Where does GDPR apply? The answer isn't so simple
GDPR will likely be challenged in U.S. courts by an American company receiving a fine, and objection to the regulation may come down to a decades-old piece of legislation. The Civil Rights Act of 1964 outlaws national origin discrimination in places of public accommodation, such as an office or a store. Websites have been qualified as places of public accommodation before, and if the courts rule this is the case with GDPR, then the ban on national origin discrimination may cause friction with the EU's upcoming regulation, according to an Attorney IO report based on interviews with 129 law professors about GDPR.
GDPR gives rights to individuals whose data is being processed or transmitted in the EU, from native EU citizens to American tourists who visit an EU country, use a service like Facebook while on the trip and then return home, according to the report.
GDPR would disproportionately benefit EU citizens who move to the U.S. over American natives, which could invoke the "disparate impact" doctrine by conferring an advantage to a protected class, according to the report.
Though there are fewer than 10 days until the regulation takes effect, confusion still abounds about where and to whom GDPR applies. Application rests on the EU as the point of processing or transmission, regardless of whether a company is located in the EU or not.
EU citizens abroad using digital services located outside of the EU will not benefit from GDPR's protections unless the data crosses into EU borders.
While most businesses with an EU footprint have conceded — albeit reluctantly for many — that adhering to GDPR's mandates is a business necessity, some still stand in defiance of the regulation's extraterritorial scope.
Some companies, such as Unroll.me and Verve, have opted to shut down European operations instead of complying with GDPR. For companies with a minimal European footprint or heavy personal data processing or controlling, such measures may be more cost-effective and practical in the short term.
Other companies, such as McDonald's, have opted for geographic segmentation, ensuring that GDPR mandates are met in the EU and that all data processed and transmitted in the region does not leave, according to Abhi Bhatt, director of data and analytics at McDonald's, speaking at Talend Connect last week.
American legislators and regulators have taken note of GDPR, though it may be many years — if ever — until the U.S. passes an equivalent, sweeping data protection regulation.
The real effects of GDPR in changing the way customers and businesses approach and use data won't be felt for many years. Companies choosing not to comply with the regulation now or stepping out of the EU may still face a reckoning when this shift is completed, potentially necessitating a change in data practices and privacy policies as individuals hold corporate bodies more accountable.
- Attorney IO: What is the GDPR?
- The Irish Times: Net Results: Many US tech firms still dismissive of GDPR
Follow Alex Hickey on Twitter