In fact, the main reason for a non-EU business to look at the GDPR is the extension of the regulation's territorial scope. To know whether, as a non-EU based business, you need to be GDPR compliant, Article 3 of the regulation gives you three main questions to answer:
1. Is your company established in the EU?
2. Is your non-EU established organisation offering goods or services to data subjects who are in the Union?
3. Is your non-EU established organisation monitoring the behaviour of data subjects who are in the Union?
For more details, you may read the (ISC)² blog post on these questions.
You can also join us at Secure Summit Mena in Dubai to discuss your and other members’ experiences in implementing these requirements.
The Court of Justice of the EU has provided the criteria to be used to determine whether an activity is directed towards a Member State of the EU:
The following matters, the list of which is not exhaustive, are capable of constituting evidence from which it may be concluded that the trader’s activity is directed to the Member State of the consumer’s domicile, namely the international nature of the activity, mention of itineraries from other Member States for going to the place where the trader is established, use of a language or a currency other than the language or currency generally used in the Member State in which the trader is established with the possibility of making and confirming the reservation in that other language, mention of telephone numbers with an international code, outlay of expenditure on an internet referencing service in order to facilitate access to the trader’s site or that of its intermediary by consumers domiciled in other Member States, use of a top-level domain name other than that of the Member State in which the trader is established, and mention of an international clientele composed of customers domiciled in various Member States. It is for the national courts to ascertain whether such evidence exists.
I would like to know if there is a real chance of any company outside the EU actually being fined for non-compliance, especially those companies that do not have legal representation or an office in the EU.
Will the EU have any powers to impose fines on companies in Japan, Australia or U.S.? For those countries, EU fines would actually mean transferring money from their economies into the EU economy.
I am pretty certain that the U.S. will find any way possible to stall implementation, first through political pressure, then through economic countermeasures, and finally by passing legislation that will actually ban the enforcement of the GDPR.
Enforcing sanctions of such big proportion in another country's jurisdiction would actually be a precedent.
You probably have not heard of the Foreign Account Tax Compliance Act (FATCA), under which the US enforces sanctions on organisations based outside the US, e.g. in the EU, for not complying with the Act. Perhaps the GDPR has turned the tide with this development.
As of this moment, there is also the Privacy Shield, enforced by the Federal Trade Commission (FTC), under which US-based organisations processing data about individuals in the EU demonstrate that they adhere to EU data protection practices.
Once the 25 May 2018 enforcement date is upon us, it is highly likely that the Privacy Shield will align with GDPR expectations too. Enforcement can come in two ways for organisations in Japan, Australia or the US if they continue to process data about individuals in the EU:
Hope this helps.
The title should read "Why non-EU based businesses WILL be affected by the EU GDPR".
It is very difficult to find a business that does not have a supply chain dependency on Europe somewhere.
So you will be affected.