One of the requirements under the new EU Regulation on Data Protection is that non-EU companies will have to obey the Regulation and all related EU data protection requirements. This is a significant change from the former position under EU law, whereby the applicability of data protection laws depended on the controller being established in the EU or, where the controller is situated in a third country, on the equipment used for processing being located in the EU. Under the new Regulation, however, companies targeting EU citizens, irrespective of their location, will have to respect EU data protection rules. This would apply in particular if the undertaking is offering goods or services to EU residents or monitoring the behaviour of EU residents. This means that non-EU undertakings will no longer be able to get round the rules by processing data outside the EU or by having a physical presence outside the EU. Non-EU companies targeting EU nationals will also have to make sure their processing activities comply with EU data protection laws, and will face the possibility of fines in default.
Camilleri Preziosi provides regular advice on the implications of the new data protection Regulation so that undertakings are compliant prior to the implementation of the Regulation, which is anticipated to be in force by 2016.
The latest draft of the Regulation can be found at: http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf