The General Data Protection Regulation (GDPR) is the most detailed data privacy legislation that Europe has ever passed. It took effect on May 25, 2018, and flipped the digital landscape.
In this legislation, all individuals and institutions in Europe are bound to GDPR compliance in protecting the personal information of its clients. The European Union created this regulation to ensure that the personal privacy rights of European citizens are protected at the EU level GDPR requirements create a uniform system of rules for data processing activities.
This article will further discuss the scopes and limitations of GDPR as it is applied to the US and its citizens.
United States (US) Inclusion to GDPR
While it is based on European Union (EU) legislation, this ground-breaking data security and privacy regulation extends significantly beyond the EU’s and the European Economic Area’s geographical borders (EEA). In some areas, it encompasses the United States of America, the EU’s second largest trade partner.
The GDPR’s entire purpose is to safeguard the personal data of EU citizens and residents. As a result, the legislation extends to entities that manage certain data regardless of whether they are in the EU, a concept recognized as an “extra-territorial effect.”
As specified in Article 3 of the GDPR, the law’s geographical reach is not limited to businesses in the EU/EEA. The legislation extends the GDPR’s processing rules to businesses based outside of the
EU/EEA if the following two requirements are met:
- Provides goods or services to EU/EEA citizens (even in the absence of commercial transactions); or
- Controls or tracks the activities of consumers inside the EU/EEA.
Therefore, organizations in the USA and other countries worldwide are covered under this regulation as long as they meet one of the above-mentioned conditions.
If a US business is required to comply with the GDPR requirements, it has the same stringent conditions as businesses based in the EU.
The GDPR regulates personal data processing activities in a variety of ways. Personal data can include identities, contact numbers, computer details (e.g., IP addresses, position data), biometric data, images, and videos.
US Citizens Inclusion to GDPR
Does GDPR apply to US residents? It’s perplexing to think about what occurs when Americans enter a country in the European Union considering the EU’s General Data Protection Regulation (GDPR). Does this legislation cover them?
Since the GDPR is a European Union law, it is easy to think that it just refers to all citizens of the Union. That is not entirely the case. Citizenship has little bearing on the GDPR’s geographical scope, and the GDPR never uses the terms “citizens” or “residents.” Instead, the GDPR simply refers to data subjects “in the Union,” with data subjects defined as “an identified or identifiable natural person.”
GDPR is not expressly concerned with an individual’s status as an EU resident. GDPR protects someone who lives in or visits an EU region. If an American travels to France, make a transaction in a shop, and are asked to include their name and address on an invoice, the shop must protect their information per GDPR requirements. They must be granted the same GDPR privileges and freedoms as all EU residents.
Individuals are granted certain privileges and liberties under the GDPR. The legislation imposes some restrictions on how businesses can use the personal details. It makes no difference where the business is located or has an office in any EU country. The regulations of GDPR exist whether a company collects or handles the personal data in the Union.
There is currently no law in the United States that protects the privacy of all citizens, only select categories of people, or industries. The Health Insurance Portability and Accountability Act (HIPAA), for example, establishes security measures to safeguard the privacy of patients and health plan members. It is applicable only with confidential health information gathered, processed, used, or transmitted by a HIPAA-covered body.
GDPR compliance will be easier for HIPAA-covered organizations if they apply the same standards in protecting all concerned individuals and their records. Adopting a more holistic approach to data security is more important to meet the GDPR requirements.
Relationship Between Location and Citizenship
The GDPR is location-based, not citizenship-based. The distinction between citizenship and place exists when we discuss non-EU people residing in the EU versus EU citizens residing beyond the EU, or when the good or service is provided inside or outside the boundaries of the EU.
Recital 14 of the GDPR notes that “This Regulation shall extend to all natural persons, regardless of their ethnicity or place of residence, concerning the collection of their personal details.” Below are example scenarios where GDPR can be applied:
A US citizen is on holiday in Germany. He places an online order for dinner from a Berlin restaurant and delivers it to the hotel where he is staying.
The GDPR legislation applies to this scenario since the ‘data subject’ (US citizen) is in an EU country and is supplying personal data for a good or service in the EU. The citizenry of the data subject is not significant.
A US citizen residing in Spain visits the website of a US clothing retailer and places an order for a dress, specifying her EU delivery address. The US clothing retailer advertises that it sells to Spain and offers the dress for sale in Euros.
The GDPR applies since the (i) data subject is currently residing in the EU, (ii) orders using an EU address and (iii) the US clothing retailer offers its goods to individuals in the EU. In this scenario, both the citizenship of the data subject and the store’s location are not significant.
GDPR plays an important role because it strengthens the security of European data subjects’ rights and clarifies the obligations of businesses who handle personal data to respect these rights.
The GDPR requirements center on the data processing activities, not citizenship, it includes personal data and information gathered from any EU country and includes either an EU or non-EU resident who is living or visiting an EU.
Any US business or company serving customers in the EU/EEA — or tracks their behaviour within this region — should consider GDPR compliance. The legislation protects US citizens who use their information abroad in the EU.
GDPR compliance comes with strict measures to penalize non-compliant businesses and organization if they fail to meet the GDPR requirements. giving this legislation a fang to regulate and protect EU data privacy values against violators.