Whether you know it or not, on May 25, 2018 the data privacy regulatory landscape for many companies changed dramatically. This was the implementation date for the European Union’s General Data Protection Regulation. (GDPR). The GDPR is intended to be a comprehensive and unified data privacy regulation applicable across all European Union member states. A large goal is to create uniform rules and enforcement. The GDPR imposes many requirements on entities that collect, store, use or share personal data of individuals. The detailed requirements are beyond the scope of this article, but generally, the mandates seek to give individuals more control over personal data and encourage companies to handle personal data appropriately. There is little doubt that the GDPR will place burdens on many companies, and the penalties for noncompliance can be colossal. Yet, many companies may not even realize that the GDPR applies to them.

Two types of entities fall under the auspices of the GDPR.

The first is relatively simple: Companies located in the European Union who collect, store, use, transfer or otherwise process personal data are subject to the GDPR. While seemingly simple, there is one subtlety that should be considered in this category. In today’s connected IT environment, companies not located in the European Union may process personal data located in the European Union and not even know it. Cloud providers or physical servers may be located in European countries. Vendors or partners may be located in Europe. European Union regulators are expected to apply the GDPR as broadly as possible. Companies may be considered “in” the European Union if they process personal data in the European Union even if they are based elsewhere.

The second category leaves more to interpretation but is also much more important and inclusive. It is this second category that purports to apply to many, many companies worldwide. For the second category to apply, two elements must be met:

It is widely expected that the supervisory authorities responsible for enforcing the GDPR and European citizens bringing private suits will cast the net as widely as possible. While the GDPR recitals state that simply having a website is not enough to fall under the GDPR, arguably any company with a website is available to offer goods and services to citizens of the European Union. Therefore, it helps to consider some things that may suggest a company is offering goods and service to customers in the European Union. Is the company advertising in Europe? Is a website available in European languages? What type of goods or services does the company offer, and would they be of interest to citizens of Europe? What percentage of a company’s customers are actually from the European Union?

Taken in its broadest sense, this second category could apply to many companies with any significant internet presence; the large, consumer companies to which the GPDR would not apply may be the exception rather than the rule. This is especially true of the hospitality industry, which by its very nature caters to and offers services to travelers in diverse locations, including the European Union. The purported scope of the GDPR is very broad, but it is obvious that the farther removed from the European Union and its citizens the less likely European Union regulators will pay attention. However, for most larger companies in the hospitality industry, the best practice is to do a reasonable assessment of the company's activities and customer base rather than assume geographic location means the GDPR does not apply. Simply ignoring the GDPR could lead to an unwelcome surprise enforcement action from regulators or a private suit from an European citizen.
 

Sean Cox, CIPP/US, is an attorney in the Atlanta office of Hall Booth Smith. His practice involves both domestic and global data privacy and security regulation.