data in the EU, they are bound to comply with GDPR regulations.
Does GDPR Apply to Companies Outside the EU?
Article 3.2 of GDPR states that it applies to companies outside the EU if they are offering goods or services to EU residents and monitor the online behaviors of EU citizens.
Let us discuss both cases:
Offering goods and services outside of the EU
Article 3(2)(a) specifies that if a company outside the EU provides goods or services to EU citizens, then this company falls under the scope of GDPR. For example, a Chicago-based clothing company sells its clothes to EU citizens.
When EU citizens order their items on their website, then GDPR applies to this company as the website will collect and process the personal data of EU citizens. In a nutshell, GDPR is meant to protect EU citizens' online data.
Monitoring the online behavior of EU citizens
As per article 3(2)(b), a data controller monitors the behavior of data subjects within the Union. However, monitoring means controllers have a particular purpose for collecting and using behavioral data. It may include a wide range of monitoring activities, such as
- Regular monitoring or reporting on a data subject's health status
- Behavioral advertisement
- Based on individual profiles, market surveys, and other behavioral studies.
- Geo-localization activities, particularly for marketing purposes
- CCTV
- Using cookies or other tracking techniques like fingerprinting to track online activities
- Personalized diet and health analytics services online
Cyber security content marketer Roy Sarker further explains how GDPR applies to companies outside the EU.
He says, “yes, GDPR applies to companies outside the EU in two ways:
- They need to comply if they have customers in the EU
- They need to comply if they have data centers in the EU
Even if the above doesn't apply, sometimes companies will spend the effort on GDPR compliance for future growth into the EU.
Every company I've worked for had some level of GDPR compliance program, even though they were North America based, because of customers in the EU.”
Examples of General Data Protection Regulation Compliance Outside the European Union
Here are a few examples of data processing by non-EU companies and whether they’re subject to the General Data Protection Regulation.
Example One: A restaurant in Cairo, Egypt, has a website that enables customers to use its takeaway service or book a table. European Union holidaymakers often visit this restaurant and enjoy the food there. Here, the GDPR doesn’t apply because the restaurant targets local customers.
Example Two: A software company in Sydney, Australia, has built a tourist app that monitors users’ locations and suggests nearby points of interest. The app has options for tourists in Rome, London, Paris, and Sydney. The GDPR applies because this app is used by people in the European Union, whether they are visiting from elsewhere or are local.
Example Three: A Canadian citizen is on a business trip to Paris. While in Paris, they download a workout app from their hometown. The GDPR doesn’t apply in this scenario, even if the person was in the EU when their personal information was collected. For the GDPR to apply, the services or goods or tracking must target those in the EU. However, unlike in the second example, where the software company assumes that people in the European Union will use its service, that’s not the case here. The workout app is designed mainly for people living in Canada. However, Canadian citizens may also use the app while in the EU.
Final Thoughts
GDPR is specifically designed to protect the personal information of EU citizens and residents. Therefore, it only applies to EU citizens and residents inside the EU. However, it also applies to all companies that process the personal data of EU citizens, regardless of whether or not a company is based in the EU.
Osman Husain
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.