Does GDPR Apply to EU Citizens Living in the US?


The term ‘European Union citizen’ is often used when explaining General Data Protection Regulation (GDPR) requirements, but what happens when an EU citizen leaves the EU? Does GDPR apply to EU citizens living in the US or in other non-EU countries? Does GDPR apply when EU citizens vacation in non-EU countries?

What happens when Americans visit an EU country? They are clearly not EU citizens, but they are temporarily located in the EU. How does GDPR apply to US citizens living in an EU country, or visiting on vacation or for business?

Does GDPR Apply to EU Citizens Living in the US?

Use of the phrase "European Union citizen" is not helpful when dealing with GDPR, because GDPR is not concerned with citizenship; it is concerned with where a person is located. The term "EU resident", or "a person located in the EU", is more useful.

GDPR requires that the personal data of an individual residing in an EU country be subject to certain safeguards, and that the individual's data rights and freedoms be protected. When an individual leaves an EU country and travels to a non-EU country, they are no longer protected by GDPR.

If an EU citizen travelled to the United States and interacted with an EU business that required the collection of their personal data, their data rights and freedoms would be dictated by US federal and state laws. GDPR would not apply.

Does GDPR Apply to US Citizens Living in an EU Country?

GDPR is not concerned with whether or not an individual is an EU citizen. Anyone located in an EU country is protected by GDPR. If an American travelled to Germany, walked into a store, made a purchase, and was required to provide their name and address for an invoice, their personal information would need to be protected in line with GDPR requirements, and they would be given the same rights and freedoms under GDPR as an EU citizen.

Does it Matter Where a Business Is Located?

GDPR applies to individuals and gives them certain rights and freedoms. It places certain restrictions on what businesses can do with the personal data of individuals residing in the EU. It does not matter where the business is located, or whether the business has a base in an EU country: GDPR rules apply if the business collects or processes the personal data of an individual residing in the EU.

Unfortunately, there is no law that protects the privacy of all individuals in the United States, only specific groups of individuals. The Health Insurance Portability and Accountability Act (HIPAA) requires safeguards to be implemented to protect the privacy of patients and health plan members, but only in relation to protected health information (PHI) and only if PHI is collected, stored, used, or transmitted by a HIPAA-covered entity.

For HIPAA-covered entities, compliance with GDPR will be more straightforward if they apply the same requirements for safeguarding PHI to all individuals and all personal data. Taking a more holistic approach to data protection makes compliance with GDPR easier.

If that approach is taken, then it is likely that EU citizens residing in the US will be given the same protections as those living in an EU country.

Author: HIPAA Journal
