Do I Need to Comply with the GDPR?

The General Data Protection Regulation (GDPR) is a new set of privacy laws protecting residents of the European Union. The GDPR states that any entity which collects or processes the personal data of residents of the EU must comply with the regulations set forth by the GDPR.

The GDPR is very straightforward in saying that any entity which collects or processes personal data from residents of the EU must be compliant with the GDPR. This new level of reach is intended to ensure that the rights and privacy of citizens in the EU remain protected no matter where they are on the internet.

It does not matter if the company collecting the data is based outside of the EU, or if the majority of a website's users are not residents of the EU. The GDPR is designed to protect the rights and privacy of its residents regardless of who is handling their personal information.

Am I under the jurisdiction of the GDPR?

Let's say you are a United States-based app developer releasing a mobile game. For your game, users are prompted to create an account. During registration, user information is requested including the user's name, age, and email address. This game is available via your website as well as the Google Play Store.

So, would your app be subject to the GDPR?

Maybe.

Since your app collects personal data from its users (name, age, and email address), it is regulated by privacy laws. Since you are based in the US, you must comply with US privacy laws, such as CalOPPA (CalOPPA protects the data collection of residents of California, similarly to the GDPR for the EU).

The real question then is, do you have users in the EU?

If you released your game on both US and EU app stores, then you must comply with the GDPR. If you only released your game in US app stores which are unavailable to international users, then you do not need to comply with the GDPR.

However, if your app was also made available on your website and your website is available worldwide, then you should comply with the GDPR as it is possible that residents of the EU may download and register their information in your game.

Likewise, if you offer shipping to the EU, mention the EU on your website, or sell products in EU currency, this will be seen as targeting residents of the EU and will therefore require compliance with the GDPR.

The following questions can help you determine if you are under the jurisdiction of the GDPR:

• Do you have users or subjects in the EU?
• Do you collect or process any personal data from those users or subjects?
• Do you target residents of the EU or are residents of the EU part of your intended market?

If you answered yes to any of these questions, you should comply fully with the GDPR.

The distinction between "users" and "subjects" in this case is that the GDPR applies to data processors as well as their parent company. What that means is, even if your company is a data processor or third-party tool without users of its own, if you process the data that another entity has collected from its users in the EU then you are still under the jurisdiction of the GDPR.

While that data may not come directly from users of your app or website, they are the users of another app or website and you are processing their personal data as subjects of your service.

This distinction helps to avoid companies outsourcing data processing services in order to bypass the GDPR, hence the distinction of applying to any entity that collects or processes the personal data of residents of the EU.

What the law says

Article 3 of the GDPR discusses the concept of territorial scope, explaining who falls under its jurisdiction:

The GDPR is abundantly clear in its stating that geographic location is a non-issue so long as the company in question is offering goods and services or simply monitoring behavior. Because the latter is not overly specific, general consensus is that any collection or processing or personal data from outside the EU should be backed by compliance with the Regulation.

Recital 23 clarifies to what extent intent of the company plays in determining the responsibility for compliance with the GDPR:

But while this section gives us some examples of what might constitute intent to target residents of the EU, it is not abundantly clear under what circumstances companies are not required to comply. Until we receive further clarification, it is not advised to risk failing to comply based on an argument over your level of intent.

When in doubt, comply.

Where are my users located?

As you have probably already figured out, the need to comply with the GDPR hinges on the location of your users and not on your location. If your website is based in the US, operates exclusively out of the US, and only collects personal data from residents of the US, then you probably don't need to comply with the GDPR.

However, if your website is based out of an EU country, operates in some facet from an EU country, or collects personal data from residents of the EU (regardless of where it is located), then you need to be compliant with the GDPR.

Even if your website is not intending to serve users of the EU, it is important to know how much EU traffic you are getting and if it is enough to warrant compliance with the GDPR. Currently, the following countries are a part of the European Union and protected under the GDPR:

• Austria
• Belgium
• Bulgaria
• Croatia
• Republic of Cyprus
• Czech Republic
• Denmark
• Estonia
• Finland
• France
• Germany
• Greece
• Hungary
• Ireland
• Italy
• Latvia
• Lithuania
• Luxembourg
• Malta
• Netherlands
• Poland
• Portugal
• Romania
• Slovakia
• Slovenia
• Spain
• Sweden
• United Kingdom

If your analytics tools or web hosting service reports traffic originating from any of the countries listed above, and you collect or process personal information, then you should be compliant with the GDPR.

In some cases it is more obvious than others to tell where users are located. For example, certain app stores or websites only serve residents of a certain country (think Amazon US vs Amazon UK). In these cases, the app or website is only intended for users in a certain country, making the distinction clear.

In other cases, however, a website may be available worldwide, meaning users may or may not come from any given country. If you run such a website, and that website collects personal data from its users, you must find out whether any of your traffic is coming from the EU in order to determine if you must comply with the GDPR.

Best practice when serving users worldwide is to be compliant with the GDPR regardless of your current traffic. The reason is that you may not have users in the EU currently, but if you begin to attract users from the European market then you would be violating the GDPR by collecting data from those individuals without being compliant with their privacy laws.

Fortunately, since this essentially boils down to a question of whether or not your users are located within the EU, there are ways you can find out this information from analytics tools such as Google Analytics or your web hosting service.

Conclusion

The scope of the GDPR reaches far and wide, affecting both domestic and international companies. Whether you collect or process personal data, use a third-party service that does, have few or many users who reside in the EU, or simply plan to expand into the European market in the future, it makes sense to be compliant with the GDPR to avoid potential hefty fines and future complications.

If you website is truly designed and intended strictly for a non-European user base (such as the US) and you do not collect or process the data of residents of the EU, then you do not need to comply with the GDPR. However, in the modern age of the internet it is easy to send and receive information anywhere in the world in the blink of an eye, and the GDPR does not leave much room for negotiation. If there is any question as to whether or not you should comply with the GDPR, it may be safer to simply follow the regulations and take advantage of the European market.

Looking to the future

Even if you are not currently required to comply with the GDPR, there is certainly no harm in doing so. Companies planning on expanding into the European market in the future may opt to become compliant now along with those who are required to do so. There are currently a lot of resources available for becoming compliant with the GDPR, so if you plan on becoming compliant in the future, taking advantage of these resources now is not a bad idea.

You can also expect other countries to follow suit with the EU by updating their own privacy laws. The GDPR is the most modern and one of the strongest sets of privacy laws to date, setting a good example for countries around the world.

It also simply looks good for companies to be GDPR-compliant even if they don't have users from the EU. Compliance with the GDPR shows that you value the privacy of your users and take the utmost care to protect their rights and personal information, even beyond the means to which you are legally required.