Employee benefit plans in the US hold a significant amount of private data on participants and beneficiaries, and, given the global nature of business, some of those participants may be located in the European Union (“EU”). As a result, concerns have arisen about the possible application of the EU General Data Privacy Regulation (“GDPR”) to US benefit plans, and specifically whether the territorial scope limitations of the Regulation might provide some relief to such plans. Complicating matters, some establishments in the EU have been asking US entities to enter into contractual clauses regarding compliance with GDPR that may or may not be applicable depending on GDPR’s territorial scope. We have previously written about GDPR and US plans here: https://www.groom.com/resources/chaotic-rollout-for-european-data-privacy-regulations-raises-questions-for-benefit-plan-administrators/
Generally, the territorial scope provisions of GDPR indicate that the processing of personal data of data subjects who are in the EU by a data controller or a processor not established in the EU should be subject to GDPR where the processing activities are related to offering goods or services to such data subjects, irrespective of whether they are connected to a payment. Recitals under GDPR go on to indicate some factors for determining whether goods or services are offered to EU data subjects, but the provision of employee benefits is not clearly addressed.
We now understand that guidance on the territorial scope of GDPR is on the agenda of the European Data Protection Board (“EDPB”), the Brussels-based body established under the GDPR to work towards the consistent application of the EU data protection rules.
Indications are that guidelines are currently being drafted, and the subject will be on the agenda for the third plenary session of the EDPB to be held in late September 2018. If past practices are followed, the agenda will be published shortly before the meeting, and draft guidelines may then be promulgated.
Entities interested in the application of GDPR to benefit plans outside the EU would be advised to watch these developments closely.
If you have any questions about how GDPR may apply to your benefit plans, please contact your regular Groom lawyer, or David Powell or Kevin Walsh.