The phrase ‘European Union citizen’ can be misleading when discussing the General Data Protection Regulation (GDPR). It makes more sense to talk about people who are located within the EU. Under Article 3 of the GDPR, the regulation applies to the processing of personal data of individuals who are in the EU when a business or organisation with no EU establishment offers them goods or services or monitors their behaviour, and this applies to any such individual, regardless of nationality. (The GDPR also applies to any processing carried out in the context of an organisation established in the EU, wherever the individual happens to be.) What the GDPR does not do is follow EU citizens around the world: an EU citizen whose data is collected and processed outside the EU by an organisation with no EU establishment is not covered by it.
How does this Work?
Think about it this way: there are EU citizens living or travelling in countries across the globe. If they deal with a business or organisation in those countries that has no establishment in the EU, any personal data they provide is not covered by GDPR rules, because they are not located within the EU at the time. It is not the citizenship of the person that matters but where they are situated (and, for the organisation, whether it is established in the EU).
Another example helps to illustrate who the GDPR applies to. A US citizen is temporarily staying in France, an EU country. They make a purchase from a local store and provide personal information during the transaction. That personal information is covered by the GDPR because the person is located within the EU (and, in this case, because the store itself is established in the EU).
From these examples you can see that the personal data of an EU citizen residing in the US and dealing with a US business would be handled according to whatever US privacy laws apply and would not be subject to GDPR compliance, whereas the personal data of a US citizen residing in the EU would be subject to the GDPR.
Does it Matter where the Business or Organisation is Located?
For an organisation with no establishment in the EU, it is the location of the individual that determines whether GDPR rules apply. Any business or organisation that offers goods or services to, or monitors the behaviour of, people located within the EU must comply with the GDPR or face fines for non-compliance. (An organisation established in the EU is subject to the GDPR for all of its processing, regardless of where the individual is.) This can be a complex situation for a business or organisation located in a non-EU country that processes the personal data of both people who are in the EU and people who are not.
For instance, in the US there is no single comprehensive federal law governing the privacy of an individual. Instead, sector-specific laws such as the Health Insurance Portability and Accountability Act (HIPAA) protect data in certain areas.
In HIPAA’s case the area is medical information. Given that maintaining two separate processes and two sets of procedures would be costly and time consuming for US businesses and organisations, it makes sense for them to take a more holistic approach to data protection. By ensuring that all personal data is protected effectively, they will find it easier to comply with GDPR requirements and easier to implement and operate their processes and procedures. Whether US businesses will choose to do this remains to be seen. If they do, EU citizens based in the US may see the benefit of the GDPR even though they are not actually covered by it.