GDPR has been called “extra-territorial” in scope because it potentially reaches companies not domiciled in the EU. You may have noticed a barrage of Terms of Service updates from Google, Yahoo, Microsoft and other multinationals that are bringing their contracts into GDPR compliance.
Should a US or Canadian ag data platform — whose farmers are located only in North America — become GDPR compliant? Here are the questions you should ask to determine the answer.
Does the ag tech company have an established presence in the EU? This is known as the “establishment” test and means that GDPR may apply even though a company is located outside of the EU. An example is Google. Although Google is a US company, it maintains search sites that process data from EU member countries, and Google derives revenue from advertisements related to EU processed data. “Established” is a broader concept than “domiciled” and may apply even where a US or Canadian company has only small presence in an EU-member state (such as subsidiary or representative).
Does the ag tech company process data related to offering goods and services to data subjects in EU? What is important here is whether there is intent to draw EU customer's into a e-commerce website. If a company is actively targeting EU customers, I think it is safe to assume the GDPR would apply even if that company is located outside of an EU member state.
Does the ag tech company process data related to monitoring the behavior of natural persons in the EU? When answering this question, keep in mind that GDPR applies to identifying data collected from natural persons, not machines or livestock.
If your company answers “yes” to any of these three questions, the GDPR applies even if the company is located outside of the EU. Of course, you should consult an attorney to determine whether your specific situation requires GDPR compliance.