How widely does the GDPR apply?

It’s no secret that the European emperors of old had ambitions to extend their reach beyond the borders of Europe. Some of the same aims (though with far less aggressive tactics!) could be said to be behind certain aspect of European law as it seeks to regulate organisations located outside Europe. In the world of data protection, this was first expressed in the 1995 EU Data Protection Directive through a rule that the law applied to controllers not established in the EU but who ‘make use of equipment’ situated in the EU (save for transit only). This formulation no longer appears in the General Data Protection Regulation (GDPR) – the comprehensive data protection law of the EU that, earlier this year, replaced the 1995 Directive.

Data Privacy

Instead, the European policymakers have introduced the concept of ‘targeting’ individuals in the EU which sits alongside the existing legal rule that, if you are established in the EU, you must comply with EU data protection law. The European Data Protection Board (EDPB), the group of data protection regulators created under the GDPR, recently published draft guidelines for public consultation on the territorial scope of the GDPR. Any organisation looking to understand whether, or the extent to which, the GDPR applies to them should start by considering what the EDPB says – their views on the interpretation of the GDPR are influential.

The guidelines from the EDPB divide the rules on the application of the GDPR into three: (i) the establishment criterion under Article 3 (1), (ii) the targeting criterion under Article 3 (2), and (iii) the rules relating to public international law under Article 3 (3). Taking the last one of these briefly first: the key rule is that the GDPR will apply to personal data processing carried out by EU Member States’ embassies and consulates wherever they are in the world.

It is important to note, when considering the scope of the GDPR application provisions, the main reason behind them. EU data protection law and those EU institutions that uphold it are firmly committed to the notion that data protection and privacy are fundamental rights (as outlined in the EU Charter of Fundamental Rights) available to all individuals in the EU and therefore the interpretation of these provisions is more likely to expand to protect individuals’ privacy (within reason) than contract to enable business efficiencies.

1. Establishment criterion

This provision is closely based on the language of the 1995 Directive but now applies to processors as well as controllers established in the EU. The EDPB recommends a three step approach for determining whether you are caught by this provision:

A. Are you an establishment in the EU?

It has long been accepted under EU law that for an establishment to exist does not require there to be a specific legal entity (e.g. subsidiary or branch) in the EU. The GDPR itself states that an establishment ‘implies the effective and real exercise of activities through stable arrangements’ (recital 22). Any real and effective activity (even minimal ones such as a single employee based in the EU) may be sufficient. The key issues to consider are the degree of stability of the arrangements in the EU and the effective exercise of activities in the EU. The EDPB remarks that the threshold for ‘stable arrangements’ can be quite low especially when the centre of activities of a controller concerns the provision of services online. Consequently, an establishment could be said to exist if a non-EU organisation has a specific programme of services dedicated to EU customers and has permanent EU sales representatives in the EU that support those services.

B. Are you processing personal data carried out in the context of the activities of that establishment?

Perhaps surprisingly, EU law states that it is not necessary for the processing of personal data to be carried out by the specific EU establishment (so in the example above, by the EU sales representatives) in order for the processing to be caught by the GDPR. The language used is ‘processing of personal data in the context of the activities of an establishment of a controller or processor in the EU’ and the EDPB confirms that this must not be interpreted restrictively. However, this does not mean that any presence in the EU with even very remote links to data processing of a non-EU entity will be enough to trigger the application of the GDPR to this processing. So, for instance, it would surely be absurd for the presence periodically for business purposes of US executives from a US company in the EU (with no other presence in the EU) to trigger the application of the GDPR to the US company’s HR database held in the US.

The two aspects that the EDPB focus on are:

  • the relationship between the controller/processor outside the EU and the local establishment in the EU; and
  • any revenue raising in the EU

With respect to the first aspect, a local EU establishment can behave in a way that its activities are inextricably linked to the data processing activities of a non-EU controller or processor. This is what the Court of Justice of the EU (CJEU) held when it examined Google Inc.’s activities (as a search engine) as related to its local Spanish company (selling online advertising) in the 2014 Google Spain decision. This interpretation was the case even if the local EU establishment was not taking any role in the processing itself. But this ‘inextricable link’ analysis must take place on a case by case basis.

With the second aspect, the EDPB points out that revenue raising in the EU by a local establishment may be indicative of processing by a non-EU organisation being carried out in the context of the activities of an EU establishment. The key is whether the revenue raising activity is inextricably linked to the processing of personal data occurring outside the EU. What the EDPB doesn’t comment on is whether additional forms of benefit (so not revenue) would also be treated in the same way. Nevertheless, a non-EU organisation is expected to identify potential links between the activity for which data is being processed and the activities of any presence of the organisation in the EU.

C. Confirming that the GDPR will apply regardless of whether the processing in question takes place in the EU or not.

The place where the data processing takes place is not a significant factor in determining whether the GDPR applies. Instead, it is the presence of an establishment in the EU and the fact that processing takes place in the context of the activities of that establishment (and the context aspect is broadly construed) that triggers the GDPR applying. One example the EDPB gives is where an EU company locates all its data processing activities with regards to certain processing in its branch in Singapore. If the branch is not a legally distinct entity and the EU company is a controller, then even though the processing takes place in Singapore, the processing is carried out in the context of the activities of a controller in the EU and the GDPR applies to such processing. But what the EDPB doesn’t explore is the interpretation if the Singapore entity is a separate legal entity. Presumably then the GDPR would not apply directly to the processing activities by the Singaporean entity even though the contractual restrictions that the EU company may wish to impose on the Singapore entity may effectively amount to the GDPR applying.

2. Targeting criterion

In order for the rules under Article 3 (2) to apply, the organisation must have no establishment in the EU. The EDPB indicates that the GDPR can apply under Article 3 (2) due to targeting criteria focused on what the processing activities are related to. The EDPB recommends a twofold approach as set out below.

A. Individuals in the EU

As mentioned earlier, the EU prioritises the protection of all individuals in the EU regardless of citizenship, nationality or residency status. The requirement that the individual be located in the EU must be assessed, according to the EDPB, at the moment when the relevant trigger activity takes place regardless of the duration of the offer made or monitoring undertaken. In other words, the non-EU organisation must have some knowledge of who they are targeting (which seems from the drafting to be only individuals and not businesses) and the fact that these are individuals in the EU and not simply all individuals indiscriminately.

B. Offering goods or services, or monitoring behaviour

With this provision, the GDPR moves away from the notion of making use of equipment situated in the EU and firmly to the concept of following the intention of the non-EU organisation. If the non-EU organisation intends to offer goods or services to individuals in the EU or to monitor their activities, then such processing activities will be subject to the GDPR.

The offering of a good or service is not dependent on payment being made. The EDPB is also clear (as is the GDPR) that mere accessibility of a website to individuals in the EU is not in itself sufficient. Instead, the non-EU organisation must be deliberately offering or ‘directing activity’ (in accordance with related CJEU case law that the EDPB considers can be of assistance) at EU individuals. This could be evidenced by certain facts such as referring to the EU or a specific EU country, paying a search engine for an internet referencing service to facilitate access to its site by consumers in the EU, launching a marketing campaign directed at EU individuals, referring to dedicated addresses or phone numbers to be reached from an EU country, use of a language or currency used in the EU, and including EU customers in testimonials. The EDPB recognises that one of these factors in isolation may not amount to an intention of the non-EU organisation to offer goods or services to individuals in the EU but a concrete analysis should be undertaken to determine whether the combination of factors indicates an intention to direct goods or services at EU individuals.

The trigger under the second aspect is where the processing activities are related to the monitoring of the behaviour of individuals in the EU as far as their behaviour takes place within the EU. The EDPB clarifies that while the supporting recital to this provision only refers to online monitoring, they consider tracking through other types of networks or technology would also be caught. Additionally the EDPB considers that while the provision is not expressed to include any intention to target, the use of the word ‘monitoring’ implies that the organisation has a specific purpose in mind. While not every online collection of personal data would automatically be considered to be monitoring, the EDPB considers it is necessary to consider the purpose for collecting the data and any subsequent behavioural analysis or profiling that may be carried out. The types of monitoring activities considered by the EDPB include behavioural advertising, geo-localisation activities and online tracking.

This means that, in the example given by the EDPB, if a Canadian app developer with no establishment in the EU monitors the behaviour of individuals in the EU, it is therefore subject to the GDPR and must fully comply with all requirements including when appointing a processor who could be based outside the EU. What the EDPB doesn’t explore is what amounts to monitoring of an individual’s behaviour as far as their behaviour takes place within the EU. What if the non-EU organisation has no knowledge that the end users it tracks are located in the EU? Or if it has knowledge but doesn’t act specifically on that knowledge in a way that monitors the EU individuals any differently from the individuals who it monitors from other parts of the world? Or what about a scenario where a US organisation monitors US individuals through an app regardless of where those US individuals are based which could include any visits they make to the EU?

3. Representatives in the EU

Significantly, if an organisation is required to comply with the GDPR under Article 3 (2) it must appoint a representative in the EU. The representative should be established in one of the Member States where the individuals whose personal data the organisation processes are based. There is an exception from this requirement to appoint a representative if (i) the organisation is a public authority or (ii) the processing is occasional, does not include processing on a large scale of special categories of data or criminal data and such processing is unlikely to result in a risk to the rights of individuals.

While on one level the way a representative is appointed seems logical – they must be located in the country where those whose personal data you are processing is based – this may not always be straightforward. What if you are a non-EU organisation caught by Article 3 (2) but with a shifting demographic of individuals whose personal data you process? One year this group may be in France but the next year in the Netherlands – is an organisation expected to change the representative in response?

4. Additional clarifications

The EDPB makes it clear that a non-EU controller engaging an EU based processor will not be considered to have an establishment in the EU purely by virtue of engaging an EU processor. The guidelines also confirm that an EU controller using a non-EU processor needs to comply with Article 28 (rules around the contract between a controller and processor) as well as the rules around transfer of personal data outside the EU. Regrettably not much leeway is granted to an EU processor who is engaged by a non-EU controller. While this arrangement doesn’t mean the non-EU controller will be subject to the GDPR simply because it uses a processor in the EU, an EU processor will still have to comply with all of its obligations under the GDPR regardless of what the non-EU controller might think. This could potentially complicate contract negotiations for EU processors who will have to explain to non-EU controllers why certain provisions and arrangements are necessary.

5. The international data transfer dimension

One further angle that the EDPB guidelines don’t comment on is the way that Article 3 interacts with Chapter V of the GDPR around international data transfers. The UK’s Information Commissioner’s Office (ICO) has already indicated in guidance that data transfers from the EU to an organisation outside the EU that is subject to the GDPR under Article 3 are not ‘restricted transfers’. A transfer that is not a restricted transfer is then not subject to rules under Chapter V i.e. no need for standard contractual clauses, BCR or Privacy Shield. It would be helpful for the EDPB to comment on this position whether in this guidance on Article 3 or whether in subsequent guidance on data transfers.

6. But do the rules on application of the GDPR extraterritorially have teeth?

Just like the European emperors of old who sought to extend their influence outside Europe, the real test will come when the EU data protection regulators attempt to enforce the application of the GDPR beyond EU borders. For instance, how will a data protection authority enforce the GDPR on an organisation with no establishment in the EU and who has not appointed a representative (whether in direct contravention of the law’s requirements or because they can rely on the exception)? Certainly, the EDPB draft guidelines provide useful pointers and illustrations but the guidelines also raise a number of questions still to be settled.

10 December 2018

This information is necessarily of a general nature and doesn’t constitute legal advice. This is not a substitute for formal legal advice, given in the context of full information under an engagement with Bates Wells.

All content on this page is correct as of December 10, 2018.