On 16 November 2018, the European Data Protection Board (EDPB) adopted draft guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines). The EDPB has opened the guidelines up to public consultation and welcomes comments on the draft until 18 January 2019. After the consultation process, the guidelines will be finalised.
This article reviews the key parts of those guidelines in two sections covering I) the extra-territorial scope of the GDPR and ii) the need for non-European Union (EU) controllers to designate a representative located in the EU.
1 – Territorial scope
The GDPR has extra-territorial effect. This means it can apply to companies based outside of the EU.
GDPR applies to a non-EU-based company where that company:
- Processes personal data in the context of the activities of an EU establishment (the establishment criterion);
- Processes personal data of an individual in the EU, for the purposes of either: (i) offering goods or services to that individual in the EU, or (ii) monitoring the behaviour of that individual in the EU (the targeting criterion); or
- Is subject to EU Member State law by virtue of public international law. This has been an area of significant uncertainty for non-EU companies. The guidelines offer some much-needed clarity.
This has been an area of significant uncertainty for non-EU companies. The guidelines offer some much-needed clarity.
The establishment criterion
The EDPB breaks this criterion down into three separate considerations.
1 – The meaning of ‘establishment’
The EDPB clarifies that ‘establishment’ refers to the degree of stability of the arrangement between a non-EU-based company and a company located in the EU. The guidelines give the example of a U.S.-headquartered company with a branch and office in the EU to oversee its operations in Europe. This constitutes an EU establishment.
‘Establishment’ will be assessed on the facts, taking into account the specific nature of the economic activities and the provision of services. The mere fact that a company’s website is accessible in the EU does not constitute an establishment in the EU.
2 – The processing must be ‘in the context of’ the establishment’s activities
For GDPR to apply, the activities of the EU establishment and the data processing activities of the non-EU company must be ‘inextricably linked’.
3 – Geographical location
It is irrelevant whether the processing takes place in the EU or whether the individual is located in the EU or is an EU citizen. If the above two considerations are satisfied, the GDPR will apply.
The targeting criterion
The EDPB breaks this criterion down into two separate considerations.
1 – Location of the individual
The individual must be located in the EU. This is a requirement of physical geographical location. Nationality, citizenship, residence and other legal status of the individual are irrelevant.
Location will be assessed at the moment when the triggering activity takes place, regardless of the duration of the triggering activity.
2 – The triggering activity
The triggering activity could be either offering goods or services to individuals in the EU or monitoring the behaviour of individuals in the EU.
The offering goods or services requires an element of intention. The mere fact that a company’s website is accessible from an EU Member State or the mere mention of an email or geographical address on a company’s website is not sufficient evidence of an intention to target individuals in the EU.
The EDPB gives examples of factors that may indicate an intention to offer goods or services to individuals in the EU:
- The EU or EU Member State is referred to by name with reference to the good or service offered;
- A search engine operator has been paid to direct the site at consumers in the EU;
- The goods or services are of an international nature, for example, certain tourist activities;
- Certain addresses and phone numbers are dedicated for people in EU countries to use;
- Domain names are either neutral or for an EU country;
- Travel instructions from one or more EU Member States to the place of service are made available;
- The company specifically refers to its EU clientele;
- The company uses a language or currency used by one or more EU Member States; and
- Delivery of goods to EU Member States is offered.
The facts should be considered together to determine whether a company is offering goods or services to individuals in the EU. There must be a direct or indirect link between this offering and the processing of personal data of an individual in the EU.
Alternatively, the triggering activity could be the monitoring of individuals’ behaviour in the EU. Monitoring can be conducted on the internet or through other types of network or technology.
Unlike the offering of goods and services, monitoring does not require intention to target. However, the EDPB considers that ‘monitoring’ implies a specific purpose. This purpose must be considered carefully to determine whether the triggering activity is satisfied. A key consideration is whether the individual is tracked on the internet and subsequently profiled.
The EDPB gives examples of monitoring activities:
- Behavioural advertisement
- Geo-localisation activities, in particular for marketing purposes
- Online tracking through the use of cookies
- Personalized diet and health analytics services online
- The use of CCTV
- Market surveys and behavioural studies based on individual profiles
- Monitoring or regularly reporting on an individual’s health status
Public international law
The GDPR may also apply to a non-EU company, where that company is subject to EU Member State law by virtue of public international law. This would include, for example, an EU Member State’s diplomatic mission or consular post in a non-EU country.
2 – Appointing a representative
GDPR requires that non-EU controllers or processors of personal data of individuals located in the EU appoint EU-based representatives (EU representative), unless they are exempt. The guidelines divide this requirement into four distinct sections.
The appointment process
The EU representative can be a company or an individual. Where the EU representative is a company, the EDPB recommends that a person in the company is specifically designated as the “lead person”.
The EDPB makes it clear that an EU representative should not carry out the roles of both data protection officer and EU representative. The role of data protection officer requires a level of autonomy and independence that is incompatible with the responsibilities of the EU representative.
The EU representative should be explicitly appointed by a written mandate from the appointing non-EU controller or processor. The mandate should allow the EU representative to act on behalf of the controller or processor in relation to its GDPR obligations.
Where an EU representative is appointed, the GDPR requires that data subjects be notified of the EU representative’s identity. This should be done in the controller or processor’s privacy policy.
Exemptions
A non-EU controller or processor will not be required to appoint an EU representative if either of the two exemptions below apply:
(1) The processing:
i. is occasional;
ii. does not include processing of sensitive personal data or of data relating to criminal convictions on a large scale; and
iii. is unlikely to result in a risk to the rights and freedoms of natural persons.
(2) The controller or processor is a public authority or body.
Where the representative should be established
The EU representative must be established in an EU Member State where affected data subjects are located. Where the actual processing takes place is irrelevant.
The EDPB recommends that the EU representative is established in the Member State where most affected data subjects are located. Bear in mind, however, that the EU representative must still be accessible by all data subjects across the EU.
The representative’s obligations and responsibilities
The EU representative acts on behalf of the controller or processor in relation to its GDPR obligations. In doing so, the EU representative has a number of obligations and responsibilities. These include:
- Facilitating communication between data subjects and the controller or processor.
- Maintaining a record of processing activities. The EDPB believes this to be a joint obligation of both the EU representative and the controller or processor.
- Cooperating with supervisory authorities.
The GDPR responsibilities and liabilities of the non-EU controller or processer do not disappear simply because it appoints an EU representative. However, an EU representative can be held liable for its own failings.
Comment
As a whole, the guidelines clarify the extent to which non-EU controllers or processors are subject to the GDPR. While they may not like the extra-territorial nature of GDPR, the guidelines provide much needed clarity for non-EU companies.
Cynthia O’Donoghue is Vice-Chair and John O’Brien is an associate in Reed Smith’s IP, Tech & Data group. Cynthia is also an SCL Trustee.
This article is adapted from blog posts originally published on the Reed Smith blog.
