Do companies based in Europe have to comply with US privacy laws?
Asked by: Prof. Laverna Schaden MD | Last update: May 31, 2026 | Score: 4.9/5 (56 votes)
Yes. A European company must comply with a US privacy law whenever that law's own applicability test is met, typically because the company does business in a US state, offers goods or services to that state's residents, or otherwise handles their personal data. This mirrors the way US companies must follow the GDPR for individuals in the EU. Which regime applies is driven by where the data subjects are and what the company offers them, not by where the company is headquartered. Transfers of personal data from the EU to the US rely on a recognised transfer mechanism such as the EU-U.S. Data Privacy Framework (DPF), and processing data of residents of a US state with its own privacy statute (California's CCPA/CPRA, for example) means meeting that statute's requirements as well.
Do companies in Europe have to comply with US privacy laws?
Where the company collecting the data is located does not determine which law applies. An EU company must comply with a US privacy law if it meets that law's applicability criteria, for example by doing business in a state, exceeding that state's revenue or data-volume thresholds, and processing the personal data of its residents.
Does GDPR apply to US-based companies?
GDPR's extraterritorial reach means that U.S. businesses are not exempt from its requirements. If your company processes personal data of individuals who are in the EU (their citizenship is irrelevant), whether by offering them goods or services, employing EU-based staff, or monitoring their online behavior, your organization is subject to GDPR.
What is the difference between EU and US privacy laws?
Key Differences Between GDPR and U.S. Data Privacy Laws. The regulatory approaches to data privacy in the EU and the U.S. diverge considerably, with the EU adopting a comprehensive framework through the GDPR, while the U.S. relies on a patchwork of sector-specific and state-level laws.
Which companies need to comply with EU data protection rules?
- a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
- a company established outside the EU that is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.
Is GDPR mandatory in Europe?
The GDPR applies to any organization that processes the personal data of individuals in the EU, and the UK GDPR applies in the same way to individuals in the UK, regardless of where the organization is located. This means that even if your organization is based outside the EU/UK, you will still need to comply if you offer goods or services to, or monitor the behaviour of, people there. The test is where the data subject is, not their citizenship.
Which countries require GDPR compliance?
The GDPR applies in all 27 EU member states and, through the EEA Agreement, in Iceland, Liechtenstein and Norway. The EU countries covered include:
- Austria.
- Belgium.
- Bulgaria.
- Croatia.
- Cyprus.
- Czech Republic.
- Denmark.
- Estonia.
What privacy laws we must comply with only exist in Europe?
General Data Protection Regulation (GDPR) is designed to protect Personal Information of individuals residing in the European Union (EU). If you have customers in any EU country, you must comply with the GDPR.
What are the 7 rules of GDPR?
The 7 principles of GDPR are: Lawfulness, Fairness, and Transparency (process data legally and openly); Purpose Limitation (use data only for stated reasons); Data Minimisation (collect only necessary data); Accuracy (keep data correct); Storage Limitation (don't keep data forever); Integrity and Confidentiality (secure the data); and Accountability (prove compliance). These form the core rules for handling personal data ethically and legally under the EU's General Data Protection Regulation.
What has replaced the EU-U.S. Privacy Shield?
The DPF is the successor to the EU-U.S. Privacy Shield (the Privacy Shield), which was declared invalid in 2020 by the CJEU following litigation by privacy advocate Maximilian Schrems, acting through not-for-profit NOYB (none of your business), in the landmark case Schrems II.
Which organisations are exempt from GDPR?
The main exemption from the GDPR's territorial scope concerns companies established outside the EU. For such a company, the GDPR does not apply if its processing involves neither offering goods or services to individuals in the EU nor monitoring the behavior of individuals who are in the EU (Article 3(2)). A non-EU company that has a branch or other establishment in the EU does not benefit from this exemption for processing carried out in the context of that establishment.
What is the closest law to GDPR in the USA?
The US equivalent of the GDPR is the CCPA or California Consumer Privacy Act. It was inspired by the GDPR, and both laws protect the personal data of consumers.
Can European data be stored in the US?
On 10 July 2023 the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. On the basis of that decision, personal data can flow freely from the EU to companies in the United States that have self-certified under the Data Privacy Framework. Transfers to US companies that are not DPF-certified still need another transfer tool under Chapter V of the GDPR, such as Standard Contractual Clauses, together with a transfer impact assessment.
Do foreign companies have to follow US laws?
Your company must comply with the US federal and state laws that apply to selling its products and/or services into the United States, including any privacy law whose scope it falls within.
Does GDPR apply to EU companies processing US data?
Yes. Under Article 3(1), the GDPR applies to any processing carried out in the context of the activities of an establishment in the EU, regardless of whether the processing itself takes place in the EU and regardless of where the data subjects are or what nationality they hold. An EU-based company therefore has to apply the GDPR to the US customer data it processes. The regulation also reaches organizations with no EU establishment when they offer goods or services to, or monitor, people in the EU (Article 3(2)), which is what is usually meant by its "extra-territorial effect."
Is there a difference between GDPR and EU GDPR?
Legal Framework: "GDPR" and "EU GDPR" refer to the same instrument, Regulation (EU) 2016/679, which applies in all EU member states. The UK GDPR is the version retained in UK law after Brexit and applies in the United Kingdom alongside the Data Protection Act 2018. A company that processes data of people in both the EU and the UK must comply with both regimes, which can diverge over time.
What are the six lawful bases of GDPR?
Article 6 of the General Data Protection Regulation (GDPR) sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.
What are the exemptions to GDPR?
Key GDPR exemptions relate to: archiving, scientific or historical research and statistics (Article 89); journalism and academic, artistic or literary expression (Article 85); purely personal or household activities (Article 2(2)(c)); law enforcement and crime prevention; and national and public security. Even where an exemption applies, organizations must generally still uphold the core GDPR principles.
How does GDPR differ from other privacy laws?
The GDPR also sets strict rules for how consent must be collected: it must be freely given, specific, informed and unambiguous (Article 4(11)), and it must be as easy to withdraw as to give (Article 7). Those requirements, together with EDPB guidance on "dark patterns," rule out designs that nudge the user toward agreeing, such as making the "accept" button far more prominent than "reject." Most U.S. privacy laws do not require an opt-in consent banner; they generally work on an opt-out model (for example, a "Do Not Sell or Share My Personal Information" link under the CCPA), although several state laws do require opt-in consent for sensitive data.
Which countries are not GDPR compliant?
The following European countries are outside the EU and EEA and so are not bound by the GDPR (most have their own data protection laws, several modelled on the GDPR, and the GDPR still reaches companies there that target people in the EU):
- Albania.
- Belarus.
- Bosnia and Herzegovina.
- Kosovo.
- Moldova.
- Montenegro.
- North Macedonia.
What is the new privacy law in Europe?
GDPR (Regulation (EU) 2016/679) is comprehensive privacy legislation that applies across sectors and to companies of all sizes. It has applied since 25 May 2018 and replaced the Data Protection Directive 95/46/EC. The overall objectives are the same: laying down the rules for the protection of personal data and for the free movement of such data.
What is the difference between GDPR and CCPA?
GDPR requires a company to have a lawful basis (Article 6) before it processes personal data; CCPA has no equivalent requirement. GDPR applies to any organization within its territorial scope, with no revenue threshold. CCPA applies only to for-profit businesses doing business in California that meet at least one of its thresholds: annual gross revenue above $25 million (adjusted periodically for inflation); buying, selling or sharing the personal information of 100,000 or more California consumers or households; or deriving 50 percent or more of annual revenue from selling or sharing personal information.
Does the USA have to comply with the GDPR?
Are US companies subject to GDPR? Yes, the GDPR can apply to businesses in the US or any business outside the European Union. As per Article 3 of the GDPR, the territorial scope of the GDPR applies to businesses regardless of whether the processing takes place in the European Economic Area (EEA).
Which country has the most strict privacy laws?
Switzerland. Switzerland has guaranteed its citizens the right to privacy under its constitution and enacted regulations.
What is GDPR compliance in Europe?
GDPR compliance refers to adhering to the regulations set forth in the General Data Protection Regulation (GDPR). The GDPR is a legal framework established by the European Union to ensure the privacy and protection of personal data.