The EU has finally released clarifying guidelines on when the GDPR applies to organisations outside the EU. In particular:
- Just because people in the EU can view your website doesn’t necessarily mean that GDPR applies to you.
- It applies to you if you have a branch office or headquarters in the EU, even if you have outsourced the processing to cloud services based outside the EU.
- If you use cloud services that have a branch office or headquarters in the EU, the GDPR applies to that EU-based processor. This includes situations in which you collect data exclusively outside the EU but process it via an EU-based cloud service: the GDPR then applies to the European processor's handling of the data.
- It interprets processing 'in the context of the activities' of an EU establishment broadly. In other words, if you are in doubt about whether something is in context or not, the GDPR probably applies.
- Processing that is linked to your business model is covered by the GDPR, even if it only indirectly leads to revenue. For example, this includes personal data collected in exchange for 'free' services that is then used for marketing, targeting or resale.
- EU-based controllers are responsible for putting the required contracts in place (such as data processing agreements) to ensure that processors outside the EU comply with the GDPR.
That said, it looks like 'in context' and 'target market' are still not very clearly defined, and their interpretation is still left to the courts on a case-by-case basis.
For more information, see the European Data Protection Board's Guidelines 3/2018 on the territorial scope of the GDPR.