Introduction
The EU General Data Protection Regulation (GDPR), which revised and sought to ensure greater harmonization of the European Union’s data protection framework, took effect in May 2018. Among the changes it introduced was the extraterritorial reach that brought within its scope non-European businesses who had not previously been subject to the European data protection rules. The GDPR applies to non-EU controllers or processors in three situations: (1) in the context of the activities of its EU establishment, regardless of where the processing takes place; (2) where the controller or processor is offering goods or services to data subjects in the EU, irrespective of whether payment is required; or (3) if the controller or processor is monitoring the behavior of data subjects in the EU. The GDPR also introduced a new guidance issuing body, the European Data Protection Board (EDPB) who produce guidance on the scope and interpretation of the GDPR.
Guidance on extraterritorial application
In November 2018, the EDPB published its draft guidance on the extraterritorial scope of the GDPR (available here). The guidance clarifies key aspects of the territorial basis for the application of the GDPR to certain data processing activities of data controllers and data processors. The consultation period for the draft guidance closed on 18 January 2019 and the EDPB will finalize the guidance in due course.
While the draft guidance confirms some areas of uncertainty, it has not addressed others. For example, the guidance does not address the treatment of data subjects who act as representatives of EU legal persons or entities, and whether personal data of such data subjects collected by a non-EU person without an EU establishment should be subject to the GDPR. The EDPB is expected to release further guidance in respect of the application of the GDPR in the course of 2019. We will monitor such developments.
Key aspects of the draft guidance include the following:
Organizations Located in the EU
Where organizations are located in the EU, the guidance adopts the Court of Justice of the European Union’s (CJEU) approach in key pre-GDPR judgments defining the meaning of “establishment” in the context of determining the territorial scope of the GDPR. This means that a person may have an establishment in the EU if it engages in a real and effective activity, even a minimal one, through stable arrangements, regardless of the legal form of those arrangements. This includes employees, marketing offices, branches, subsidiaries and other arrangements. However, the assessment of whether a non-EU person in fact has an establishment, should be made on a fact-specific basis in light of all of the relevant circumstances. The EDPB provides the example of a car manufacturing company headquartered in the US, with a fully-owned branch and office in Brussels overseeing all European operations, including marketing and advertising and finds that the Belgian branch is considered an establishment in the EU and subject to the GDPR.
In assessing whether organizations are processing data in the context of that establishment in the EU, the guidance confirms that the processing of the data carried out wholly outside the EU may be subject to the GDPR if the processing is “inextricably linked” to the activities of the EU establishment. The test for “inextricably linked” however, remains somewhat ambiguous; it requires a “case-by-case” analysis, which is not too broad to sweep in the “remotest links” but at the same time, fulfils the GDPR’s aim for “effective and complete protection.”
The guidance notes two specific situations where processing activities may be considered “inextricably linked”:
-
First, the activities of a local establishment in a Member state and the data processing activities of a data controller established outside the EU may be “inextricably linked” and trigger GDPR requirements. The fact that an EU establishment is not itself conducting the data processing is not sufficient to determine whether the GDPR applies or not.
-
Second, revenue-raising activities in the EU by a local establishment, to the extent that they are “inextricably linked” to the processing of EU individuals’ personal data outside the EU, may be sufficient to cause the processing to be subject to the GDPR.
The guidance provides the example of an e-commerce website based in China that establishes a Berlin office to lead and implement commercial prospection and marketing campaigns in Europe. The EDPB explains that the activities of the Berlin office are inextricably linked to the processing of personal data carried about by the Chinese e-commerce website because the marketing activities of the Berlin office serve to make the service offered by the e-commerce website profitable and the processing of personal data by the Chinese company will be subject to the GDPR. However, the use of an EU data processor will not, without more, subject a non-EU person to the GDPR.
The guidance has now clarified that the GDPR will apply to EU persons acting as data controllers in relation to data subjects who are outside of the EU (e.g., non-EU employees or customers). For this purpose, “EU persons” includes persons themselves who are established in the EU (i.e., have a physical presence and operations in the EU), but may also include a person that is established in the EU as a result of having a subsidiary or a group entity that has a presence or operations in the EU. Thus, if an EU-established organization processes data on a non-EU data subject (e.g., a German data controller processing data of a US customer or employee), that processing must comply with the GDPR.
Organizations Located Outside of the EU
The guidance confirmed that data processing in the context of offering goods or services to individuals who are not EU citizens or residents could in some cases be subject to the GDPR, if such data subjects are in the EU at the time of the relevant offering. For example, marketing campaigns focused on an EU audience, use of EU-related domain names, designating contact telephone numbers for individuals in the EU, and delivery of goods to locations in the EU would likely bring the relevant processing activities subject to the GDPR. However, the mere accessibility of a website in the EU, the mention on the website of its e-mail or geographical address, or of its telephone number without an international code, will not, on its own, cause a non-EU person’s data processing activities to be subject to the GDPR.