Are EU Citizens Residing in the US Protected by GDPR?

Responsibilities of GDPR Data Controllers and Data Processors

The General Data Protection Regulation (GDPR) generally applies to European Union citizens living in the EU. But how does the GDPR apply when an EU citizen leaves his country and lives in the US or another non-EU country? What if an EU citizen goes on vacation in a non-EU country? A related question is what happens if a non-EU citizen temporarily resides in the EU: how will the GDPR apply to a US citizen visiting the EU for business, pleasure or education? Let’s look at each situation and see how the regulation applies.

EU Citizens Residing in the US

The GDPR is actually not concerned with citizenship. What matters is whether a person is located or residing in the EU. If a person is residing in an EU country, his personal data is protected by the GDPR. If a person with EU citizenship leaves the EU, he is no longer covered by the GDPR. Even if he travels to the US, for example, and interacts with an EU business that collects his personal data, the GDPR would not apply, but US federal and state laws would.

US Citizens Residing in an EU Country

The personal data of anyone who is located in an EU country is protected by GDPR. An American who goes to Germany, for example, and provides his personal data to a business for some reason, would get the same GDPR protection as an EU citizen.

Is the Location of the Business Important?

The GDPR imposes requirements on businesses to protect the personal data of people residing in the EU. So, it is not important if the business is physically located in an EU country. If a business collects or processes the personal data of a person residing in the EU, it must follow the GDPR rules.

For EU citizens who have come to live in the United States, there is no specific law that protects personal data privacy. The Health Insurance Portability and Accountability Act (HIPAA) only protects the health information of patients and health plan members when it is collected, stored or transmitted by a HIPAA covered entity. One option for covered entities seeking GDPR compliance is to apply the same requirements and level of protection to all PHI as the GDPR requires for personal data. With this approach, EU citizens living in the US get the same personal data protection as those living in the EU.