Companies outside the European Union now have some much-needed guidance on the territorial scope of the EU’s General Data Protection Regulation to determine whether they are directly subject to the GDPR’s stringent data-privacy protection requirements.
On Nov. 23, 2018, the European Data Protection Board (EDPB)—the European Commission body tasked with ensuring that the GDPR is applied consistently across the EU—released the first official guidance on how the GDPR will be applied in practice. Although still in draft form, the guidelines provide important insight on how the regulation applies to companies and activities outside the European Union.
Since taking effect in May 2018, the GDPR has left many companies flummoxed. “The GDPR’s territorial scope of application has become one of the most difficult issues to pin down,” Eduardo Ustaran, a partner in the global Privacy and Cybersecurity practice of Hogan Lovells, wrote in a blog post. “Therefore, the publication of the European Data Protection Board’s draft guidelines on the territorial scope of the GDPR marks an important milestone in understanding the implications of this influential framework.”
Much of the 23-page draft guidance addresses the two main criteria under Article 3: the “establishment” criterion and the “targeting” criterion. The draft guidelines further provide practical examples under each criterion, but the EDPB recommends that companies carefully analyze their own specific circumstances on a case-by-case basis.
Key points of the guidance are summarized below:
Under Article 3(1) of the GDPR, the establishment criterion, the regulation applies to the processing of personal data “in the context of the activities of an establishment” of a controller or processor in the European Union, regardless of whether the processing itself takes place in the European Union. In determining whether the processing of personal data falls within the scope of Article 3(1), the EDPB recommends a threefold approach:
Consideration 1: An establishment in the Union. To determine whether an entity based outside the European Union has an establishment in an EU member state, the EDPB references Recital 22 of the GDPR, which clarifies that an establishment “implies the effective and real exercise of activities through stable arrangements.” Note that the threshold for a “stable arrangement” can be quite low: In some circumstances, the presence of just one employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability, the guidance states.
The EDPB offers an example of a car manufacturing company with U.S. headquarters that has a fully owned branch and office located in Brussels overseeing all its operations in Europe, including marketing and advertisement. The Belgian branch can be considered a stable arrangement and, therefore, could be considered an establishment in the European Union within the meaning of the GDPR.
Consideration 2: Processing of personal data carried out “in the context of the activities of” an establishment. Where the activities of an EU establishment are “inextricably linked” to the processing of data carried out by the non-EU controller—whether the EU establishment plays a role in that data processing or not—the GDPR will apply, the guidance states.
The guidance also states that revenue-generation by a local EU establishment may be indicative of processing by a non-EU controller or processor being carried out “in the context of the activities of the EU establishment” if such activities are “inextricably linked” to the processing of personal data taking place outside the European Union and individuals in the European Union.
In practice, non-EU organizations should assess their processing activities, the EDPB recommends, “first by determining whether personal data are being processed, and secondly by identifying potential links between the activity for which the data is being processed and the activities of any presence of the organization in the Union.”
Consideration 3: Application of the GDPR to the establishment of a controller or a processor in the European Union. The EDPB clarifies in the guidance that “it is the presence, through an establishment, of a data controller or processor in the EU and the fact that a processing takes place in the context of the activities of this establishment that trigger the application of the GDPR to its processing activities. The place of processing is, therefore, not relevant in determining whether or not the processing, carried out in the context of the activities of an EU establishment, falls within the scope of the GDPR.”
The EDPB further stated that, in determining the territorial scope of the GDPR, geographical location is important under Article 3(1) with regard to the place of establishment of the controller or processor itself and to whether a non-EU controller or processor has a business presence in the European Union. Geographical location is not important for the purposes of Article 3(1) with regard to the place in which processing is carried out or to the location of the data subjects in question.
The second part of the draft guidelines addresses Article 3(2) of GDPR, the targeting criterion. Article 3(2) provides that the GDPR applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the EU, “where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union.”
The guidance states that application of the “targeting criterion” toward data subjects in the European Union can be triggered by two distinct and alternative types of activities carried out by a controller or processor not established in the European Union. In assessing the conditions for the application of the criteria, the EDPB recommends a twofold approach:
Consideration 1: Data subjects in the European Union. The location of the data subject determines whether Article 3(2) should be applied (not their nationality, place of residence, or legal status). The data subject’s location should be assessed at the moment the relevant “trigger activity” takes place (i.e., the moment goods or services are offered or the moment when the behavior is monitored), the guidance states.
Consideration 2: Offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the European Union. The primary way to determine whether the targeting criterion is met is to assess whether the conduct of the controller or processor indicates its intention to offer goods or services to a data subject in the European Union (i.e., whether the offer is directed at a person in the European Union). “Processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, as long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behavior in the Union,” the guidance states.
For Article 3(2)(b) to trigger application of the GDPR, the behavior monitored must first relate to a data subject in the European Union and, as a cumulative criterion, the monitored behavior must take place within the territory of the European Union. The EDPB references Recital 24, which addresses the monitoring of behavior through the tracking of a person on the internet.
According to the guidance, the following activities could constitute monitoring:
- Behavioral advertising;
- Geo-localization activities, particularly for marketing purposes;
- Online tracking using cookies or other tracking techniques such as fingerprinting;
- Personalized diet and health analytics services online;
- Market surveys and other behavioral studies based on individual profiles; and
- Monitoring or regular reporting on an individual’s health status.
The final section of the guidelines emphasizes that both data controllers and processors subject to Article 3(2) of the GDPR should designate a representative in the European Union. A controller or processor not established in the European Union that is subject to the GDPR and fails to designate a representative would be in breach of the regulation.
In practice, the guidance states, the function of the representative can be exercised based on a service contract concluded with an individual or organization—such as law firms, consultancies, and private companies—provided that such entities are established in the European Union. One representative can also act on behalf of several non-EU controllers and processors. The EDPB further recommends that a single individual be assigned as a lead contact and person “in charge” for each controller or processor represented.
Overall, the guidelines signal that the long arm of the GDPR extends far beyond the European Union and that any company that thinks it is exempt based on earlier readings of the regulation should carefully review this latest guidance and make its concerns known. The comment period on the draft guidelines closes Jan. 18, 2019.