The new EU GDPR privacy rules can apply to businesses outside of the EU that provide goods and services to EU data subjects. It is important for businesses outside of the EU to know when they are subject to the GDPR, as penalties for non-compliance are significant. An occasional sale to someone in the EU probably won’t be an issue – but what will?
The European Data Protection Board just released for public consultation draft guidelines on when the GDPR applies to those without a presence in the EU.
Article 3(2) of the GDPR says it applies to businesses without an EU presence with activities relating to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
The guideline’s examples under the targeting criteria in (a) include:
- Having a website with an EU based TLD (such as .eu)
- Mentioning EU countries by name
- Having marketing aimed at an EU audience
- Using EU currency
- Offering delivery to the EU
The guideline’s examples under the behavioural monitoring criteria in (b) include:
- Behavioural advertisements
- Geo-localisation activities, in particular for marketing purposes
- Personalised diet and health analytics services online
- Market surveys and other behavioural studies based on individual profiles
- Monitoring or regular reporting on an individual’s health status
The guideline says that to be caught as “monitoring”, it must be with a specific purpose in mind for the collection and use of data on EU subjects.
Canadian companies should look at their websites, social media, and other marketing materials to see if they might cross the thresholds outlined in the guideline. And check again when the guideline is final. The choice is to either alter their practices to avoid the thresholds, or become GDPR compliant.
The guidelines are available here. Comments are being accepted until January 18.