The European Union's draft data protection regulation (the Regulation) contains new and controversial extra-territorial provisions extending the Regulation's reach to some companies based outside the European Union.
Organisations processing personal data about European residents will be subject to the Regulation if they:
offer goods or services to data subjects in the European Union; or monitor behaviour of those data subjects (Profiling). These rules will bring many US tech companies within the scope of European data protection law, many of which have kept their data processing in the US in the past to avoid becoming subject to the current Data Protection Directive. International businesses which target residents through tracking, mining and targeted advertising will be brought into scope where previously the law may not have applied to their data processing activities. Given that US tech companies typically generate a third or more of their sales in the European Union, this change will have a major impact on their business models.
Sanctions for breach of the data protection duties under the new regime could include fines of up to 1 million or 2% of annual worldwide turnover for serious compliance failures.
Using Means: the current criterion
Under current European data protection law, if a controller is not established on Community territory, to come within the ambit of the European data protection law regime, it must make use of equipment, automated or otherwise, situated on the territory of the said Member State (unless such equipment is used only for purposes of transit through the territory of the Community), the so-called using means test.
The Regulation attempts to be more specific and more tailored to the protection of Union's data subjects: instead of the using means test, the Regulation will apply whenever there is an offering of goods or services to data subjects in the Union or if the processing activities are related to Profiling.
US lobbying on EU data protection reforms
US lobbyists, many working for large technology companies, have been seeking to limit the territorial extent of the Regulation. The US government itself has also been aggressively lobbying the European Parliament, which is currently reviewing the proposed reforms. The debate has shown how much Europe and the United States differ on privacy rights and their role in the data-driven online economy.
US technology companies are arguing that it would...