Companies outside the European Union now have some much-needed guidance on the territorial scope of the EU’s General Data Protection Regulation to determine whether they are directly subject to the GDPR’s stringent data-privacy protection requirements.
On Nov. 23, 2018, the European Data Protection Board (EDPB)—the European Commission body tasked with ensuring that the GDPR is applied consistently across the EU—released the first official guidance on how the GDPR will be applied in practice. Although still in draft form, the guidelines provide important insight on how the regulation applies to companies and activities outside the European Union.
Since taking effect in May 2018, the GDPR has left many companies flummoxed. “The GDPR’s territorial scope of application has become one of the most difficult issues to pin down,” Eduardo Ustaran, a partner in the global Privacy and Cybersecurity practice of Hogan Lovells, wrote in a...