On 15 November 2019, the European Data Protection Board ('EDPB') published its finalized Guidelines on the Territorial Scope of the GDPR.
The revisions to the Guidelines - highlighted in bold below - followed a period of open public consultation which ran until 18 January 2019.
The GDPR applies to:
- European Economic Area (‘EEA’) established organizations (pursuant to Article 3(1) GDPR); and
- on a long-arm, extraterritorial basis to organizations which are not established in the EEA but which offer goods or services to, or monitor the behaviour of, individuals in the EEA (pursuant to Article 3(2) GDPR).
These principles, while clear on paper, are not always easy to apply in practice, and the finalization of the EDPB’s guidance will be welcomed by those grappling with this.
The key updates introduced to the guidelines include:
- The EDPB emphasises that Article 3 GDPR is designed to determine whether a specific processing activity - rather than an entity - falls within the scope of GDPR. The EDPB therefore stresses that while some of an organisation’s processing activities may be caught by the GDPR, other processing activities may not be.
- Where a controller’s activities fall within Article 3(1) GDPR, this processing will not fall outside the scope of the GDPR simply because the controller instructs a processor in a non-EEA jurisdiction. The place of processing is not relevant in determining whether or not processing carried out ‘in the context of the activities of an EU establishment’ falls within the scope of the GDPR.
- The EDPB reiterates through a number of examples that for the offer of goods or services under Article 3(2) GDPR to apply, the provision of services must intentionally target individuals in the EEA: inadvertent or incidental provision of services to an individual who happens to be in the EEA is not enough.
- Where a data processor is not established in the EEA, only the processing which is related to the activities of the controller in targeting data subjects in the EEA will fall within the scope of the GDPR under Article 3(2). However, the bar for this is low. To take an example, according to the EDPB, if a controller caught by the ‘targeting’ criterion under Article 3(2) GDPR procures a non-EEA based data processor to host this data, then the processing activity by the non-EEA based processor also falls within Article 3(2).
- It is not clear from the GDPR whether non-EEA organisations that offer goods and services to data subjects because of their role working for a business in the EEA, as opposed to those that offer goods and services to consumers, fall within the scope of Article 3(2)(a). The revised EDPB Guidelines, unhelpfully, still offer no clarity on this point.
- The EDPB provides welcome clarity on the liability of EEA representatives. The GDPR does not, according to the EDPB, establish substitutive liability for representatives: EEA representatives can only be held directly liable for their direct obligations under the GDPR (i.e. Article 30 and Article 58(1) GDPR) and not for the wider obligations of the data controller or data processor.
Interaction with International Transfer:
- The EDPB notes that it is continuing to assess the interplay between the territorial scope rules of the GDPR and the provisions on international transfer, and further guidance may be issued on this front in the future.
1. The EDPB confirms an expansive view of when an organisation will be considered to be 'established'
To determine whether the GDPR applies because of an organisation's establishment, the EDPB offers a three-part test:
- first, assess if the organisation is established;
- second, determine whether personal data is processed in the context of the establishment; and
- third, recognise that the GDPR applies to such processing regardless of whether the processing takes place in the EEA.
a) The threshold for an establishment is ‘quite low’ - the presence of a single employee or agent could suffice
Recital 22 of the GDPR explains that ‘establishment implies the effective and real exercise of activities through stable arrangements’. The guidelines explain that this represents a departure from ‘a formalistic approach whereby undertakings are established solely in the place where they are registered’; instead, ‘both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be considered’.
This is a fact-specific inquiry, which requires an organisation to consider the nature of its contact and presence in the EEA. As explained in Recital 22 GDPR, ‘the legal form of such arrangements, whether through a branch or subsidiary with a legal personality, is not the determining factor’.
The guidelines from the EDPB are in line with the ruling of the Court of Justice of the European Union (‘CJEU’) in the Weltimmo case, where the CJEU confirmed that establishment is a ‘broad’ and ‘flexible’ phrase that should not depend on legal form. An organisation may be established where it exercises ‘through stable arrangements in the territory of that member state, a real and effective activity even a minimal one’. The presence of a single representative may be sufficient to constitute an establishment. In that case, Weltimmo was considered to be established in Hungary notwithstanding that it was incorporated in Slovakia.
The EDPB guidelines extend this principle further for online organisations, finding that ‘the threshold for 'stable arrangement' can be quite low when the centre of activities of a controller concerns the provision of services online’. In some cases, ‘the presence of a single employee or agent [that] acts with a sufficient degree of stability’ will suffice.
However, the EDPB clarifies in its updated guidelines that the ‘mere presence’ of an employee in the EEA may not be enough for the processing to fall within the scope of the GDPR: the processing must also be carried out in the context of the activities of this employee. The EDPB gives the example of an employee within the EEA where the processing relates to activities of the controller outside the EEA as circumstances in which the presence of the EEA employee alone is not enough for the processing to satisfy Article 3(1) GDPR.
b) Revenue raising by the EEA presence could be enough, but the mere accessibility of a website is not
For an organisation to be considered established in the EEA, the processing must be ‘in the context of the activities of an establishment’ in the EEA - but that establishment does not need to be involved in the processing. The guidelines confirm that this test is met where ‘there is an inextricable link between the activities of an EU establishment and the processing of data carried out by a non-EU controller’. One factor to consider is whether the EEA establishment is involved in revenue raising activities on behalf of the non-EEA entity.
The EDPB gives what is a common example in practice: a non-EEA based company, such as a Chinese e-commerce website, with an office in Berlin running commercial prospection and marketing campaigns towards EEA markets. Because the Berlin office helps make the e-commerce activity profitable in the EEA, the EDPB states that this would be sufficient to consider the Chinese company to be processing personal data in the context of its German establishment as far as the EU related sales are concerned.
As the EDPB summarises: ‘any foreign operator with a sales office or some other presence in the EU, even if that office has no role in the actual data processing’ could be subject to the GDPR. Here, again, the guidelines reflect a broad view of the case law. In the CJEU Google Spain case, which concerned a request from a Spanish citizen requiring Google not to display certain information that related to him in response to a search against his name, it was found that the activities of Google Spain in promoting and selling advertising space in Spain on behalf of Google Inc. were sufficient to satisfy Article 4(1)(a) of the Directive (i.e. the pre-GDPR legislation). This was the case notwithstanding that Google Spain SL was not itself involved with the functionalities of the search engine and, thus, the actual processing of the data. The CJEU held there was sufficient connection between the activities of Google Spain SL and the search engine’s data processing activities that:
‘… the activities … in [Spain] … are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine … economically profitable and that engine is, at the same time, the means enabling those activities to be performed’.
Building on these provisions, the EDPB notes that ‘if a case by case analysis on the facts shows that there is an inextricable link between the processing of personal data carried out by a non-EU controller or processor and the activities of an EU establishment, EU law will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in that processing of data.’
By contrast, the guidelines clarify, in line with case law such as VKI v Amazon, that the accessibility of a website is not enough alone to constitute an establishment in the EEA.
The EDPB provides the example of a South African hotel chain that targets EEA consumers through its website (which is available in English, German, French and Spanish), but has no presence in the EEA. The correct analysis in this case would be the application of the GDPR under Article 3(2) (the extraterritorial provisions), not Article 3(1), as the mere availability of the website to a European audience is not enough to constitute an establishment under the GDPR.
c) The GDPR applies to processing activities - it may be the case that only some of an organisation's activities are caught
The guidelines confirm that the fact that an organisation may be considered ‘established’ for one activity does not render all of its activities subject to the GDPR. Therefore, international organisations must consider their activities on a case-by-case basis.
The guidelines provide the example of a US headquartered car manufacturer with a fully-owned branch in Belgium overseeing marketing. The company's Belgian branch could render some of the US company's customer-facing activities to be subject to the GDPR, but that will not mean that the GDPR applies to US employee data.
2. The EDPB offers tentative limits to the extraterritorial application of GDPR
The GDPR applies to organisations - both controllers and processors - not established in the EEA where they process personal data related to (a) the offering of goods or services in the EEA or (b) the monitoring of behaviour that takes place in the EEA.
a) Offering requires intention
An important question prior to the release of the initial guidelines was whether ‘offering’ goods and services was meant to include ‘providing’ services too - or whether only the intention at the time of the offer was relevant.
Importantly, the guidelines clarify - correcting what can be a common misconception in practice - that the territorial application of the GDPR is not predicated on the ‘nationality or legal status of a data subject’.
The EDPB gives the example of a bank in Taiwan with customers that live in Taiwan but hold German citizenship. The bank’s processing of personal data of their German customers is not subject to the GDPR as the bank only operates in Taiwan and is not targeting the EEA market.
The guidelines clarify that ‘the requirement that the data subject be located in the Union must be assessed at the moment of offering goods or services or the moment when the behaviour is monitored, regardless of the duration of the offer made or the monitoring undertaken’.
This means that an organisation that does not intend to offer a service in the EEA, but which might be accessible in the EEA, will not be subject to GDPR. The revised EDPB guidance includes a number of examples to illustrate this point:
For example, an Australian company that offers mobile news and video content exclusively to users in Australia, and whose subscribers must give an Australian phone number when subscribing, will not be caught by the extra-territorial provisions of the GDPR merely because one of its Australian subscribers travels to Germany on holiday and continues using the service.
On the employment front, the EDPB gives the example of a US company without any EEA establishment processing personal data of their employees while on a temporary business trip to France for the purposes of reimbursing the employees’ expenses. In this situation, while the processing activity is specifically connected to persons in the EEA, it does not relate to an offer of services and is therefore not subject to the provisions of the GDPR.
Accordingly, in order for the GDPR to apply, there must be signs of ‘targeting’. Relevant factors include:
- References to the EEA or a Member State in promotional material;
- Paying a search engine to facilitate access to a website in the EEA or launching a marketing campaign directed at an EEA audience;
- The international nature of the activity, such as tourism-related activities;
- Providing local phone numbers or addresses in association with a product or service;
- Using top-level domain names that refer to the EEA or a Member State (e.g. ‘.eu’ or ‘.de’);
- Providing travel instructions from a Member State;
- Mentioning international clientele or providing customer testimonials in promotional material, in particular where the customers are based in the EEA;
- Using an EEA language or currency; and
- Offering delivery services in the EEA.
The guidelines do not state that any or all of these factors must be present for the GDPR to apply, but rather that these are the sorts of indicators data protection authorities will look at when deciding if there is a sufficient intention to target individuals in the EEA.
To illustrate the point, the EDPB gives the example of a Swiss university in Zurich offering a master's programme, which is open to any students with good knowledge of English or German. The GDPR will not apply to this offer because ‘there is no distinction or specification for students from the Union in the application or selection process’. However, the Swiss university's summer course in international relations, which is specifically advertised to German and Austrian universities, will trigger the application of the GDPR to any related processing activities.
b) Monitoring requires a purpose
In contrast to offering goods and services, the ‘monitoring’ limb of Article 3(2)(b) in the GDPR does not ‘expressly’ require indication of intent. Nonetheless, the guidelines state that ‘the use of the word 'monitoring' implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual's behaviour within the EU’.
The EDPB gives the example of an app developer in Canada with no EEA presence but who monitors the behaviour of data subjects in the EEA and is, therefore, caught by Article 3(2)(b) GDPR.
The ‘key consideration’ for identifying monitoring is the presence of ‘any subsequent behavioural analysis or profiling techniques’. Profiling, as defined by the GDPR, requires automated processing and the evaluation of ‘personal aspects relating to a natural person’, such as predicting health, personal preferences, economic situation, work performance or location or movements.
In other words, the passive collection over time of personal data concerning an individual's behaviour in the EEA is not enough to constitute monitoring: there must be an evaluative purpose. The guidance provides a list of examples, which include:
- Behavioural advertising and geolocalisation of content (particularly for advertising purposes);
- Online tracking through cookies and device fingerprinting;
- An online personalised diet and health analytics service;
- Market surveys and other behavioural studies based on individual profiles; and
- Monitoring or regular reporting on an individual's health status.
While the EDPB states that monitoring is not exclusive to the online world, it is interesting that most of the examples the EDPB provides are examples of online tracking. Other common use cases we see in practice, such as anti-money laundering checks, email monitoring in the employment context and fraud prevention, are not referenced.
c) Processors not established in the EEA
Where the processor is not established in the EEA, for its processing to be caught by Article 3(2) GDPR, the processing must be related to the targeting activities of the controller. In cases where the controller's processing activities relate to the offering of goods or services or to the monitoring of data subjects' behaviour in the EEA, the EDPB ‘considers that…any processor instructed to carry out that processing activity on behalf of the controller will fall within the scope of Article 3(2)’.
The EDPB gives the example, among others, of a US company that has developed a health and lifestyle app that is made available to data subjects in the EEA. The US controller carries out the processing and uses a US cloud provider for data storage. The processing by the controller falls within the scope of the GDPR under Article 3(2) as the controller is targeting individuals in the EEA. According to the EDPB, it follows that the cloud provider processing the personal data on behalf of the controller is carrying out a processing activity relating to the targeting of individuals in the EEA. Therefore this processing activity by the non-EEA based processor will also fall within the scope of Article 3(2).
d) Interaction with other legislation
Controllers or processors not established in the EEA will be required to comply with their own third country national laws in relation to the processing of personal data. However, where such processing relates to the targeting of individuals in the EEA, as per Article 3(2) GDPR, these organisations will, in addition to being subject to their country’s national law, be required to comply with the GDPR.
3. EEA-based processors must comply with GDPR, even if the controller is not subject – but how are they going to address data transfer restrictions?
One of the anomalies organisations have encountered in their implementation of the GDPR is what to do in a situation where a controller not subject to the GDPR engages a processor based in the EEA. Given the requirement to put in place a data processing agreement seemingly applies to both the controller and processor, is the processor required to insist on providing contractual protections which the controller may not need or want?
The guidelines clarify that where a processor is subject to the GDPR, it must comply with all provisions applicable to it, including the need to put in place Article 28 compliant agreements (save for the obligations relating to providing GDPR assistance to the data controller). This is consistent with guidance from other data protection authorities (notably that of the CNIL, ICO and Irish DPC).
The EDPB guidelines also importantly confirm that the mere act of engaging a processor in the EEA will not render the controller also subject to the GDPR.
In addition to mandatory contracts, the guidance states that EEA-based processors must also comply with the GDPR's processor obligations such as restrictions on transfers. But how the processor is meant to comply is unclear. Is there a requirement to have a transfer mechanism in place between the controller and EEA-processor if the processor transfers data back to the controller?
Such a result would be unusual because (a) no standard contractual clauses (‘SCCs’) currently exist for transfers from EEA-based processors to non-EEA-based controllers and (b) we normally think of controllers as being the party which initiates the transfer, since the controller decides the purposes and means of the processing. Thus, it may be that this is not a transfer from the EEA but rather just a transfer to the EEA - which is not restricted. Alternatively, the EDPB may only intend to address downstream transfers here (i.e. from the EEA processor to non-EEA subprocessors). However, the issue is unclear and further clarification from the EDPB on this question would have been welcome in the revised guidelines.
More generally, the EDPB notes that it will assess the interplay between the territorial scope and the international transfer provisions of the GDPR and further guidance may be issued on this front in the future. The interplay to be considered here may relate to the theory of the so called ‘GDPR bubble’ i.e. the extent to which a data importer in a third country, that is itself already caught by the territorial scope of the GDPR, is still required to observe an adequacy mechanism under Chapter V GDPR when receiving personal data from an EEA controller.
4. The GDPR is not restricted to individuals in the EEA.
The GDPR is not restricted to the processing of personal data of individuals who are in the EEA. Instead, the GDPR applies to EEA based organisations collecting personal data of natural persons whatever their nationality or place of residence.
This is clearly confirmed by the EDPB with the example of a French company running a car-sharing application exclusively addressed to customers in Morocco, Algeria and Tunisia. The service is only available in those three countries but all personal data processing activities are carried out by the data controller in France. In this case, even though the processing relates to the personal data of app users who are not in the EEA, the provisions of the GDPR will apply to the processing carried out by the French company.
The GDPR also applies to organisations established in a place where EEA or Member State law applies by virtue of public international law: the examples given by the EDPB are embassies and consulates. A cruise ship flying a German flag (because of its incorporation) in international waters will, according to the guidelines, also be subject to the GDPR. A similar parallel could be drawn here with aircraft.
On a related matter, the EDPB points out that the GDPR is without prejudice to the provisions of international law, such as those governing the privileges and immunities of non-EEA diplomatic missions and consular posts and international organisations (for example, the Vienna Convention on Diplomatic Relations). However, the EDPB reminds us that such immunities only cover the embassy or consulate and not third party controllers that are subject to the GDPR and which exchange personal data with such entities, bodies and organisations.
5. EEA representatives can't also be processors of controllers, are exposed to liability and see their role possibly extended
a) EEA representatives can't also be processors of non-EEA controllers
Given the possible conflict of obligation and interests in cases of enforcement proceedings, the guidelines state that a processor cannot also serve as a representative for the controller.
b) Representative liability
The language of Recital 80 GDPR suggests that a representative could be held directly liable for the failings of the foreign controller or processor that they represent - a position which is at odds with the general legal principle that one can only be liable for one's own acts or omissions.
The revised EDPB guidelines clarify that the GDPR does not establish ‘a substitutive liability of the representative’, i.e. holding a representative directly liable is limited to the representative’s direct obligations in Articles 30 and 58(1) of the GDPR. This is a helpful clarification and suggests that data protection authorities would not, in practice, assert the power referenced in Recital 80.
The EDPB further notes that international cooperation mechanisms may be central to enforcing the GDPR against controllers and processors not established in the EEA and the development of further international co-operation on this front is being considered.
c) The EDPB extends the EEA representative role beyond the requirements of the GDPR
The guidelines offer further detail on other aspects of the role of representatives:
- The representative role is not compatible with the role of an external DPO. On this point the EDPB notes: 'the representative is mandated by the controller or processor it represents and therefore acts on its behalf in exercising its tasks, and such a role cannot be compatible with the carrying out of duties and tasks of the data protection officer in an independent manner'.
- While the representative could be an organisation and not necessarily a person, the guidelines recommend having a lead person serving in the role.
- Where there are several processing activities that fall within the scope of article 3(2) there is no need to designate separate representatives for each activity.
- The representative needs to be named in privacy notices, but not specifically notified to data protection authorities.
- The representative must be located in a Member State where data subjects are present, and should, as a matter of best practice, be located where the highest concentration of data subjects can be found.
- The representative must facilitate communication between the controller/processor and data subjects or data protection authorities. To do so, the EDPB states that 'communication should in principle take place in the language or languages used by the supervisory authorities or data subjects concerned' unless this would be a disproportionate effort in which case other means can be used by the representative.
- The guidelines state that maintaining a record of processing is a 'joint obligation' on the controller/processor and the representative. The controller or processor is responsible for the primary content and updating the record. However, 'it is the representative's own responsibility to be able to provide it…when being addressed by a supervisory authority'.
The guidelines also suggest that the parties can collaborate in fulfilling the responsibilities above. Having a detailed agreement delegating certain tasks back to the controller or processor could be one way to meet the criteria above without needing to construct a significant EEA presence.