The General Data Protection Regulation
(GDPR) will create a global network of EU data protection,
sending a strong message that EU data must be protected around
the world. Non-EU firms using servers or relying on employees
in the EU for data handling, firms processing personal data to
offer goods or services to EU citizens and those monitoring
behaviour in the EU all must comply with GDPR. But the extent
of their obligations is unclear.
GDPR is by far the most comprehensive framework for data
protection and the widest, given its extraterritorial effect.
It remains to be seen how strict the EU will be in enforcing
the regulation but a case from four years ago offers some
clues. The so-called Google Spain decision determined that
Google’s data processing was subject to Spanish
law because it 'orientates its activity towards the inhabitants
of the member state,’ and activities of Google US
and Google Spain were 'inextricably linked’.