I don’t know about you, but I’ve seen plenty of people saying that the upcoming GDPR only applies to EU Citizens. Nope. This is a major misconception. Let me clear this up a bit.
The GDPR applies:
a) to the processing of personal data in the context of the activities of an establishment of a data controller or a processor in the EU, regardless of whether the processing takes place in the Union or not.
b) on a long-arm, extraterritorial basis to organisations which offer to sell goods or services to, or who monitor, individuals in the EU.
“Establishment” means the effective and real exercise of activity through stable arrangements (the legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect).
And what does “in the context of activities of an establishment” mean? I think the Google Spain case decided by the Court of Justice of the European Union is really helpful here.
In that case, which concerned a request from a Spanish citizen requiring Google not to display certain information relating to him in response to a search against his name, it was found that the activities of Google Spain SL in promoting and selling advertising space in Spain on behalf of Google Inc. were enough for the “context of activities” criterion to be satisfied under the data protection directive.
This was the case notwithstanding that Google Spain SL was not itself involved with the functionalities of the search engine and, therefore, the actual processing of the data. The CJEU held there was sufficient connection between the activities of Google Spain SL and the search engine’s data processing activities that: ‘… the activities … in [Spain] … are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine … economically profitable and that engine is, at the same time, the means enabling those activities to be performed’.
As you’ve probably noticed, nowhere so far has the term “EU Citizen” even been mentioned. That’s because it’s not anywhere in the GDPR. What matters is establishment in the EU (including activities that are inextricably linked to that establishment) and selling to and monitoring data subjects in the EU. That’s the data processing that the GDPR applies to. Which is why, practically, it has a far larger scope than just EU citizens. Don’t get caught short.