Draft guidelines released by the EDPB shed some light on the territorial scope of the GDPR
In September 2018, the European Data Protection Board (EDPB) met to discuss new draft guidelines on the territorial scope of the EU’s General Data Protection Regulation (GDPR). The guidelines are designed to provide “a common interpretation” and clarification of the territorial scope of the GDPR, in particular where the data controller or processor is established outside of the EU.
Given the breadth of the drafting of the extra-territorial provisions of the GDPR, being Articles 3 and 27, and the lack of clarity in this space (particularly with respect to key concepts in the relevant Articles such as “establishment” and “monitoring”), these guidelines are a welcome development for privacy practitioners all over the globe.
Although the guidelines are non-binding, given that the EDPB is primarily composed of representatives from the EU Member States’ national data protection authorities, they will no doubt be highly persuasive when interpreting the scope of Articles 3 and 27. This is particularly so in the context of the UK ICO issuing the first enforcement notice under the GDPR against a non-EU organisation.
The guidelines were formally adopted by the EDPB on 16 November 2018, and published on 23 November 2018. A public consultation process is currently being conducted in respect of the guidelines, which is due to end on 18 January 2019 – which suggests we might expect to see a finalised version sometime in the first half of next year.
The guidelines examine several aspects of the GDPR which relate to its territorial scope, in particular:
• the “establishment” criterion in Article 3(1),
• the “targeting” criterion in Article 3(2), and
• the obligation on data controllers or processors that are subject to the GDPR to designate a representative in the EU in Article 27.
Establishment Criterion - Article 3(1)
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
The EDPB recommends a threefold approach in determining whether or not the processing of personal data falls within the scope of the GDPR pursuant to Article 3(1):
- “An establishment in the Union”: the guidelines reference the Court of Justice of the European Union’s ruling in Weltimmo to clarify that the concept of “establishment” extends to any effective and real exercise of activity through stable arrangements. The legal form of an entity’s arrangements is not determinative – even the presence of a single employee or agent of a non-EU entity may suffice. Further, the level of activity does not need to be significant, particularly when a controller’s services are delivered online (although the mere ability to access an organisation’s website in the EU would likely not suffice).
- “Processing of personal data carried out in the context of the activities of that establishment”: it is not necessary that the processing in question is carried out “by” the relevant EU establishment itself – it simply needs to be done “in the context of the activities of” the established organisation. The guidelines state that the meaning of this cannot be interpreted restrictively, but nor should it be interpreted too broadly to include commercial activity of a non-EU entity in the EU which is “far removed” from the processing of personal data by that entity. The recommendation from the EDPB is that this determination must be made on a case-by-case basis and each situation assessed on its own merits. To this end, the guidelines provide several indicative examples.
- “Regardless of whether or not the processing takes place in the Union”: Article 3(1) does not restrict the application of the GDPR to the processing of personal data in the EU or of EU persons; personal data processing (of any person and in any location) in the context of the activities of an entity’s EU establishment may trigger the application of the GDPR.
Targeting Criterion - Article 3(2)
“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
The EDPB recommends a straightforward, twofold approach to determining the applicability of Article 3(2). First, determine whether the processing relates to the personal data of data subjects in the Union; second, determine whether such processing relates to the offering of goods or services to such data subjects, or to the monitoring of their behaviour in the EU.
- “Data subjects in the Union”: the targeting criterion is not limited by citizenship, residence or other type of legal status of the relevant data subjects – those people merely need to be located in the EU at the moment when the relevant trigger activity takes place.
- “Offering of goods or services”: one of the key elements to be assessed is whether the goods or services are actually directed towards persons in the EU - mere accessibility of a website by EU persons is insufficient in and of itself. However, for example, mentioning customers or users who are located in the EU may bring the website within scope of the GDPR.
- “Monitoring of behaviour”: it is not automatically the case that any online collection or analysis of personal data of EU persons would count as monitoring. It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques deployed.
Designated Representative - Article 27
“Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union. The obligation laid down in paragraph 1 of this Article shall not apply to: (a) processing which is occasional, does not include, on a large scale, processing of special categories of data …., and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or (b) a public authority or body.”
- Designating a representative in the Union does not itself constitute an “establishment” under Article 3(1).
- One representative can act on behalf of several non-EU controllers or processors. However, the function of a designated representative is not compatible with the role of an external data protection officer (DPO). This is because whilst a representative acts under the direct instruction of the relevant controller/processor, the DPO is meant to be autonomous and independent.
If you are an Australian organisation, and you would like to understand some of the key differences between your obligations under the Australian Privacy Act and the GDPR, as well as our views on some of the key steps towards achieving cross-border privacy compliance, please see our “GDPR: Ready or not, here it comes” publication.
For our insights on what has changed in the 6 months since the GDPR went live, together with a brief update on some of the key enforcement actions thus far, be sure to see our recent report “GDPR: 6 months on – what’s changed?”.
Authored by Melissa Fai, Nikhil Shah, Bryce Craig and Michelle Xu.