What Countries is GDPR Applicable in?
One of the most common questions in relation to the General Data Protection Regulation (GDPR) remains which countries it is applicable in.
GDPR is European Union (EU) data protection legislation that was passed on April 27, 2016 and became enforceable on May 25, 2018. Despite the fact that it is EU legislation, institutions that are not located in the EU must be aware of its implications and be cautious to avoid breaching it. The physical location of the company or group does not exempt or shield it from facing the penalties for non-compliance.
Firms with bases in an EU country or that gather, process or store the personal data of anyone who lives within an EU country must comply with the GDPR. As businesses and other organizations usually have an international focus and reach, it is quite probable your organization will be required to comply with GDPR – especially if it is a body that operates or offers services over the Internet.
As previously stated, the geographical location of the institution, organization or business is less important in determining the need to comply with the GDPR than the physical location of the data subject – the person whose data is being gathered, processed or saved. Most organizations will find themselves subject to or affected by the GDPR. However, organizations located within the EU will likely see their practices change more significantly. This is due to the fact that they are much more likely to process a larger amount of data belonging to people located in the EU. Groups in the following countries, the EU member states, will probably be most impacted by the GDPR: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.
As the UK will be a member of the European Union when the GDPR comes into force, the regulation will become part of the UK’s domestic law under Clause 3 of the European Union (Withdrawal) Bill. The British Government is also currently debating a new Data Protection Bill which is closely linked to the GDPR with a few small exceptions (for example the right of individuals to have all social media postings from their childhood deleted) and exemptions (for example an exemption from the Data Protection Bill for journalists and whistle-blowers in certain instances).
Other EU Member States are also establishing their own national laws to complement the introduction of the GDPR. Most of them closely match the privacy and security obligations of GDPR and, where they deviate, the changes mostly relate to the age of consent for children, the need to obtain employees’ permission before processing their data, minor restrictions on the Rights of Individuals, and an extension of “special categories” when it is in the public interest.
GDPR will have a worldwide impact even with the relatively small and localized nature of the EU. Despite EU Member States being more likely to see the most change, non-EU countries are likely to see greater changes following the introduction of the GDPR. This is due to the fact that groups located within the EU are more likely to be prepared for the changes as they are more likely to be knowledgeable regarding the introduction of the GDPR. A large number of groups from outside of the EU are still unaware of the coming change or are of the opinion that they are exempt or will not be impacted.
There is also a sociological difference to consider: non-EU societies such as the United States (US) and others do not have the same expectation of privacy as many EU societies. Privacy laws have been developed for certain types of “sensitive” data, such as the Health Insurance Portability and Accountability Act (HIPAA), which regulates healthcare data; or the Gramm-Leach-Bliley Act, which concerns financial information; but “general” data does not enjoy the same protections. Due to this, only US-based organizations and businesses that have Privacy Shield certification will be able to transfer data outside of the EU.
The need to put in place, staff and operate parallel systems may introduce too much complexity and drive costs through the roof for US-based organizations and businesses to continue offering their services to the EU market. A possible strategy may be for US-based actors to implement an “all or nothing” approach that protects “general” data in a way currently kept for “sensitive” data. This may permit the same system to be used to comply with both HIPAA and the GDPR. As of now, it is not known whether many US groups will try to do this.
The GDPR imposes stringent controls on data transferred to non-EU countries or international groups. These are listed in Chapter V of the Regulation. Data is allowed to be moved only when the EU Commission has ruled that the transfer destination “ensures an adequate level of protection”.
Data transfers can also happen in situations where the receiving body can show that they meet this “adequate level of protection”, subject to a review every four years. The necessary protections may incorporate:
- Data protection clauses approved by the EU Commission
- Public authority-related legally binding agreements
- Certification approved by the EU Commission
- Corporate regulations that are enforced across different bodies within the same corporate group
The transfer of data is strictly controlled so as to offer each person in the EU the same protections and rights under EU law irrespective of where data storage or processing occurs. This has major implications for groups in the U.S. that gather, process or store the personal information of EU data subjects. U.S. data protection legislation is not considered strong enough by the EU to provide the required protection, and only groups certified under the EU-US Privacy Shield agreement will be deemed as being compliant with GDPR when it comes into force.