GDPR: New Guidelines Adopted For Jurisdictional Reach

Good News for Non-EU Entities

There is good news for U.S. entities on the privacy front: on November 16, 2018, the European Data Protection Board adopted new draft guidelines clarifying the territorial scope of the GDPR, namely how the law applies to business entities located in different parts of the world (for our purposes, the United States).

To remind those who need a primer, the GDPR went into effect on May 25, 2018 and imposes significant requirements on “data controllers” (entities that determine the purposes and means of processing personal data) and “data processors” (third-party businesses that process data on behalf of data controllers). The law reaches entities established within the EU, and it also reaches entities outside the EU if they: (1) offer goods or services to persons in the EU; or (2) monitor the behavior of individuals in the EU.

Since almost every business with an online presence profiles or monitors the behavior of visitors to its website, the jurisdictional reach of the law looked both overbroad and clear in its intent. Given the severity of the penalties for violating the GDPR, this was not good news for U.S. businesses that collected data from individuals in the EU without intentionally targeting them.

Thankfully, the guidelines clarify which entities are considered established in the EU and which entities located outside the EU are nonetheless subject to the GDPR. The guidelines provide, in part, that a data controller located outside the EU will not be deemed an EU-based entity for GDPR purposes merely because its website is accessible in the EU. This is wonderful news. There are nuances, of course: you need to analyze your presence, if any, in the EU (even a single employee in the EU can matter); and you also need to ensure you are not “targeting” individuals who reside in the EU. Targeting can consist of offering goods or services to individuals in the EU, regardless of whether money changes hands, or of specifically monitoring the behavior of such individuals.

The guidelines also clarify that if a data controller is located outside the EU but uses an EU-based processor, that alone will not make the data controller subject to the GDPR. However, the EU-based processor in this situation will be subject to the GDPR provisions that apply to data processors. And, in this situation, the data controller must still ensure, by written contract, that its data processor handles the data in compliance with the GDPR. Therefore, knowing who is touching your data and where it resides remains a critical business concern.

Similarly, if you are working with a data controller that is subject to the GDPR, that data controller must still ensure by contract that you will process its data in accordance with the GDPR. Therefore, if you are processing data for clients in the EU, you should be prepared for those clients to require that you be contractually bound to various GDPR requirements.

This is merely a brief summary. To truly know whether your data activities are subject to the GDPR, and what your potential liability under that law may be, it is still advisable to map your data: know what data you collect, share and store, and where that data resides. If you want to discuss whether you are subject to the GDPR (or how to ensure you are not), feel free to reach out to me.

Next up: What the upcoming California privacy law will mean for you.

In a phrase: Data Mapping is the new normal.
