The term ‘European Union citizen’ is often referenced when trying to describe General Data Protection Regulation (GDPR) legal obligations, but what happens when an EU citizen leaves the EU? Does GDPR apply to EU citizens living abroad?
Using the term European Union citizen is not helpful when trying to describe GDPR because GDPR is not focused on citizenship; instead, it relates to where a person is located. The term EU resident, or a person based in the EU, is more pertinent.
GDPR requires the personal data of an individual living in an EU Member State to be governed using certain safeguards, and their data rights and freedoms must be secured. When an individual leaves an EU country and goes to a non-EU country, they are no longer safeguarded by GDPR.
If an EU citizen went to the United States and interacted with an EU firm which required the collection of their personal data, their data rights and freedoms would be governed by US federal and state laws. GDPR would not be applicable.
GDPR applies to people and grants them specific rights and freedoms. GDPR places certain limits on what businesses can do with the personal data of individuals living in the EU. It does not matter where the firm is physically based or whether the business has a base in an EU country. GDPR rules apply if the business collects or processes the personal data of an individual based in the EU.
Sadly, to date there is no law that protects the privacy of all people in the United States, only certain groups of individuals. The Health Insurance Portability and Accountability Act (HIPAA) requires safeguards to be used to protect the privacy of patients and health plan subscribers, but only in relation to protected health information (PHI) and only if PHI is collected, stored, used, or transmitted by a HIPAA-covered entity.
For HIPAA-covered entities, compliance with GDPR will be simpler if they apply the same requirements for securing PHI to all individuals and all personal data. Using a more holistic approach to data protection makes compliance with GDPR much simpler.
If that approach is adopted, then it is probable that EU citizens residing in the US will be given the same safeguards as those living in an EU country.