New guidance proposed on the extra-territorial scope of the GDPR

Eversheds Sutherland (US) LLP

Companies not based in the European Union (EU) now have additional guidance to help them determine whether they have to comply with the General Data Protection Regulation (GDPR). The European Data Protection Board (EDPB), the agency responsible for administering the GDPR, recently released draft guidelines on the extra-territorial scope of the GDPR. While these guidelines are not final (they are subject to a comment period that ends on January 18, 2019), they indicate that the reach of the GDPR spreads far beyond the EU. American businesses that had concluded that they were likely exempt from the GDPR based on previous interpretations should review the new guidelines outlined below to confirm that they are not subject to the GDPR’s requirements, given the likelihood of increased enforcement under the GDPR in 2019 and the potential for steep fines.

Speed read

The guidelines focus primarily on the extra-territorial scope provisions of Article 3 of the GDPR, in particular the two criteria underpinning the GDPR’s extra-territorial provisions, which the EDPB has labeled: the “Establishment Criterion” (Article 3(1)); and the “Targeting Criterion” (Article 3(2)).

However, the guidelines also contain some wider points of interest relative to monitoring, processor obligations under GDPR, and the requirement for non-EU-based controllers and processors to appoint a legal representative. The most valuable commentary in the guidelines includes confirmation that:

  • An EU-based processor is not an EU “establishment” of a non-EU controller merely by virtue of its processor status. Therefore, the appointment of an EU-based processor will not, by itself, trigger the application of the GDPR to the non-EU controller. The EU-based processor will still be required to comply with the GDPR’s processor obligations (including those related to transfers). (Guidelines at s 9-10)
  • Pre-GDPR case law (such as Google Spain) is still relevant when interpreting the GDPR.
  • Simply processing personal data of an individual in the EU will not, on its own, trigger the application of GDPR to processing activities of controllers or processors not established in the EU—an element of “targeting” the individuals must always be present too (in the context of offering goods or services to them or by monitoring their behaviour).
  • Examples of monitoring can include: behavioural advertisement; geo-localization activities, in particular for marketing purposes; online tracking through the use of cookies or other tracking techniques such as fingerprinting; personalized diet and health analytics services online; CCTV; market surveys and other behavioural studies based on individual profiles; and monitoring or regular reporting on an individual’s health status.
  • Enforcement action can be taken against a legal representative in the same way as against controllers or processors (including the possibility to impose fines and penalties, and to hold representatives liable).

That said, there remains a lack of clarity on certain points, including:

  • How EU-based processors are expected to comply with the GDPR restrictions on transfers of personal data out of the European Economic Area (EEA);
  • What constitutes an “inextricable link” between a non-EU controller or processor and an EU establishment for the purposes of determining whether processing of personal data is carried out “in the context of the activities of” an establishment; and
  • How firms can address the complex administrative and contractual issues that will arise as a result of representatives being liable to enforcement action under the GDPR (including fines and penalties).

The Establishment Criterion 

The GDPR applies to the “processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” (Article 3(1) GDPR). This “Establishment Criterion” has three distinct elements, each of which the EDPB expands upon. 

  • An “establishment in the Union”

When determining whether an entity has an “establishment” in the EU, the EDPB references Recital 22 of the GDPR, which clarifies that establishment suggests “the effective and real exercise of activities through stable arrangements”. The bar need not be high: non-EU companies can be established in the EU through the presence of a single employee with sufficient economic ties. However, a company will not be deemed to be established in the EU simply because it has an online website that is accessible in the EU. In addition, simply being registered in the EU will not necessarily trigger an establishment in the EU.

EDPB example: A car manufacturing company based in the United States has a marketing branch in Belgium. The Belgian branch would be considered an establishment in the EU for purposes of the GDPR.

  • Processing of personal data carried out “in the context of the activities of” an establishment

If a controller or processor established outside the EU exercises “a real and effective activity—even a minimal one”—through “stable arrangements”, regardless of its legal form (e.g. subsidiary, branch, office…), in the territory of an EU Member State, the controller or processor can be considered to have an establishment in the EU. Therefore, organizations must consider—on a case-by-case basis—whether their personal data processing activities take place “in the context of the activities of” such an establishment.

Where the activities of a local EU establishment are “inextricably linked” to the processing activities of the non-EU controller or processor, whether or not the EU establishment actually plays a role in that processing of data, the GDPR may be triggered. The guidelines do not elaborate on what factors signify an inextricable link between a controller or processor outside the EU and a local establishment in the EU.

Revenue-generation by the local EU establishment can indicate that processing is carried out “in the context of the activities of the EU establishment” if that revenue-generation is inextricably linked to processing of personal data that takes place outside the EU and concerns individuals in the EU.

Non-EU organizations should assess their operations to determine what their personal data processing activities are and identify any potential links between those activities and the activities of any EU presence of their organization.

EDPB example: An e-commerce company based in China establishes a Berlin office to market to EU citizens. The activities of the Berlin office are inextricably linked to the Chinese e-commerce website because the marketing activities of the Berlin office serve to make the service offered by the e-commerce website profitable. Therefore, the processing of personal data by the Chinese company will be considered as being carried out in the context of the activities of an establishment in the EU (the Berlin office) and will fall within the GDPR.

  • Regardless of whether the processing takes place “in the Union or not”

The geographical location of the processing activities and the geographical location and nationality of the data subjects in question are all irrelevant when determining whether GDPR applies under Article 3(1).

Geographical location is relevant to the place of establishment only as it pertains to:

  • The controller or processor itself (i.e. is it established inside or outside the EU?); and
  • Any business presence of a non-EU controller or processor (i.e. does it have an establishment in the EU?).

EDPB example: A French company that exclusively processes the data of non-EU residents is still subject to the GDPR if this data processing occurs in France.

EDPB example: A Stockholm-based pharmaceutical company that exports all of its data processing to its Singapore branch must still comply with the GDPR to the extent that the data processing occurs “in the context of” the activities of the Stockholm-based company.

Applying the Establishment Criterion in Practice

The guidelines provide some much-needed clarification and guidance for non-EU-based companies and EU-based companies that conduct business with each other.

  • EU-based controllers appointing non-EU-based processors

Where an EU-based controller (subject to the GDPR) appoints a non-EU processor (not subject to the GDPR), the controller will need to comply with its Article 28 obligation to put in place a contract with the processor that requires the processor to provide GDPR protections. Therefore the non-EU processor will become indirectly subject to GDPR through its Article 28 contractual obligations.

EDPB example: A Canadian company processing data on behalf of a Finnish controller that targets EU citizens would not directly fall under the purview of the GDPR. However, the Canadian company in this scenario will still likely be required to comply with the GDPR as a result of the requirements in Article 28 GDPR governing processor appointments.

  • Non-EU controllers dealing with EU-based processors

Where a non-EU-based controller appoints an EU-based processor, the appointment will not in itself trigger the application of the GDPR to the non-EU controller. The EU-based processor is not an EU “establishment” of a non-EU controller merely by virtue of its processor status. This means that the non-EU controller will not become subject to GDPR simply because it chooses a processor in the EU.

However, EU-based processors will be established in the EU (as per Article 3(1)) and so will be required to comply with the GDPR’s processor obligations, including those relating to international data transfers.

EDPB example: A controller based in Mexico that uses an EU-based processor, but otherwise is not established in the EU and does not target EU residents, would not need to comply with the GDPR’s obligations for controllers, but the EU-based processor would have to comply with the GDPR’s obligations for processors.

The guidance falls short here as it does not explain how the EU-based processor will comply with their GDPR obligations. In particular, there is no clarity around how an EU-based processor is expected to comply with the rules around ex-EEA data transfers. The EU model clauses have not been designed with processor data exporters in mind. In fact, regulatory guidance from the Article 29 Working Party in 2010 expressly confirmed that EU-based processors must not be considered “data exporters” since the definition used in the clauses provides that data exporters act as data controllers. Updated versions for the GDPR have yet to emerge.

The Targeting Criterion

In the absence of an establishment in the EU, a controller or processor cannot benefit from the one-stop-shop (the GDPR’s cooperation and consistency mechanism).

However, the absence of an establishment in the EU does not mean that GDPR will definitely not apply to the relevant controller or processor. Article 3(2) of the GDPR states that the law “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.” This “Targeting Criterion” also has three elements.

  • Data subjects in the Union

The location of the data subject determines whether Article 3(2) should be applied (not their nationality, place of residence or legal status). The data subject’s location should be assessed at the moment when the relevant “trigger activity” takes place (i.e. at the moment of offering of goods or services or the moment when the behaviour is monitored).

EDPB example: A US-based start-up offers a city-mapping mobile app. The company has no EU presence, but it processes personal data relating to the location of customers using the app once they start using the app in the city they visit, in order to provide them with targeted advertisements for restaurant or hotel recommendations in the city. The app is available for tourists visiting New York, San Francisco, Toronto, London, Paris and Rome. The company is offering services to individuals in the EU, therefore the processing of the EU-located data subjects’ personal data in connection with the offering of the service falls within the scope of GDPR.

In addition, simply processing personal data of an individual in the EU will not, on its own, trigger the application of GDPR to processing activities of controllers or processors not established in the EU—an element of “targeting” the individuals must always be present too (in the context of offering goods or services to them or by monitoring their behaviour). 

EDPB example: A US tourist is travelling through Europe. While in Europe, he downloads and uses a news app offered by a US company. The app is exclusively directed at the US market. The collection of the US tourist’s personal data via the app by the US company is not subject to the GDPR.

The processing of personal data of EU citizens outside of the EU will not trigger the GDPR so long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behaviour in the EU. So, data processing that occurs in a third country that happens to include EU citizens without active targeting on the part of the processor or controller will not fall under the GDPR.

EDPB example: A Taiwanese bank has customers who happen to be German citizens residing in Taiwan. Its activities are not directed at the EU market and therefore its processing of personal data is not subject to GDPR.

  • Offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union

Whether the activity of a controller or processor not established in the EU is to be considered as an offer of a good or a service does not depend on whether payment is made in exchange for the goods or services provided.

The primary way to determine whether the Targeting Criterion is met is to assess whether the conduct of the controller or processor indicates its intention to offer goods or services to a data subject in the EU, i.e. whether the offer is directed at a person in the EU.

Processing activities that are “related” to the activity that triggers Article 3(2) are in scope of GDPR. This requires a connection between the processing activity and the offering of goods or services, and both direct and indirect connections are relevant.

EU case law based on Regulation 44/2001 on the recognition and enforcement of judgments in civil and commercial matters provides a number of factors that may be relevant when assessing whether a trader can be considered to be “directing” its activity to a Member State. The EDPB suggests that the following factors might be of assistance when deciding whether a controller or processor is offering goods or services to data subjects in the EU:

  • Whether the EU or a Member State is referenced by name relative to a good or service offered;
  • Whether the controller or processor pays a search engine operator for an internet referencing service to facilitate access to its site by consumers in the EU; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
  • The international nature of the activity at issue, including certain tourist activities;
  • The mention of dedicated addresses or phone numbers to be reached from an EU country;
  • The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
  • The description of travel instructions from one or more other EU Member States to the place where the service is provided;
  • The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
  • The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states; and
  • Whether the controller offers the delivery of goods in EU Member States.

The guidelines do confirm that the mere accessibility of a website in the EU, the mention on the website of its e-mail or geographical address, or of its telephone number without an international code, will not, on its own, show the controller’s or the processor’s intention to offer goods or services to a data subject located in the EU.

EDPB example: A Turkish website offers services for the creation, editing, printing, and shipping of personalized family photo albums. The website is available in English, French, Dutch and German, and payments can be made in Euros or Sterling. The website indicates that photo albums can be delivered only by post to the UK, France, Belgium, the Netherlands, Luxembourg, and Germany. The website is available in four EU languages and delivers by mail to six EU countries, which indicates an intention on the part of the Turkish website to offer its services to individuals in the EU. As a result, the processing carried out by the Turkish website relates to the offering of a service to data subjects in the EU and is therefore subject to the GDPR.

  • Monitoring of data subjects’ behaviour

In addition to offering goods and services to EU data subjects, companies can fall under the GDPR based on the Targeting Criterion if they monitor the behaviour of data subjects in the EU as far as their behaviour takes place within the EU’s borders.

The behaviour must first relate to a data subject in the EU, and the monitored behaviour must take place within the EU. Tracking through other types of network or technology involving personal data processing, for example through wearable and other smart devices, should also be taken into account in determining whether a processing activity amounts to behaviour monitoring.

There is no explicit requirement for an “intention to target” to determine whether the monitoring activity would trigger application of the GDPR. However, the EDPB states that the word “monitoring” implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. That said, the online collection or analysis of personal data of individuals in the EU does not automatically mean “monitoring”. It is not entirely clear how this commentary sits alongside the EDPB’s more robust remarks earlier in the guidelines, that ‘an element of “targeting” the individuals must always be present too (in the context of offering goods or services to them or by monitoring their behaviour)’.

The controller’s purpose for processing and, in particular, any subsequent behavioural analysis or profiling techniques involving the relevant data, must be considered when deciding whether a particular activity is monitoring.

The guidelines indicate that the following are examples of monitoring activities: behavioural advertisement; geo-localization activities, in particular for marketing purposes; online tracking through the use of cookies or other tracking techniques such as fingerprinting; personalized diet and health analytics services online; CCTV; market surveys and other behavioural studies based on individual profiles; and monitoring or regular reporting on an individual’s health status.

EDPB example: A marketing company in the United States advises a retail company in France on the layout of its French shopping centre by analyzing customer movements through Wi-Fi tracking. The analysis of customers’ movements in this way will amount to the monitoring of individuals’ behaviour. The US marketing company would therefore be responsible for complying with the GDPR in respect of the processing of personal data for this purpose.

Processing in a place where EU Member State law applies by virtue of public international law

Article 3(3) GDPR provides that the GDPR “applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law”.

The guidelines confirm that GDPR applies to personal data processing carried out by EU Member States’ embassies and consulates, insofar as such processing falls within the material scope of the GDPR, as defined in its Article 2.

Representative of non-EU-based controllers or processors

The last chapter of the guidelines explores the requirement under Article 27 GDPR for controllers and processors subject to GDPR by way of Article 3(2) to designate a “representative in the Union” (referred to here as a representative). The chapter contains some helpful information relative to the requirement, summarized as follows:

  • A non-EU-based controller or processor that has designated a representative in writing does not fall within the scope of Article 3(1), meaning that the presence of the representative within the EU does not constitute an “establishment” of a controller or processor by virtue of Article 3(1).
  • The written mandate referred to in Recital 80 of the GDPR governs the relations and obligations between the representative and the non-EU-based controller or processor, while not affecting the responsibility or liability of the controller or processor.
  • The function of the representative can be exercised based on a service contract concluded with an individual or organization (e.g. law firms, consultancies, private companies, etc.) provided that such entities are established in the EU. One representative can also act on behalf of several non-EU controllers and processors. 
  • The EDPB recommends that a single individual be assigned as a lead contact and person “in charge” for each controller or processor represented.
  • The function of representative is not compatible with the role of an external data protection officer (DPO), which would be established in the EU. The requirement for a DPO to have a sufficient degree of autonomy and independence is not compatible with the function of representative, which is subject to a mandate by a controller/processor and acts on its behalf and under its direct instruction. There are also potential conflicts of interests if an external DPO is asked to represent the controller or processor.
  • Controllers must provide data subjects with information as to the identity of their representative (under Articles 13(1)(a) and 14(1)(a)). A controller not established in the EU but falling under Article 3(2) and failing to inform data subjects who are in the EU of the identity of its representative would be in breach of its transparency obligations under the GDPR. Such information should furthermore be easily accessible to supervisory authorities to facilitate the establishment of a contact for cooperation needs.
  • When assessing what constitutes “large scale processing” for the purposes of the exemption from the requirement to appoint a representative (under Article 27(2)(a)), the EDPB recommends considering factors contained in its guidelines WP243 on DPOs, in particular: the number of data subjects concerned—either as a specific number or as a proportion of the relevant population; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data processing activity; and the geographical extent of the processing activity.
  • In cases where a significant proportion of data subjects whose personal data are processed are located in one particular Member State, it is good practice that the representative is established in that same Member State. However, the representative must remain easily accessible for data subjects in Member States where it is not established and where the services or goods are being offered or where the behaviour is being monitored.
  • The criterion for establishment of the representative is the location of data subjects (not the place of processing).

In terms of the representative’s obligations and responsibilities, the guidelines confirm that the representative:

  • Must facilitate communication between data subjects and the controller or processor represented, to make the exercise of data subjects’ rights effective;
  • Must maintain a record of processing activities under the responsibility of the controller or processor. This is a joint obligation—the controller or processor not established in the EU must provide the representative with all the accurate and up-to-date information needed to maintain the record;
  • Should perform its tasks according to the mandate received from the relevant controller/processor, including cooperating with the competent supervisory authorities regarding any action taken to ensure GDPR compliance; and
  • Must be able to communicate efficiently with the relevant data subjects and cooperate with supervisory authorities, which means that communication must be in the language or languages used by the supervisory authorities and the data subjects concerned.

The EDPB confirms that designation of a representative does not affect the responsibility and liability of the controller or of the processor under the GDPR and is without prejudice to legal actions initiated against the controller or the processor themselves.

The guidelines conclude by emphasizing that the aim of the Article 27 representative requirement was to ensure enforcement of the GDPR against controllers or processors that fall under Article 3(2) GDPR. Therefore, enforcers may initiate enforcement action against a representative in the same way as against controllers or processors (including to impose fines and penalties, and to hold representatives liable). However, the EDPB does not elaborate on how firms can address the complex administrative and contractual issues that will arise as a result of this interpretation.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
