GDPR for US Companies: When and How It Applies

When GDPR applies to US companies under Art. 3(2), what compliance requires, and how EU authorities enforce against non-EU businesses. Practical steps included.

GDPR applies to US companies. This is not a theoretical possibility – it is an enforcement reality. Since 2020, European data protection authorities have imposed fines exceeding EUR 4 billion on US-headquartered companies, including Meta (EUR 1.2 billion, DPC, May 2023), Amazon (EUR 746 million, CNPD Luxembourg, July 2021), and Clearview AI (EUR 20 million, CNIL, October 2022). The regulation’s territorial scope under Art. 3(2) GDPR extends to any company that offers goods or services to individuals in the EU or monitors their behaviour, regardless of where the company is established. This article explains when GDPR applies to US companies, what compliance requires, and what happens when US businesses ignore it.

Key Takeaways

  • Art. 3(2) GDPR applies to US companies that offer goods or services to EU residents or monitor their behaviour, even without an EU establishment.
  • US companies subject to GDPR must appoint an EU representative under Art. 27 GDPR unless an exemption applies.
  • Enforcement against US companies is real and escalating – fines have been imposed on Meta, Clearview AI, TikTok, and others.
  • The EU-US Data Privacy Framework (DPF) addresses data transfers but does not exempt US companies from GDPR obligations.

When GDPR Applies to US Companies

The GDPR’s territorial scope is defined in Art. 3 GDPR. Two pathways bring US companies within its reach.

Art. 3(1): Establishment in the EU

If a US company has an office, subsidiary, or branch in the EU, the GDPR applies to all processing carried out “in the context of the activities of” that establishment. The CJEU has interpreted this broadly. In Google Spain (C-131/12, 13 May 2014), the Court held that Google Inc.'s Spanish advertising subsidiary was sufficient to trigger EU jurisdiction over the entire search engine’s data processing – even though the data processing occurred on US servers.

A US company with a sales office in Dublin, a marketing team in Berlin, or even a single employee in Paris likely has an establishment under Art. 3(1).

Art. 3(2): Targeting or monitoring EU individuals

Even without any EU presence, GDPR applies to US companies when their processing relates to:

(a) Offering goods or services to individuals in the EU. Recital 23 GDPR clarifies that mere accessibility of a website from the EU is not sufficient. But if the US company uses EU languages (other than English), EU currencies, mentions EU delivery, or targets advertising at EU audiences, it is offering goods or services within the meaning of Art. 3(2)(a).

(b) Monitoring the behaviour of individuals in the EU. If the US company tracks EU users via cookies, device fingerprinting, behavioural advertising, or location tracking, it falls under Art. 3(2)(b). Recital 24 GDPR specifically references internet tracking and profiling as examples of monitoring.

The EDPB Guidelines 3/2018 on territorial scope provide further criteria: accepting payments in euros, having a .eu or country-code domain, or referencing EU customers in marketing materials all indicate targeting.

For a deeper analysis of GDPR’s extraterritorial reach, see our guide on whether GDPR applies outside the EU.

The EU Representative Requirement Under Art. 27

US companies subject to GDPR under Art. 3(2) that do not have an establishment in the EU must designate a representative in the EU under Art. 27(1) GDPR. This representative acts as a contact point for supervisory authorities and data subjects.

Who qualifies as a representative? The representative must be a natural or legal person established in one of the EU member states where the data subjects whose data is processed are located. The representative can be an individual, a law firm, or a specialized compliance service.

What does the representative do? Under Art. 27(4), the representative can be addressed by supervisory authorities and data subjects on all issues related to processing. The representative does not absorb the controller’s liability, but their contact details must appear in the privacy notice alongside or instead of the controller’s address.

Exemptions. Art. 27(2) exempts: (a) processing that is occasional, does not include large-scale processing of special category data under Art. 9(1) or criminal offence data under Art. 10, and is unlikely to result in a risk to rights and freedoms; and (b) public authorities.

Penalties for non-designation. Failure to appoint an EU representative is itself an infringement under Art. 83(4)(a) GDPR, subject to fines of up to EUR 10 million or 2% of global annual turnover. The AEPD fined Equifax Iberica EUR 30,000 in Decision PS/00413/2020 (14 March 2021) partly for failing to designate a representative.

What Compliance Requires for US Companies

A US company within the GDPR’s scope faces the same obligations as an EU-based controller. There is no lighter regime for non-EU entities. Key requirements include:

1. Lawful basis for processing. Every processing activity must have a legal basis under Art. 6(1) GDPR. For US companies targeting EU consumers, consent under Art. 6(1)(a) and legitimate interest under Art. 6(1)(f) are the most common bases. Our guide covers the GDPR legitimate interest balancing test.

2. Transparency obligations. Art. 13 and Art. 14 GDPR require comprehensive privacy notices disclosing the identity of the controller, purposes, legal bases, retention periods, data subject rights, and the identity of the EU representative.

3. Data subject rights. US companies must respond to access requests (Art. 15), erasure requests (Art. 17), and other data subject rights within one month. The lack of a physical EU presence does not extend response deadlines.

4. Data processing agreements. When using EU-based processors or when EU personal data flows to US sub-processors, Art. 28(3) GDPR requires a data processing agreement meeting specific contractual requirements.

5. Data transfers. Transferring personal data from the EU to the US requires an adequate transfer mechanism. The EU-US Data Privacy Framework (DPF), adopted by the European Commission on 10 July 2023 (Adequacy Decision C(2023) 4745), provides one pathway for certified US organizations. Alternatively, Standard Contractual Clauses (SCCs) under Art. 46(2)(c) or Binding Corporate Rules under Art. 47 apply.

6. Breach notification. Art. 33 GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach. US companies must have a breach response process that meets this timeline, regardless of US state notification laws.

Enforcement Against US Companies

European DPAs have demonstrated willingness and ability to enforce against US companies.

Meta Platforms (DPC Ireland), Decision IN-21-7-3, 22 May 2023, EUR 1.2 billion. The DPC fined Meta for transferring EU user data to the US without adequate safeguards following the Schrems II decision. This remains the largest GDPR fine ever imposed.

Amazon Europe (CNPD Luxembourg), Decision 15/2021, 16 July 2021, EUR 746 million. The CNPD found Amazon’s advertising targeting system violated transparency and consent requirements under GDPR.

Clearview AI (CNIL), Deliberation SAN-2022-019, 20 October 2022, EUR 20 million. The CNIL fined Clearview AI, a US facial recognition company with no EU presence, for scraping facial images of EU residents without a legal basis. Clearview AI had no EU representative and did not respond to the CNIL’s investigation.

TikTok (DPC Ireland), Decision IN-22-10-2, 1 September 2023, EUR 345 million. The DPC fined TikTok for transparency failures and unlawful processing of children’s data across the EU.

Google LLC (CNIL), Deliberation SAN-2022-002, 6 January 2022, EUR 150 million. The CNIL found that Google’s cookie consent mechanism on google.fr and youtube.com did not allow users to refuse cookies as easily as accepting them.

These cases establish that US companies cannot avoid GDPR enforcement by lacking an EU presence. Supervisory authorities use mutual cooperation mechanisms under Art. 60-66 GDPR and, in the case of Clearview AI, simply issued the fine and made it public.

Practical Steps for US Companies

For US companies that need to comply with GDPR, the following steps provide a structured path:

  1. Assess applicability. Determine whether Art. 3(1) or Art. 3(2) applies by reviewing your customer base, website analytics, marketing materials, and tracking technologies for EU targeting or monitoring.

  2. Appoint an EU representative. If Art. 3(2) applies and no EU establishment exists, designate a representative under Art. 27 in a member state where your EU users are concentrated.

  3. Conduct a data mapping exercise. Identify all processing activities involving EU personal data. Document them in a record of processing activities as required by Art. 30.

  4. Establish transfer mechanisms. Self-certify under the EU-US Data Privacy Framework or implement SCCs with a Transfer Impact Assessment for all EU-to-US data flows.

  5. Update privacy notices. Ensure your privacy policy meets Art. 13 requirements, including disclosure of the EU representative, all legal bases, and data subject rights.

  6. Implement a breach response process. Build a 72-hour notification capability that accounts for time zone differences between US operations and EU supervisory authorities.

  7. Train your team. US employees handling EU data must understand GDPR obligations, which differ substantially from US privacy frameworks.

FAQ

Does GDPR apply to all US companies?

No. GDPR applies to US companies only when Art. 3(1) or Art. 3(2) is triggered. A US company that has no EU establishment, does not target EU individuals with goods or services, and does not monitor EU behaviour is outside the GDPR’s scope. However, the thresholds are low – a US SaaS company with EU customers paying in euros almost certainly falls within scope.

Can European DPAs actually enforce fines against US companies?

Yes. While cross-border enforcement of administrative fines faces practical challenges, European DPAs have multiple mechanisms: mutual legal assistance treaties, EU-US judicial cooperation agreements, and the practical reality that most US companies with EU exposure have EU assets, bank accounts, or subsidiaries that can be targeted. The Clearview AI case demonstrates that even companies that refuse to engage face published fines that affect their commercial reputation and ability to operate in the EU.

Does the EU-US Data Privacy Framework eliminate the need for GDPR compliance?

No. The DPF addresses the legality of data transfers from the EU to the US under Art. 45 GDPR. It does not exempt US companies from any other GDPR obligation – consent requirements, transparency, data subject rights, breach notification, and all other controller duties still apply in full. The DPF is a transfer mechanism, not a compliance exemption.

What is the cost of GDPR compliance for a mid-size US company?

For a US company with 50-200 employees and EU customers, initial GDPR compliance typically costs USD 50,000-150,000 including legal assessment, privacy notice updates, DPA review, and process implementation. Ongoing annual costs range from USD 25,000-75,000 for an external DPO or privacy counsel, transfer mechanism maintenance, and compliance monitoring. Our guide on GDPR compliance costs provides detailed breakdowns.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.