It can be confusing to consider what happens when Americans visit an E.U. country in relation to the European Union's General Data Protection Regulation (GDPR). Are they protected by the legislation?
They are, obviously, not E.U. citizens, but they are temporarily located in the E.U. 'European Union citizen' is a term often employed in discussing GDPR requirements, but what happens when a U.S. citizen visits the E.U.? Does GDPR apply to U.S. citizens living in the E.U.?
GDPR is not directly concerned with whether or not an individual is an EU citizen. Anyone who is based in or visiting an EU country is safeguarded by GDPR. If an American travelled to Germany, made a purchase in a store and was required to supply their name and address for an invoice, their personal data would need to be secured in line with GDPR obligations, and they would be given the same rights and freedoms under GDPR as all EU citizens.
GDPR grants certain rights and freedoms to individuals and places certain limits on what companies can do with the personal data of individuals living in the EU. It does not matter where the company is located or whether the business has an office in an EU country: GDPR rules apply if the business gathers or processes the personal data of an individual living in the EU.
At present there is no legislation that safeguards the privacy of all individuals in the United States, only specific groups of people. The Health Insurance Portability and Accountability Act (HIPAA) requires security measures to be established to secure the privacy of patients and health plan members, but only when linked to protected health information (PHI) and only if PHI is collected, stored, used, or sent by a HIPAA-covered entity.
For HIPAA-covered groups, compliance with GDPR will be simpler if they apply the same requirements used for safeguarding PHI to all individuals and all personal data. Taking such a consistent approach to data protection makes compliance with GDPR more straightforward.