New guidelines on the territorial scope of the GDPR

The GDPR has created new obligations for non-European businesses in certain circumstances. Since the Regulations were first published there has been uncertainty in relation to the full extent of the territorial scope of the GDPR itself.

That uncertainty has continued after the GDPR’s implementation, but finally, in November 2018, the European Data Protection Board (the EDPB) published new guidelines on the territorial scope of the GDPR.

The GDPR recognises that in today’s business world data flows know no geographic boundaries and are truly worldwide; and whilst the old rules did try to deal with such matters, Article 3 of the GDPR intends to create a framework of comprehensive protection of data subjects’ rights and to establish a level playing field for businesses to operate in.

So, how does the GDPR determine its territorial extent? Or, to put it another way, when might the GDPR apply to your business despite it not being based in the EU?

Article 3 sets out that the GDPR will apply in three separate sets of circumstances:

  1. Where the organisation has an establishment in the EU
  2. Where the organisation offers goods or services to, or monitors the behaviour of, data subjects in the EU
  3. Where Member State law applies by virtue of public international law

For the purposes of this article, let us look at each of these circumstances.


  1. Where the organisation has an establishment in the EU

This is not as straightforward as it may first appear, and there has been much discussion around what is meant by the term “establishment” and how it is to be applied for the purposes of the GDPR.

The EDPB guidance provides that, if there is an inextricable link between the activities of an establishment within the EU and the activities of a data controller or processor[1] established outside the EU, the GDPR may be applicable, even if the establishment is not involved in data processing.

So how can we determine whether an entity based outside the Union has an establishment in a Member State?

We have to ask the question: can there be a determination of any effective and real exercise of activities through stable arrangements in the EU?

This is not simply about determining whether there is a branch or a subsidiary with legal personality in the EU; it goes much further than this: is there real and effective activity being exercised through those “stable arrangements”? For example, does the non-EU based entity employ an agent who operates in the EU on a regular basis? If so, this would likely be sufficient to establish a stable arrangement, with the agent falling within the definition of an “establishment” in the EU.

Simply having a website that is accessible in the EU will not of itself result in a non-EU business being deemed to have an establishment in the EU; more will be required to meet the threshold of “an effective and real exercise of activities through stable arrangements”.

The key aspects of this principle that your organisation should be aware of are as follows:

  • a non-EU organisation will not be deemed to have an establishment within the EU merely due to its website being accessible by individuals within the EU;
  • the mere existence of a non-EU organisation’s presence in the EU is not enough to bring the organisation within the scope of the GDPR;
  • where a controller is established in the EU, the GDPR will not necessarily be applicable to the controller’s processor who is not established in the EU (and vice-versa); and
  • although the notion of “establishment” is wide, it is not indefinite. The applicability of the GDPR should be considered on a case-by-case basis.


  2. Where the organisation offers goods or services to, or monitors the behaviour of, data subjects in the EU

Targeting by offering goods and services

The EDPB has now clarified that, to come within the scope of the GDPR, the “offer of goods or services must be directed at a person in the Union”. This means that the organisation must clearly intend to engage in business with those within the EU and direct their activities to the EU market.

Whether this test is met must be considered on a case-by-case basis and the following considerations may be of assistance:

  • whether there is any reference to the European Union or a Member State;
  • whether the organisation pays a search engine operator in order to direct their marketing to those within EU Member States;
  • whether a language of an EU Member State is used; and
  • whether the currency of one or more Member States is used.

It is important to note that the GDPR is only applicable where data subjects who are in the Union are targeted. The EDPB clarifies that this criterion is not determined by citizenship, residency or any other type of legal status: if data subjects are in the EU, the GDPR is applicable.

Targeting by monitoring behaviour

The EDPB has offered some clarification in terms of whether the activities of organisations will be deemed to constitute “monitoring”. “Monitoring” takes place where:

  • the behaviour being monitored relates to a data subject in the EU; and
  • the monitoring occurs within the EU.

The EDPB suggests that the organisation must have a pre-determined purpose for the gathering and reuse of the data. Mere collection and analysis does not suffice; the organisation’s purpose must be ascertained.

The EDPB also considers the scope of “monitoring” and states that this concept includes behavioural advertising, CCTV usage, online tracking and the use of market surveys, among other activities.


  3. Where Member State law applies by virtue of public international law

The GDPR applies to the processing of personal data by an organisation not established in the EU where that processing occurs in a territory in which Member State law is applicable under the rules of public international law. An example of this situation is a Member State’s diplomatic mission or consular post, to which the GDPR would apply.

The EDPB offers an illustrative example of the operation of this rule in practice: where a German-registered cruise ship which processes guest data sails in international waters, it is subject to the GDPR. Since the ship is registered in Germany, the rules of public international law mean that the GDPR is applicable, despite the fact that the processing is taking place outwith the EU, in international waters.

Whilst it is clear that the territorial scope of European data protection law has been extended by the GDPR, you do need to consider the individual facts and circumstances to establish whether that territorial scope is engaged.

Should you have any difficulty in establishing whether you are impacted by the territorial scope of the GDPR, our team are here to help.


[1] NB: “controller” means “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. A “processor” is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
