This question about applicable law is a perennial one.
Where marketers are ‘pushing’ their messages to specific individuals, the applicable law currently depends on the channel used.
In the offline world that prevailed when the current Data Protection Directive was drafted, the law of ‘origin’ was king, so postal approaches from a US company to a UK citizen did not need to carry opt-outs when collecting data. The key factor was where the data was processed, not where the data subjects lived. Outbound telemarketing calls also operated under the ‘origin’ principle.
Then came the E-Commerce Directive, which stated that in email marketing the laws of the country where the recipient resided must be applied. To add to the confusion, some European States extended this protection to corporate contacts and some did not.
But what about data personally entered on a US-hosted website by an EU citizen? Clearly, this is a transfer of personal data, but by whom? And can EU laws really apply to the processing of this data in the US?
In the famous Lindqvist case, the European Court of Justice held that there was no transfer of personal data when an individual loaded personal data onto an internet page, but that a transfer would take place when the data was actually accessed in a third country. This, of course, provides little comfort for US website owners, who would be unlikely to collect data and then not access it.
Opinions amongst privacy professionals range from a flat assertion that the Directive is triggered as soon as you collect data about EU residents to an argument that it is the individual who is actually transferring the data and, by doing so, consenting to processing under US law.
The new Regulation text currently states that it covers processing of data about EU citizens “whether the processing takes place in the Union or not” and asserts that it applies to non-EU-domiciled controllers and processors who are offering goods or services to EU citizens. Understandably, this possible stretch of EU jurisdiction to the US is not welcomed.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.