The General Data Protection Regulation (GDPR) is a new European privacy law with a global impact. The regulation became effective on May 25, 2018, and regulates how organizations use and treat the personal data of individuals residing in the EU, regardless of whether the organization responsible for the data collection or processing is physically located in the EU. The GDPR gives individuals residing in the EU certain additional rights over how their personal data is handled.
Article 3 of the GDPR describes the territorial scope of the regulation. Article 3 makes it clear that organizations located in the EU fall within the scope of the GDPR. It seems obvious enough that a company physically located in the EU would be required to comply with EU regulations. So, why has the GDPR been dubbed a “global privacy law?” The answer to this question can be found in the second paragraph of GDPR Article 3, which breaks down the elements triggering GDPR applicability to organizations located outside the EU. In summary:
IF a company has no physical presence within the EU, and either
(a) that company offers its goods and services to EU residents, or
(b) that company monitors EU residents’ behavior (to the extent that behavior is taking place within the EU),
THEN that company is required to comply with the GDPR.
So, the key takeaway is that even if a company isn’t located within the EU, if it offers “goods/services to EU residents” it would still be on the hook for complying with the GDPR.
Many financial institutions are impacted by the GDPR based on their international presence and physical locations within the EU. One of the many GDPR obligations facing GDPR-impacted organizations is the requirement to enter into data processing agreements with all vendors that process EU personal data on their behalf. Understandably, some companies are anxious about this requirement and have reached out to vendors indiscriminately asking them to sign data processing agreements without consideration of the products and services offered in the arrangement.
This is where the triggering territorial scope elements described above become key, and a deep understanding of the data flows and interactions is critical to properly assessing responsibilities and appropriate approaches.
Here are some practical scenarios that a financial institution might run into where there could be questions about the scope of GDPR:
Checking Accounts and Products for Accounts opened in the US
Financial institutions regularly open accounts for US-based customers. Financial institutions know quite a bit about the retail customer through their KYC processes, and typically a US address is obtained at the time a customer opens their US account. Let’s imagine that the banking customer later moves to the European Union and wishes to maintain their US-based checking account. The banking customer is free to do so. However, the mere act of now residing in the EU and requesting that checks be mailed to an EU address does not necessarily trigger GDPR obligations. In other words, the GDPR does not supersede the US terms and laws the banking customer previously agreed to when opening the account.
Remote Deposit Capture
I lived in Ireland for a year while completing my LL.M studies at University College Dublin. While living in Ireland, my dad mailed me a check from his US checking account. I am a big fan of remote deposit capture and took a photo of the check and deposited the check to my US-based checking account. Even though my transaction took place while within the EU, my action did not trigger GDPR compliance.
The European Commission has issued some very helpful guidance explaining why neither of the above-referenced scenarios triggers GDPR compliance. The guidance can be found in the Commission’s article titled “Who does the data protection law apply to?”
The pertinent information from the guidance is as follows:
When the regulation [GDPR] does not apply
“Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”
While there remains quite a bit of confusion (and frankly misdirection and misinformation) in the market, the European Commission’s guidance makes it clear that just because a service such as remote deposit capture, mailing a payment, or receiving checks can be utilized while within the EU, it does not automatically follow that these actions trigger GDPR compliance obligations for the organization offering the services. For an organization located outside of the EU and not engaged in behavior monitoring of EU residents, the true test of whether it falls within the scope of the GDPR is whether it is targeting its services at individuals residing in the EU.