Does GDPR apply to EU citizens in the United States

The use of the words ‘citizen of the European Union’ can be confusing in the context of the General Data Protection Regulation (GDPR). For GDPR compliance requirements, it makes more sense to talk about individuals who are located “in the Union” (within the EU), and indeed Controllers or Processors based in the EU. It is difficult to find the word “citizen” in the GDPR text, and it’s only mentioned once in a Recital not in the core Articles.
It’s preferable not to refer to “citizens” when analyzing GDPR. Indeed, the language that is used most consistently throughout the GDPR is “natural person” or “data subject” and “personal data” means any information relating to an identified or identifiable natural person (‘data subject’)
This is because the GDPR stipulations apply when personal data is processed of a data subject who is located in an EU country at the time the data is processed. Therefore, an American passing through a Duty Free shop in Europe would have GDPR apply to his or her data processed during that transaction,
This is not the full extension of GDPR
The Article 3 (1) expands the definition of the Data Subject even wider to potentially include almost anyone in the world by the application of GDPR to EU Data Controllers and Data Processors and their operations even where processing takes place outside the union.
Article 3 (1) states: “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
Therefore, by a Controller or Processor based in the EU that processes data of data subjects located anywhere in the world, for example a Chinese data subject living in China, and whose data is being processed by an EU-established Data Controller or Processor can also expect GDPR to apply.
A “Controller” under GDPR is the organisation or company that determines the purposes of the processing of personal data where a “processor” carries out the processing of the personal data on behalf of the “Controller”. A “processor” can further engage “sub-processors” and the “Controller” would have visibility and approval rights over these “sub-processors”.

What about a Data Subject from the EU Living or Visiting the US?
The most important factor for determining GDPR compliance obligation is the controller or processor and where they are established.
As explained earlier, a data subject under the GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, a data subject can also be anyone and anywhere in the world in the context of EU established Data Controllers or Data Processors.
Therefore, a data subject from the EU living in the US would fall under the GDPR should their personal data be processed by an EU established Data Controllers or Data Processors, including where a US based sub processor is acting on the instructions of an EU established Data Controller or Data Processor.
Conversely, a data subject from the EU living in the US would not fall under the GDPR should their personal data be processed by a purely US established Data Controllers or Data Processors. In that case, the data subject would fall under the US regulation on personal data (PII in the US).

What about a US Company with an Establishment in the EU serving EU Customers?
Revisiting Article 3(1) below says yes should a company (or other organisation) have an establishment in the Union GDPR applies and Article 3(2) adds even if they had an establishment outside the Union but are processing or monitoring data subjects in the union takes place GDPR applies.
Article 3 (1) states: “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
Article 3 (2) states “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
2. the monitoring of their behaviour as far as their behaviour takes place within the Union.”

Focus on geography rather than citizenship
To conclude, it’s more appropriate not to look at citizenship when interpreting the GDPR but whether the processing of personal data takes place of data subjects “in the Union” at the time of the processing, whether the Data Controllers or Processors are established “in the Union”, and where the Data Controllers or Processors are established outside the union are they processing personal data of data subjects “in the Union”.
The territorial scope of GDPR is vast and indeed there are requirements on non-EU established Controllers and Processors to appoint a representative “in the Union” in some cases.