Does the GDPR apply to US companies?

Yes. The GDPR was designed to capture US companies, especially US tech companies. Even if a company is not a tech company, it can easily be brought under the wider territorial scope of the GDPR.

Per Article 3(1), the GDPR applies to the processing personal data “in the context of the activities of an establishment” of any organization with the EU.  “Establishment” means the “…effective and real exercise of activity through stable arrangements”. Importantly, the “…legal form of such arrangements…is not the determining factor”. See Recital 22. This language could be broadly interpreted by EU authorities to include not only a locally functioning subsidiary but potentially something as small as the activities of a single salesperson.

The Court of Justice of the European Union has found that Google was “established” in the EU with its Spanish-based sales and advertising operations. See Google Spain SL, Google Inc. v AEPD, Mario Costeja Gonzalez (C-131/12). It also has found that a Slovakian property website was subject to Hungarian data protection laws because it was “established” in Hungary. See Weltimmo v NAIH (C-230/14).

More and more companies are becoming digital in the sense of using websites, apps, services and other technologies that span the globe.  US companies should error on the side of caution by preparing for the possibility of having the GDPR applied to them.

Leave a Reply

Your email address will not be published. Required fields are marked *