Who does the GDPR apply to?
3 Common GDPR Myths

The European Union’s General Data Protection Regulation (GDPR) has been one of the most discussed topics in security and privacy of late. However, a number of misconceptions have been repeated across numerous platforms. Here, I’m looking to dispel three of these myths that I’ve seen crop up in various discussions and in contracts relating to the GDPR:

Myth #1: The GDPR Applies only in EU Member States

The GDPR is in effect as a matter of law in all member states of the EU, and also in the European Economic Area/European Free Trade Association (EEA/EFTA) states: Iceland, Liechtenstein and Norway.

The GDPR is not effective as law in Switzerland, which is confusing because Switzerland is an EFTA member but not an EEA member.

Myth #2: The GDPR Applies to EU Citizens Only

The GDPR does not apply solely to EU Citizens, but actually to any EU or EEA/EFTA persons. Compare this to the United States’ Bill of Rights, which clearly calls out “no person shall” rather than mentioning citizenship. This means anyone, regardless of their nationality, is protected by the GDPR while they are physically present in an EU member state or EEA country.

It also means businesses based in EU or EEA/EFTA states must comply with the GDPR as well. At the very least, GDPR compliance would be required whenever offering services in EU or EEA/EFTA states, or to persons located in those areas.

Myth #3: The GDPR Applies to EU Citizens Worldwide

The GDPR does not apply to EU Citizens worldwide, but rather only when the person or the business involved is located in, or offering services in, an EU or EEA/EFTA state. For example, let’s say an EU Citizen were to come to New York and log on to a local food ordering web site to have a pizza delivered to their hotel. The data gathered as a result of this transaction would not be protected by the GDPR, because:

  • The good or service is being offered outside of the countries where the GDPR is effective as law; and
  • The individual was located outside the jurisdiction of GDPR signatory countries during the time the data was gathered; and
  • The food ordering business is based entirely within the United States and does not have any operations in EU or EEA/EFTA countries.

I’ve seen this particular misconception pop up repeatedly, seemingly ignoring long-standing international norms about personhood and national sovereignty.

Closing Thoughts

Since the passage of the GDPR, companies worldwide have been struggling to adopt a compliance strategy. While it’s important to comply with the GDPR when applicable, it’s also important to avoid developing industry best practices in areas where compliance is not in fact required.

It’s important for security and privacy teams outside of Europe to thoroughly understand the GDPR in order to avoid jumping through unnecessary hurdles while achieving the compliance European-based users will certainly expect.