GDPR and Overseas Businesses: Beware the Standard Contractual Clauses

Most businesses should be aware by now that the General Data Privacy Regulation (GDPR) takes effect this week in the territory of the European Union, and extends its effect to certain overseas businesses. In their attempts to achieve compliance, many companies that know or suspect that they will be transferring data from the EU to third country locations have already begun requesting that their business partners sign data privacy addenda (DPA’s). These DPA’s include the European Commission’s Standard Contractual Clauses (SCC’s), which were originally designed for the 1995 Data Directive.

A business located overseas should look very carefully at any DPA’s they are being requested or demanded to sign. The SCC’s included in many of these DPA’s specifically require the overseas company to consent to the jurisdiction of European courts and the application of European law. This is meant to protect the rights of the original European data subject. However, the mere fact that an overseas business exchanges data with a business that handles data from Europe, does not make compliance with the GDPR necessary. The overseas business may very well be outside the GDPR’s reach.

The GDPR applies to overseas companies only where those companies have “establishments” within the territory of the EU, offer goods or services to persons located in the EU, or “monitor” the activities of persons located in the EU (including the use of cookies and other online tracking tools). These three bases of jurisdiction can be very broad under the guidance given by EU regulators and the decisions of European courts interpreting similar terminology in the 1995 Data Directive. However, the mere fact that an overseas company may be receiving data from a controller or processor of EU-origin data does not necessarily subject the overseas company to the GDPR. Businesses located in the United States, in particular, should be very careful before signing DPA’s that subject them to European data laws, since the difference between U.S. and European data obligations is quite significant, and some of these businesses would not otherwise be subject to European law.