Where does the GDPR apply? European Data Protection Board finally weighs in

By Ariane Mole, Ruth Boardman, Gabriel Voisin, Gabe Maldoff

11-2018

At long last, the European Data Protection Board ("EDPB") draft guidelines on the territorial scope of the General Data Protection Regulation 2016/679 ("GDPR") are here. Some highlights follow. Should you like to respond to the public consultation or discuss this further, just let us know.

Reminder: The GDPR can apply to an organisation in one of two ways: either (1) because the organisation is established in the EU (or in another place where EU law applies, e.g. embassies) and processes personal data "in the context of" that establishment, or (2) for organisations not established in the EU, because they offer goods or services to, or monitor the behaviour of, individuals in the EU.

The highlights are:

1. The EDPB confirms an expansive view of when an organisation will be considered to be "established"

2. The EDPB offers tentative limits to the extraterritorial application of GDPR

3. EU-based processors must comply with GDPR, even if the controller is not subject – but how are they going to address data transfer restrictions?

4. Incorporation matters, choose the flag for your vessel carefully and other anomalies

5. EU representatives can't also be processors of controllers, are exposed to liability and see their role possibly extended


1. The EDPB confirms an expansive view of when an organisation will be considered to be "established"

To determine whether the GDPR applies because of an organisation's establishment, the EDPB offers a two-part test: first, assess if the organisation is established; second, determine whether personal data is processed in the context of the establishment. The guidelines suggest that organisations should read both requirements broadly.

a) The threshold for an establishment is "quite low" – the presence of a single employee or agent could be enough

Recital 22 of the GDPR explains that "establishment implies the effective and real exercise of activities through stable arrangements". The guidelines explain that "both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be considered".

This is a highly fact-specific inquiry, which requires an organisation to consider the nature of its contact and presence in the EU. As explained in Recital 22, "the legal form of such arrangements, whether through a branch or subsidiary with a legal personality, is not the determining factor".

The guidelines align with the definition of establishment the Court of Justice of the EU ("CJEU") offered in the Weltimmo case, where it found that even a "minimal" activity could be enough. However, that case was very fact-specific: it concerned a small company (essentially a one-person operation) whose owner lived in Hungary and which was principally designed to serve the Hungarian market, but happened to be incorporated elsewhere.

The guidelines extend this principle further for online organisations, finding that "the threshold for 'stable arrangement' can be quite low when the centre of activities of a controller concerns the provision of services online". In some cases, the presence of a single employee or agent who "acts with a sufficient degree of stability" may be enough.

b) Revenue raising by the EU presence could be enough, but the mere accessibility of a website is not

For Article 3(1) to apply, the processing must be "in the context of the activities of an establishment" in the EU – but that establishment does not itself need to be involved in the processing. The guidelines confirm that this test is met where "there is an inextricable link between the activities of an EU establishment and the processing of data carried out by a non-EU controller". One factor to consider is whether the EU establishment is involved in revenue-raising activities on behalf of the non-EU entity.

The EDPB offers the example of a Chinese e-commerce website with an office in Berlin running commercial prospecting and marketing campaigns aimed at EU markets. Because the Berlin office helps make the e-commerce activity profitable in the EU, the EDPB states that this would be sufficient to consider the Chinese company to be processing personal data in the context of its German establishment.

Footnote 16 offers the most direct statement: "any foreign operator with a sales office or some other presence in the EU, even if that office has no role in the actual data processing" could be subject to GDPR. Here, again, the guidelines reflect a broad reading of the case law. In the CJEU Google Spain case, Google's sales subsidiary in Spain caused its US search business to be treated as established in the EU, but one could have read the holding more narrowly, because the Spanish subsidiary sold the parent's advertising products targeted at the Spanish market.

By contrast, the guidelines clarify that the mere accessibility of a website does not amount to an establishment in the EU. This also mirrors case law – VKI v Amazon – which previously found that a website is not an establishment. The EDPB provides the example of a hotel chain that targets EU consumers but has no presence in the EU: the correct analysis there is under Article 3(2) (the extraterritorial provisions), not Article 3(1).

c) The GDPR applies to processing activities – it may be the case that only some of an organisation's activities are caught

The guidelines confirm that the fact that an organisation is considered "established" for one activity does not render all of its activities subject to GDPR. International organisations must therefore consider their activities on a case-by-case basis. The guidelines provide the example of a US-headquartered car manufacturer with a fully-owned branch in Belgium overseeing marketing. The Belgian branch could render some of the US company's customer-facing activities subject to GDPR, but that does not mean that GDPR applies to the company's US employee data.

2. The EDPB offers tentative limits to the extraterritorial application of GDPR

The GDPR applies to organisations not established in the EU where they process personal data related to (a) the offering of goods or services in the EU or (b) the monitoring of behaviour that takes place in the EU.

a) Offering means offering – and look for signs of intent

An important question prior to the release of the guidelines was whether "offering" goods and services was meant to include "providing" services too – or whether only the intention at the time of the offer was relevant.

The guidelines clarify that "the requirement that the data subject be located in the Union must be assessed at the moment of offering goods or services or the moment when the behaviour is monitored, regardless of the duration of the offer made or the monitoring undertaken".

This means that an organisation that does not intend to offer a service in the EU, but whose service happens to be accessible from the EU, will not be subject to GDPR on that basis alone. For example, an organisation intending to offer an app in the US will not be subject to GDPR merely because some of its US customers access the app while travelling through Europe.

In order for the GDPR to apply, there must be signs of "targeting". Relevant factors include:

  • References to the EU or a Member State in promotional material;
  • Paying a search engine to facilitate access to a website in the EU or launching a marketing campaign directed at an EU audience;
  • The international nature of the activity, such as tourism-related activities;
  • Providing local phone numbers or addresses in association with a product or service;
  • Using top-level domain names that refer to the EU or a Member State (e.g. ".eu" or ".de");
  • Providing travel instructions from a Member State;
  • Mentioning international clientele or providing customer testimonials in promotional material, in particular where the customers are based in the EU;
  • Using an EU language or currency; and
  • Offering delivery services in the EU.

The guidelines do not state that any or all of these factors must be present for GDPR to apply, but rather that these are the sorts of indicators data protection authorities will look at when deciding if there is a sufficient intention to target individuals in the EU.

A useful example is that of the Swiss University in Zurich, which is open to any students with sufficient knowledge of English or German. In that case, the GDPR will not apply because "there is no distinction or specification for students from the Union in the application or selection process". However, the Swiss University's summer course in international relations, which is specifically advertised to German and Austrian universities, will trigger the application of the GDPR to any related processing activities.

b) Monitoring requires a purpose

In contrast to offering goods and services, the monitoring prong of Article 3(2) does not specifically require any indication of intent. Nonetheless, the guidelines state that "the use of the word 'monitoring' implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual's behaviour within the EU".

The "key consideration" for identifying monitoring is the presence of "any subsequent behavioural analysis or profiling techniques". Profiling, as defined by GDPR, requires automated processing and the evaluation of "personal aspects relating to a natural person", such as predicting health, personal preferences, economic situation, work performance or location or movements.

In other words, the passive collection over time of personal data concerning an individual's behaviour in the EU is not enough to constitute monitoring – there must be an evaluative purpose. The guidance provides a list of examples, which include:

  • Behavioural advertising and geolocalisation of content (particularly for advertising);
  • Online tracking through cookies and device fingerprinting;
  • An online personalised diet and health analytics service;
  • CCTV;
  • Market surveys and other behavioural studies based on individual profiles; and
  • Monitoring or regular reporting on an individual's health status.

While the EDPB states that monitoring does not have to happen only online (wearable technologies and other smart devices, for example, are expressly called out), it is notable that most of the examples it provides are examples of online tracking. Other common use cases, such as anti-money-laundering checks, email monitoring in the employment context and fraud prevention, are not referenced. It remains to be seen whether the list will be expanded in the final version of the guidelines.

3. EU-based processors must comply with GDPR, even if the controller is not subject – but how are they going to address data transfer restrictions?

One of the odd cases organisations have encountered in their implementation of GDPR is what to do in a situation where a controller not subject to GDPR engages a processor based in the EU. As the requirement to put in place a data processing agreement seemingly applies to both the controller and processor, is the processor required to insist on providing contractual protections the controller neither needs nor wants?

In short, yes. The guidelines clarify that where a processor is subject to GDPR, it must comply with all provisions applicable to it, including the need to put in place Article 28-compliant agreements (minus the obligations relating to assisting the data controller in complying with the controller's own obligations under the GDPR), even if the controller is not subject to GDPR. This is consistent with the GDPR guidance on processor obligations published by certain national data protection authorities (e.g. the CNIL, the ICO and the Irish DPC). At the same time, the EDPB guidelines confirm that the mere fact of engaging a processor in the EU does not render the controller subject to GDPR. This should reassure controllers that they can conclude such agreements without increasing their own legal exposure.

In addition to mandatory contracts, the guidelines state that EU-based processors must also comply with the GDPR's processor obligations such as restrictions on transfers. But how the processor is meant to comply is unclear:

  • First, is there a requirement to have a transfer mechanism in place between the controller and the EU processor if the processor sends data back to the controller? The result would seem anomalous because (a) no standard contractual clauses ("SCCs") currently exist for transfers from EU-based processors to non-EU controllers and (b) we normally think of controllers as the ones who initiate a transfer, since they decide the purposes and means of processing. It may therefore be that this is not a transfer from the EU at all, but rather the return leg of a transfer to the EU, which is not restricted. Clarification from the EDPB would be welcome.
  • Second, even if the EDPB only means to address downstream transfers (i.e. from the EU processor to a non-EU sub-processor), SCCs would still be a clumsy tool. The European Commission's previous attempts to draft processor-to-processor clauses have foundered, but the need may be all the more urgent now that the transfer provisions apply directly to EU-based processors.

4. Incorporation matters, choose the flag for your vessel carefully and other anomalies

Under the establishment criterion, the GDPR is not restricted to the processing of personal data of individuals who are in the Union. Instead, the GDPR applies to EU-based organisations collecting personal data of natural persons whatever their nationality or place of residence. The EDPB confirms this clearly with the example of a French company running a car-sharing application addressed exclusively to customers in Morocco, Algeria and Tunisia. The service is only available in those three countries, but all personal data processing activities are carried out by the data controller in France. In this case, even though the processing relates to personal data of app users who are not in the EU, the provisions of the GDPR will apply to the processing carried out by the French company. This could tempt certain EU-based organisations that operate only in non-EEA markets to reconsider their choice of country of incorporation.

The GDPR also applies to organisations established in a place where EU or Member State law applies by virtue of public international law, such as embassies and consulates. According to the guidelines, a cruise ship flying a German flag (because of its incorporation) will also be subject to GDPR while in international waters. A similar parallel could be drawn with aircraft.

5. EU representatives can't also be processors of controllers, are exposed to liability and see their role possibly extended

a) EU representatives can't also be processors of non-EU controllers

Given the possible conflict of obligation and interests in cases of enforcement proceedings, the guidelines state that a processor cannot also serve as a representative for the controller.

This could affect EU processors that offer representative services alongside processing personal data on behalf of non-EU controllers, such as clinical trial providers that simultaneously offer representative services to non-EU sponsors.

b) Representative liability – clarification urgently needed

Recital 80 suggests that a representative could be held liable on behalf of the foreign controller or processor. This would seem to defy general legal principles that one can only be liable for one's own acts or omissions – and given that recitals are not binding, many have wondered whether data protection authorities would assert the power to enforce against representatives.

The guidelines state that representatives could be held liable, but the scope of such liability is far from clear. In the final sentence of the guidelines, without further explanation, the EDPB states that "it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable".

Clearly representatives can be held liable for a failure to perform their own duties. But is this meant to also grant data protection authorities the ability to impose fines on representatives on behalf of the controller or processor? We hope the EDPB will make its position clear when it publishes the final guidelines. The risk of fines of up to 4% of annual worldwide turnover or €20 million could make it difficult to find someone willing to serve in the role.

c) The EDPB extends the EU representative role beyond the requirements of the GDPR

The guidelines offer further detail on other aspects of the role of representatives:

  • The representative role is not compatible with the role of an external DPO, as this would give rise to a conflict of interest.
  • While the representative could be an organisation and not necessarily a person, the guidelines recommend having a lead person serving in the role.
  • The representative needs to be named in privacy notices, but not specifically notified to data protection authorities.
  • The representative must be located in a Member State where data subjects are present, and should, as a matter of best practice, be located where the highest concentration of data subjects can be found.
  • The representative must facilitate communication between the controller/processor and data subjects or data protection authorities. To do so, the EDPB states that "communication must take place in the language or languages used by the supervisory authorities or data subjects concerned".
  • The guidelines state that maintaining a record of processing is a "joint obligation" on the controller/processor and the representative.

Some of these requirements appear to extend beyond the text of Article 27 and will prove onerous for many organisations – particularly if liability concerns make it difficult to find qualified candidates. However, the guidelines also suggest that the parties can collaborate in fulfilling the responsibilities. Having a detailed agreement delegating certain tasks back to the controller or processor could be one way to meet the criteria above without needing to construct a significant EU presence.