Have you ever wondered if the privacy rights you enjoyed in Europe will still protect you when you move to the US? Well, that is exactly what we are answering today. This blog offers authoritative legal insights, drawing on the text of GDPR, European Data Protection Board guidelines, and other seminal sources. So, does GDPR apply to EU citizens living in the US? Let’s find out.
Overview of GDPR’s jurisdiction
Let’s start with some of the most-asked questions related to GDPR’s protection for EU citizens.
- If I’m an EU citizen residing in the US, do I still enjoy the data protection rights guaranteed by the GDPR?
- When does a US-based business fall within the extraterritorial scope of the GDPR?
The answers require a nuanced understanding of the GDPR’s territorial reach, the concept of data subjects, and the specific conditions under which the regulation applies to activities such as online services, cookie consent, and cross-border data transfers. Let us now look into the specifics.
What are the key GDPR provisions for EU citizens abroad?
The GDPR’s extraterritorial application is one of its most debated aspects. Article 3 of the Regulation defines its territorial scope.
The GDPR protects the personal data of individuals who are in the EU, no matter where the business handling their data is located. It applies to organisations established in the EU (Article 3(1)) and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3(2)). Note the wording: "individuals in the Union", not EU citizens or EU residents.
However, it does not automatically protect EU citizens living outside the EU. Unless an EU-established business is processing their data, they are covered by the privacy laws of the country, or in the US the state, where they reside.
Feature | GDPR | US privacy laws |
---|---|---|
Scope | Applies to any organisation established in the EU, and to organisations outside the EU that target or monitor individuals in the EU, with no revenue or volume threshold | Vary by state and typically apply only above a threshold of business revenue or volume of consumer data processed |
Legal basis for processing | Requires a lawful basis (e.g., consent, contract, legitimate interest) for every processing activity | Typically allows data collection unless consumers opt out |
Consent requirements | Generally follows an opt-in consent model | Generally follows an opt-out consent model |
Data subject rights | Grants rights to information, access, rectification, erasure, data portability, objection and restriction of processing, plus rights in relation to automated decision-making | Grants the rights to know, delete, opt out, correct, and not be discriminated against for exercising those rights |
Data transfer restrictions | Restricts transfers outside the EU unless protection is ensured (e.g., adequacy decisions, SCCs) | No strict federal restrictions; some states impose data-sharing limits |
Enforcement | Enforced by national Data Protection Authorities (DPAs) | Enforced by state attorneys general and agencies such as the California Privacy Protection Agency (CPPA) |
Fines | Up to €20 million or 4% of worldwide annual turnover, whichever is higher | Civil penalties per violation, e.g. $2,500 to $7,500 per violation under the CCPA |
Recital 14 of the GDPR states that the protection it affords applies to natural persons whatever their nationality or place of residence. Read together with Article 3, this means that what matters is not the passport a person holds but whether they are in the EU when their data is processed, or whether the processing happens in the context of an EU establishment.
Businesses must therefore work out, through data mapping and risk assessments, which of their processing operations are caught by Article 3, and configure their cookie banners and consent flows accordingly.

Interpretation of “Data Subject” in a global context
One of the pivotal elements in GDPR compliance is the concept of the data subject. Article 4(1) defines personal data as any information relating to an identified or identifiable natural person (the data subject), that is, a person who can be identified, directly or indirectly, by an identifier such as a name or an identification number.
Whether the GDPR applies to a data subject does not generally depend on citizenship or place of residence. Under Article 3(2), the regulation protects any natural person who is physically present in the European Union when a business targets or monitors them. This includes US citizens holidaying at the Cliffs of Moher in Ireland.
Conversely, an EU citizen who has relocated to the US does not automatically keep GDPR protection. They retain it only where the processing takes place in the context of the activities of an EU establishment of the controller or processor (Article 3(1)).
Limitations and exclusions: What is not covered under GDPR
It is equally important to recognise the limits of GDPR’s jurisdiction. The regulation does not extend to:
- Purely personal or household activities: processing of personal data by an individual in the course of a purely personal or household activity is outside the scope of the GDPR (Article 2(2)(c)).
- Non-targeted data processing: If a US-based business incidentally processes data of EU residents without any intention of offering services or targeting individuals in the EU, GDPR obligations may not be triggered.
This demarcation ensures that businesses are not unduly burdened with heightened legal obligations when their operations do not intersect with the EU market.
Scenarios where GDPR applies to EU citizens in the US
#1 Online services and targeting EU residents
GDPR Article 3(1) clarifies that whenever a company is established in the EU, its data processing activities generally must comply with the GDPR—even if the data subject is physically outside the EU.
Once an EU citizen leaves the union, their personal data is not automatically protected under the GDPR solely on the basis of their citizenship. Instead, the laws of their current location, in the US typically state privacy laws, determine the applicable data protection rules.
But here is another scenario: if an EU citizen is travelling temporarily outside the EU and uses a service provided by an EU-established business, that business must still comply with the GDPR and keep the citizen's data protected. Why? Because the processing takes place in the context of an EU establishment (Article 3(1)), regardless of where the user happens to be at the time.
Example
A German social media company processes the personal data of a German user for analytics while she lives in the US. This still falls under the GDPR because the processing takes place "in the context of the activities" of an EU establishment (Germany); neither her citizenship nor her current location changes that.
#2 Cross-border data transfers and processing
Another significant scenario is the cross-border transfer of personal data. When personal data that is subject to the GDPR is sent from the EU to a US company, Chapter V of the regulation requires a transfer mechanism: an adequacy decision, Standard Contractual Clauses (SCCs) or another recognised safeguard. The obligation falls primarily on the EU exporter, but the US importer signs up to the SCC obligations and must honour them in practice, which is exactly what the Uber case discussed below turned on.
EU citizens in the US who buy online from an EU-based retailer (one that is clearly established in the EU or shipping from an EU location) may still have their purchase details covered by GDPR.
Example
Take the scenario of ordering from an Italian boutique that operates under an Italian business licence. The boutique's data processing is "in the context of" its EU establishment, so the GDPR governs how it handles the customer's order information, whether she is in Milan or Miami.
#3 Dual residency: Legal complexities
In today’s mobile world, many individuals maintain dual residencies or continued ties with the EU even after relocating to the US. In such instances, determining the applicable legal framework becomes complex.
Data controllers must carefully assess whether their data processing activities fall within the scope of EU regulations, particularly if the services are offered to individuals in the EU. This includes reviewing cookie consent data and overall data mapping practices. Failing to do so may expose businesses to regulatory scrutiny and substantial fines.
Similarly, if your website is operated by a business established in the EU, or it targets or monitors individuals in the EU regardless of where it is run, and it sets non-essential cookies, it must obtain valid consent before setting them. Hosting a site on EU servers does not by itself create an establishment; what matters is where the controller carries on its activities. Strictly speaking, the cookie consent requirement comes from the ePrivacy Directive as implemented in each Member State, but that consent has to meet the GDPR's standard: freely given, specific, informed and unambiguous.
Enforcement and legal remedies
Enforcement of GDPR is a serious matter. Data protection authorities in the EU have demonstrated a commitment to imposing significant fines for non-compliance.
Case study: Uber’s €290 million fine for GDPR violation
The Dutch Data Protection Authority (AP) fined Uber €290 million for failing to protect European taxi drivers' personal data when transferring it to the US. The company stored sensitive information, including account details, location data and even medical and criminal records, on US servers without the required safeguards. This went on for over two years: after the EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment), Uber neglected to put Standard Contractual Clauses (model contracts) or any other transfer mechanism in place.
The fine followed an investigation prompted by complaints from 170 French drivers, conducted in collaboration with European privacy regulators. While Uber has since taken corrective action, the AP considered the breach severe, reinforcing the need for stringent data protection in international transfers.
This highlights the real-world risks of non-compliance and the importance of proactive GDPR adherence for businesses handling EU user data.

EU-based companies must be able to demonstrate their compliance with the GDPR standards for data processing. Also, for US businesses targeting EU citizens, understanding the enforcement mechanisms—including potential fines, reputational damage, and legal challenges—is crucial.
A proactive approach to GDPR compliance, combined with comprehensive risk assessments and a commitment to data privacy law best practices, can provide a strong legal defence and enhance consumer trust.
Best practices for managing GDPR compliance in these cases
Though this blog focuses on how GDPR applies to EU citizens in the US, businesses seeking clarity also benefit from these guidelines. Below are recommendations drawn from both the GDPR’s extraterritorial scope and the EDPB’s interpretations.
For citizens
#1 Know where you (the data subject) stand
EU citizens living in the US should remember that your physical location typically determines GDPR applicability for “targeting” activities (Article 3(2)). If you are not in the EU, many services you engage with are unlikely to be caught by the GDPR unless they are run by an EU-based establishment.
#2 Understand establishments
If you are concerned about your data rights, check if the organisation has a real presence in an EU Member State. If so, they must generally follow GDPR, regardless of where customers live. This is particularly relevant if you still do business with companies in your EU home country.
#3 Exercise Your data subject rights with EU controllers
When an EU establishment processes your data, you typically retain GDPR rights such as access, rectification, erasure and objection, even while living in the US or another non-EU country. If the company does not respond, contact its Data Protection Officer (DPO) or, for a non-EU company caught by Article 3(2), its Article 27 representative in the EU. You also keep the right under Article 77 to lodge a complaint with a supervisory authority, for example the DPA of your former Member State of residence.
For businesses
#1 Evaluate “targeting” behaviour
Non-EU companies should carefully assess whether they intentionally target or monitor individuals in the EU. If yes, you may need to comply with the GDPR for that subset of data processing. The EDPB emphasises that mere website accessibility from Europe is not enough; there must be evidence of deliberate facilitation such as marketing strategies that address EU audiences.
#2 Designate an EU representative when required
Controllers or processors falling under Article 3(2) must usually appoint an EU representative. That representative serves as a local point of contact for data subjects and supervisory authorities. Check Article 27 to see if you meet the criteria or qualify for a narrow exemption.
#3 Data mapping and risk assessments
An essential first step is conducting comprehensive data mapping exercises. Identify where data flows originate, where they are processed, and whether they intersect with EU territories. Regular risk assessments enable businesses to detect vulnerabilities in their data processing activities and ensure that GDPR compliance measures are appropriately tailored, thus mitigating the risk of costly fines.
#4 Implementing robust consent mechanisms
Developing a robust consent framework is critical for GDPR compliance. This includes using cookie consent and consent management solutions to obtain consent that meets Article 4(11) and Article 7: freely given, specific, informed and unambiguous, given by a clear affirmative act (so no pre-ticked boxes and no consent inferred from scrolling or continued browsing), recorded so that you can demonstrate it, and as easy to withdraw as it was to give. Explicit consent is a higher bar that the GDPR reserves for special categories of data under Article 9.
By clearly communicating the purposes for which data is collected and processed—often through prominently displayed cookie banners and detailed privacy notices—businesses not only meet GDPR requirements but also build trust with their international audiences.
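The opt-in model described above, and the earlier point that non-essential cookies may only be set after consent, come down to a small piece of gating logic in the page. The following is an added illustration written for this article; it is not CookieYes code nor any CMP's implementation. The cookie names, the category registry, the policy version string and the in-memory cookie jar are all assumptions constructed so the example runs offline in Node; in a real page you would wrap document.cookie with the same set, get, remove and names methods.

```javascript
// Added example, not CookieYes code: an opt-in consent gate for browser
// cookies, runnable in Node. Strictly necessary cookies are always allowed;
// analytics and marketing cookies are only written after the visitor has
// actively opted in, and they are purged when consent is withdrawn.
// Cookie names, categories and the registry are constructed for this example.

const CATEGORIES = Object.freeze({
  NECESSARY: "necessary", // session, CSRF token, the consent record itself
  ANALYTICS: "analytics",
  MARKETING: "marketing",
});

// Every cookie the site may set, mapped to its category (assumed names).
const COOKIE_REGISTRY = Object.freeze({
  session_id: CATEGORIES.NECESSARY,
  csrf_token: CATEGORIES.NECESSARY,
  cookie_consent: CATEGORIES.NECESSARY,
  _ga: CATEGORIES.ANALYTICS,
  ad_id: CATEGORIES.MARKETING,
});

// Minimal cookie store so the gate runs outside a browser. In a page you
// would wrap document.cookie with the same four methods.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  get(name) { return this.store.get(name); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentGate {
  // model: "opt-in" (GDPR: nothing non-essential until the user agrees) or
  // "opt-out" (the default many US state laws allow: everything until objection).
  constructor(jar, model = "opt-in", policyVersion = "2024-01") {
    if (model !== "opt-in" && model !== "opt-out") throw new Error(`unknown model: ${model}`);
    this.jar = jar;
    this.model = model;
    this.policyVersion = policyVersion;
    this.granted = new Set([CATEGORIES.NECESSARY]);
    if (model === "opt-out") {
      this.granted.add(CATEGORIES.ANALYTICS);
      this.granted.add(CATEGORIES.MARKETING);
    }
  }

  // Record an affirmative choice (Article 7(1): the controller must be able to
  // demonstrate consent). Categories not in the list are treated as refused
  // or withdrawn, and their cookies are removed (Article 7(3)).
  recordChoice(categories, now = new Date()) {
    for (const c of categories) {
      if (!Object.values(CATEGORIES).includes(c)) throw new Error(`unknown category: ${c}`);
    }
    this.granted = new Set([CATEGORIES.NECESSARY, ...categories]);
    for (const name of this.jar.names()) {
      const cat = COOKIE_REGISTRY[name];
      if (cat !== undefined && !this.granted.has(cat)) this.jar.remove(name);
    }
    this.jar.set("cookie_consent", JSON.stringify({
      granted: [...this.granted].filter((c) => c !== CATEGORIES.NECESSARY),
      policyVersion: this.policyVersion,
      timestamp: now.toISOString(),
    }));
  }

  // Returns true if the cookie was written, false if consent for its category
  // is missing. Unregistered cookies are refused outright: if you cannot
  // classify a cookie, you cannot show it was consented to.
  setCookie(name, value) {
    const cat = COOKIE_REGISTRY[name];
    if (cat === undefined) throw new Error(`unregistered cookie: ${name}`);
    if (!this.granted.has(cat)) return false;
    this.jar.set(name, value);
    return true;
  }

  isGranted(category) { return this.granted.has(category); }
}

// Walk a visitor through the opt-in flow and return what ended up in the jar.
function demoOptIn() {
  const jar = new MemoryCookieJar();
  const gate = new ConsentGate(jar, "opt-in");
  const results = {
    sessionBeforeChoice: gate.setCookie("session_id", "s1"),     // true
    analyticsBeforeChoice: gate.setCookie("_ga", "GA1.x"),       // false
  };
  gate.recordChoice([CATEGORIES.ANALYTICS]);                     // user ticks analytics only
  results.analyticsAfterChoice = gate.setCookie("_ga", "GA1.x"); // true
  results.marketingAfterChoice = gate.setCookie("ad_id", "a1");  // false
  gate.recordChoice([]);                                         // user withdraws
  results.analyticsAfterWithdrawal = jar.get("_ga");             // undefined
  results.consentRecord = JSON.parse(jar.get("cookie_consent"));
  return results;
}
```

Two design choices are worth noting. The consent record is itself stored as a strictly necessary cookie, with the policy version and timestamp, because Article 7(1) puts the burden of demonstrating consent on the controller; a banner that sets nothing persistent cannot meet that. And the same class, constructed with "opt-out", gives the US-style default described in the comparison table above, which makes the difference between the two regimes a one-word configuration rather than two code paths.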
#5 Regular audits and employee training
Data compliance is an ongoing process. Regular internal audits and periodic employee training programmes help ensure that GDPR policies are adhered to across all levels of the organisation. These measures, coupled with the use of data mapping and risk assessment tools, provide a robust defence against potential breaches and demonstrate a commitment to data protection.
#6 Clear privacy policy and transparency
Transparency is a hallmark of GDPR compliance. Businesses must provide a clear and concise privacy policy that informs how personal data is collected, used, and shared. This openness not only meets regulatory expectations but also reinforces consumer confidence in an organisation’s commitment to data protection, especially when cookie consent and data processing practices are in full view.
#7 Collaboration with legal experts and technology providers
Given the evolving nature of data protection laws, collaboration with specialised legal experts and technology providers is indispensable.
Leveraging expertise in both legal interpretation and compliance technology—such as cookie consent management platforms offered by CookieYes—helps businesses stay ahead of regulatory changes. This proactive stance ensures that their data processing activities remain within the ambit of GDPR while achieving global compliance.
FAQ on GDPR’s application to EU citizens living in the US
Does the GDPR apply to EU citizens living in the US?
No. GDPR protection is based on where you are and on who processes your data, not on citizenship. If you are physically outside the EU, the GDPR generally does not apply unless:
- Your data is processed by a company based in the EU.
- The data processing is conducted “in the context of an EU establishment” (e.g., an EU-based retailer or service provider handling your data).
- Your data is being transferred from the EU to the US and falls under GDPR’s cross-border transfer rules.
Can I still exercise my GDPR rights while living in the US?
Your rights under the GDPR do not automatically follow you abroad. However, you may still be able to exercise them if:
- Your data was collected while you were in the EU.
- The company processing your data has an establishment in the EU.
- Otherwise, you must rely on US state privacy laws (e.g., CCPA for California residents) or company privacy policies.
What should US businesses do to comply?
US businesses must comply with the GDPR if they offer goods or services to, or monitor the behaviour of, individuals in the EU, or if they process personal data in the context of an EU establishment. Key compliance steps include:
- Conducting data mapping to track personal data flows.
- Putting Standard Contractual Clauses (SCCs) or another Chapter V mechanism in place for data transferred out of the EU.
- Appointing an EU representative if required under Article 27.
- Using a consent management platform (e.g., CookieYes) to obtain and record valid consent before setting non-essential cookies.
- Providing a clear privacy policy.