One of the more complex issues with the new GDPR is what’s being called “extraterritoriality.” As proposed by EU Parliament, the GDPR will apply to any data transferred outside the EU zone.
So under these new rules, if a US company collects data from EU citizens, it would be under the same legal obligations as though the company had headquarters in say France, UK, or Germany — even though they don’t have any servers or offices there!
Legal experts note this may not be that easy to enforce, but if a large enough multinational breaks one of the rules — such as the DPR’s new strict breach notification requirement — my guesstimate is that the EU regulators will likely target it.
Obviously, extraterritoriality is particularly relevant to core web services such as search, social networking, e-commerce, companies that allow you to rent apartments online, etc.
You can map these to your own favorite app to figure out who would be affected.
Under the old rules in the Data Protection Directive (DPD), there was some wiggle room that allowed data collectors to escape having to follow the regulations. A common practice was for service or app providers to keep their data processing outside the EU.
The idea was that if the main processing and servers weren’t located in the EU zone, then the rules didn’t apply.
Companies such as Google, Facebook, and other social networking companies were following this approach.
Not so fast!
Google was famously making this argument when a Spanish DPA asked it to remove a listing in a search result. The case eventually made its way to the EU’s highest court, the ECJ, which ruled against Google last year.
The long arm of EU law prevailed: the specific search listing was removed.
Ultimately, the GDPR applies to EU based companies and companies that collect data of EU citizens, regardless of a physical presence in the EU.