Skip to main content
close search
site logo
Dive Brief

Where does GDPR apply? The answer isn't so simple

Published May 16, 2018
By
Associate Editor

Dive Brief:

  • GDPR will likely be challenged in U.S. courts by an American company receiving a fine, and objection to the regulation may come down to a decades-old piece of legislation. The Civil Rights Act of 1964 outlaws national origin discrimination in places of public accommodation, such as an office or a store. Websites have been qualified as places of public accommodation before, and if the courts rule this is the case with GDPR, then the ban on national origin discrimination may cause friction with the EU's upcoming regulation, according to an Attorney IO report based off interviews with 129 law professors about GDPR.

  • GDPR gives rights to individuals whose data is being processed or transmitted in the EU, from native EU citizens to American tourists who visit an EU country, use a service like Facebook while on the trip and then return home, according to the report.

  • GDPR would disproportionately benefit EU citizens who move to the U.S. over American natives, which could invoke the "disparate impact" doctrine by conferring an advantage to a protected class, according to the report. 

Dive Insight:

Though there are less than 10 days until the regulation takes effect, confusion still abounds about where and upon whom GDPR applies. Application rests on the EU as the point of processing or transmission, regardless of whether a company is located in the EU or not.

EU citizens abroad using digital services located outside of the EU will not benefit from GDPR's protections unless the data crosses into EU borders.

While most businesses with an EU footprint have conceded — albeit reluctantly for many — that adhering to GDPR's mandates is a business necessity, some still stand in defiance of the regulation's extraterritorial scope.

Some companies, such as Unroll.me and Verve, have opted to shut down European operations instead of complying with GDPR. For companies with a minimal European footprint or heavy personal data processing or controlling, such measures may be more cost effective and practical in the short-term.

Other companies, such as McDonald's, have opted for geographic segmentation, ensuring that GDPR mandates are met in the EU and that all data processed and transmitted in the region does not leave, according to Abhi Bhatt, director of data and analytics at McDonald's, speaking at Talend Connect last week.

American legislators and regulators have taken note of GDPR, though it may be many years — if ever — until the U.S. passes an equivalent, sweeping data protection regulation.

The real effects of GDPR in changing the way customers and businesses approach and use data won't be felt for many years. Companies choosing not to comply with the regulation now or stepping out of the EU may still face a reckoning when this shift is completed, potentially necessitating a change in data practices and privacy policies as individuals hold corporate bodies more accountable.

Recommended Reading

Filed Under: IT Strategy

Editors' picks

Company Announcements

View all | Post a press release
truCX Launches Groundbreaking Partner Portal, Empowering CX Consultants and Trusted Advisors w…
From truCX
October 30, 2024
Newgen Recognized in Gartner® Magic Quadrant™ for Enterprise Low-code Application Platforms Fi…
From Newgen Software
October 30, 2024
Newgen and Fadata Join Forces to Optimize Insurance Content Management
From Newgen Software
November 13, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
Editors' picks
Latest in IT Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell