New York City at SunriseDoes the GDPR Apply to Your US-Based Business?

Does the GDPR Apply to Your US-Based Business?

Does the European Union’s General Data Protection Regulation (GDPR) apply to your non-EU company? State-side, this is the million-dollar question that many US based companies are still grappling with today – some 8 months after the GDPR’s enactment.  

Long-promised and much-awaited Guidance from the European Data Protection Board (“Board”) on the territorial scope of the GDPR is here and attempts to provide clarification to that question.  

As adopted by the Board, the Guidance explains that the GDPR applies in situations where the “Establishment Test” or the “Targeting Test” is met – explained below.

The Establishment Test

The Board confirmed that the processing of certain personal data does not have to occur within the EU for the GDPR to apply.  Indeed, the “geographical location [of processing] is not important for the purposes of Article 3(1) with regard to the place in which processing is carried out, or with regard to the location of the data subjects in question.”

What is required, as per the Guidance, is that the entity be a processor or controller that is established in the EU and that the processing occur within the context of the activities of that establishment.

Establishment is a threshold of GDPR applicability.  So, what is establishment?  GDPR Article 3 defines establishment as “any effective and real exercise of activities”through “stable arrangements” in the EU.  Art. 3.  The Guidance further interprets the concept of establishment by citation to pre-GDPR case law from the Court of Justice of the European Union (CJEU) which found “establishment” where a company:

      – Had (a) a website in the Hungarian language for the purpose of advertising in Hungary; (b) a representative in Hungary serving as a point of contact between that company and the data subjects; (c) a Hungarian postal address and a letter box; and (d)a bank account intended for the recovery of debts. See Weltimmo v. NAIH;

      – Processed personal data where such processing was “inextricably linked to” and carried out “in the context of … activities” of the company’s subsidiary which was located in an EU member state. See Google v Costeja (Google Spain).

Got it?  Not quite.  The Guidelines also provided a handful of helpful case studies, including the following theoretical:

A China-based e-commerce website conducts data processing activities exclusively in China. The same company has established an office in Berlin to implement commercial prospection and marketing campaigns towards EU markets.

Does the GDPR apply?  Yes, according to the Guidance, the activities of the Berlin office are inextricably linked to the processing of personal data carried out by the Chinese company, insofar as the commercial prospection and marketing campaign towards the European Union markets notably serve to make the service offered by thee-commerce service profitable.

Lest application of the GDPR feel like a law school exam, there is a second test for applicability – the Targeting Test, which the Guidance also helps to clarify.

The Targeting Test

The GDPR also applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union where the processing activities are related to: (a) the offering of goods or services to data subjects in the European Union (regardless of whether or not payment is required); or (b) the monitoring of the data subjects’ behavior as far as their behavior takes place within the European Union.

Let’s break that down.    

In the European Union

The Guidance confirms that the “in the EU” portion of the test does not require citizenship or residence in the EU.  Any data subject located in the European Union is entitled to the rights and privileges afforded by the GDPR, regardless of whether that subject is an EU citizen or resident of a member state.  

Offering Goods and Services

To determine whether your non-EU company is offering goods and services to data subjects located in the EU, the Guidance provides a series of factors for consideration:

     – paying a search engine operator to facilitate access to consumers in the EU;

      – mentioning contact details to be reached from a Member State;

      – using a top-level domain name other than that of the third country where the processor or controller is established;

      – offering the delivery of goods to Member States;

      – using a language or currency other than that generally used in the trader’s country;

      – offering a description of travel instructions from one Member State to the place where the service is provided;  

     – identifying international clientele in various Member States.

This Guidance, plus an earlier Recital of the GDPR, make clear the goods and services part of the Targeting Test remains highly fact-sensitive and subjective.

Monitoring Behavior

The Guidance provides most clarity when it comes to the monitoring behavior grounds of the Targeting Test.  There are numerous methods to monitor online activities including, most notably, the use of first-party cookies.  The use of cookies, or the “online collection or analysis of personal data of individuals in the EU” does not automatically constitute “monitoring” under this test. Rather, the collection must be for purposes of profiling or analyzing the behavior of that person. Specifically, and citing back to an earlier Recital, the Board states that to constitute monitoring, the purpose of the collection should be to “profil[e] a natural person, particularly in order to make decisions concerning her or him or for analy[z]ing or predicting her or his personal preferences, behaviors and attitudes.”  Indeed, the use of the word monitoring“implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behavior within the EU.”   Thus, it could be argued that the GDPR would not apply to a non-EU based company that “inadvertently” tracks EU-based persons through website cookies provided that information is not used for profiling and behavior monitoring.  

The Board clarified that other types of technology involving personal data processing, such as wearable and smart devices, may also be a method by which monitoring behavior subject to the GDPR can occur.  In sum, there are no hard and fast rules here.  A case-by-case assessment needs to be performed in order to establish whether “monitoring” is performed.

While some unanswered questions remain, the Guidelines set out to clarify the criteria for determining the applicability of the GDPR to your US-based company.  The attorneys at Beckage PLLC are fully equipped to help companies big and small navigate the territorial scope issues surrounding GDPR applicability and help reduce your risk and exposure under the new law.

DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.  If you have any questions, please contact an attorney at Beckage. or

circuit boardThe Importance of an Incident Response Plan

The Importance of an Incident Response Plan

As recent news headlines confirm, data breaches continue to be a threat to companies regardless of size. From reputational harm, disruption to your daily business, to significant monetary penalties and litigation, the potential consequences of a data breach are significant. It is more important than ever that companies evaluate their cybersecurity readiness plan, from policies and procedures to privacy concerns under the GDPR to ensure they are ready if a breach occur. While there is no one-size fits all approach to preventing data breaches, there are many best practices companies can employ to help minimize the risk of being breached. From regular conducting risk assessments and inventorying of the data that you collect to developing and testing your incident response plan, preparation is the name of the game. One component of your data security program, an Incident Response Plan, is an important step you should have in place to help mitigate and contain an incident if one occurs.

What is an Incident Response Plan?

An Incident Response Plan sets forth the company’s procedure for identifying, reporting and responding to an incident should one occur. It ensures that everyone is on the same page if a data breach happens. At a minimum, here are some key elements that an Incident Response Plan should include:  

   1) Policy scope and definitions.

   2) Identify Incident Response Team Members and outline roles for each.

   3) Outline procedures for identifying, reporting and responding to an incident.

   4) Set forth the legal obligations for reporting and notice to potentially impacted persons.

   5) Identify how often the Incident Response Plan will be reviewed and updated.

   6) Post-incident analysis procedures.

Developing an Incident Response Plan is not the end of the road, however. Your Incident Response Plan is a living and breathing document and the best way to know if it actually works is to test it consistently. Simulated cyber incidents that force your company to work through the procedures in your plan must be tested, gaps fixed, and improvements made. Simulated incidents with counsel are ideal to help identify legal risks along the way and help put the company in a legally defensible position.

It is very important to have your Incident Response Plan reviewed by Legal Counsel to ensure it satisfies your legal obligations under various state, federal and international laws. Beckage attorneys are fully equipped to help you navigate this process and help reduce your risk and exposure should a data breach occur.

DISCLAIMER: This client advisory is for general information purposes only. It does not constitute legal advice, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.