In the first case of its kind, the High Court of England & Wales1 has considered the limits on the extraterritorial reach of the European Data Protection Regulation (GDPR). The High Court concluded that GDPR did not apply to a US website where there was no establishment in the UK (or Europe) and where it didn't target UK (or EU) customers.
Note: Although this case was decided by the High Court, the matters complained of occurred prior to Brexit. The High Court ruling therefore deals directly with the GDPR. It will continue to be relevant after Brexit as the UK's data protection legislation substantively mirrors the GDPR provisions.
The European data privacy regulation, the GDPR, has extraterritorial reach in certain circumstances, which means that many businesses based outside Europe find themselves subject to its burdensome obligations for processing personal data.
Until now, businesses have been lacking clarity regarding exactly how far GDPR's extraterritorial reach extends.
Relevant to this case, the GDPR can apply to businesses outside of Europe in any of the following circumstances:
- Where there is the processing of personal data in the context of the activities of an establishment of a business in Europe (even if the processing happens outside of Europe); or
- Where the processing relates to the offering of goods or services, irrespective of whether a payment of an individual is required, to European individuals; or
- Where the processing relates to the monitoring of the behaviour of European individuals, as far as their behaviour takes place within Europe.
Continue reading the full GQ | Littler article here.
1 The High Court of England & Wales is a senior court with jurisdiction in England and Wales only (Scotland, for example, has a separate equivalent court).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.