Speed-read
What do I need to know?
- The territorial reach of European data privacy law will be extended significantly once the GDPR is in force.
- The impact could well be huge given the global reach of business organisations. Questions remain about how the extended territorial reach will be enforced by the supervisory authorities in each of the EU member states. They will be empowered to take enforcement action against companies who are not currently at risk under EU data privacy law.
- Currently, EU wide data privacy law (distinct from local country laws) does not apply to your organisation if it is a data processor only, even if it is located here. This will change!
- If your organisation is located outside the EU, the new law will apply directly to it in certain scenarios! For example, it will apply to overseas organisations which process personal information in connection with the offering of goods or services to, or monitoring of behaviour of, data subjects (e.g. residents) who are in the European Union.
What do I need to do?
- Start to consider now whether your business is likely to be caught by the territorial reach criteria. Err on the side of caution – the key concepts of "establishment", "monitoring" and "offering of goods or services" are deliberately broad in the new law.
- If you find there is a possibility you will be caught, your key risk areas will be where a "trigger" event occurs such as a data security breach or complaint by a data subject about how his personal data is processed.
- You will need to consider whether you are confident that personal data is kept secure by your organisation in accordance with the security principle of the GDPR and that it is fairly and lawfully processed.
- Make sure key personnel within your organisation (in particular, those who are responsible for managing staff who process personal data, whether in a data controller and/or data processor role) are aware of the key principles.
- If you determine you are outside scope currently, what checks and controls can you put in place to stay that way?
Full briefing
What is the current position?
Statute
Currently the territorial reach of the Directive is limited to data controllers (not data processors) who either: (i) are established in the relevant member state of the European Union, for instance by way of an office, branch, agency or regular practice, or a company incorporated in that member state, or (ii) use equipment in that member state for processing data otherwise than for the purposes of transit through it.
As a reminder, data controllers determine the manner in which and purposes for which personal data about e.g. staff and customers (B2C and B2B contacts) is processed. Data processors do not, they process personal data on behalf of the data controllers which have appointed them. Furthermore the Directive is not directly applicable across the EU. Instead, it is implemented into each member state’s national law by locally applicable legislation. In the UK, for example, the Directive is implemented into English law by the DPA.
Applying this, and taking the UK as the example, if your organisation is in the UK but is a data processor, the UK’s current data protection law does not apply directly to it. Instead, its obligations arise by way of contract between itself and the data controller for whom it processes the personal data, and its risks are contractual rather than statutory.
The interpretation of current law was, until very recently, as follows. If your organisation is a data controller, it was subject to the UK’s implementation of the EU’s data privacy directive only in two scenarios. First, if it has an office, branch, agency or regular practice in the UK or is a company incorporated in the UK. Secondly, if it does not have an office, branch, agency or regular practice in the UK but nevertheless uses equipment in the UK for processing data, e.g. it has located its data centre here. If your organisation was outside the UK, and provided neither of these scenarios applied to it, then it was not subject to the UK’s data protection law.
In other member states there may also be local variations which add to the position on territoriality and scope under the Directive.
Recent case law
To a degree, recent case law has pre-empted some of the changes in the scope of GDPR. The following recent cases undermine the concept that, to be at risk of enforcement under EU data privacy rules, a company must be located here or process data here.
First, in a case concerning Google and the supervisory authority in Spain (Google Spain SL, Google Inc. v Agencia Española de Protección de Datos) the CJEU ruled on the territoriality of the EU’s data privacy directive. In essence, even if the physical server of a company processing data is located outside Europe, EU data privacy rules will apply if it has a branch or a subsidiary in an EU member state which promotes the selling of advertising space offered by that non-EU company (here, the US search engine).
Separately, the CJEU ruled in favour of the Hungarian supervisory authority and against the consumer facing property advertising site operated by Weltimmo (Weltimmo v Nemzeti Adatvédelmi és Információszabadság Hatóság). This is a landmark ruling with potentially significant implications for web players who operate across multiple EU member states. The CJEU ruled that if a company operates a service in the native language of a country, and has representatives in that country, then it can be held accountable by the country’s supervisory authority despite not being headquartered in the country. Weltimmo operated its service in Hungary and it is based in Slovakia. The CJEU decided that Weltimmo could be liable for fines imposed by the Hungarian supervisory authority for breach of national data protection law. The rationale, put simply, is that companies should be deterred from locating themselves in EU countries whose supervisory authorities tend to take a more lenient approach to enforcement, then offering their services in countries taking a stricter approach.
In Google Inc v Vidal-Hall the English Court of Appeal held that the individuals were entitled to serve proceedings on Google in the United States for the misuse of their private information and for breach of the DPA. The misuse and the breach were classed as torts in English law to enable this. The claimants were able to serve their claim out of jurisdiction on Google Inc in the US.
What will stay the same?
Put simply, if your organisation is within territorial scope and application of the Directive, then it will remain subject to the GDPR. The GDPR is not there to reduce the territorial reach of EU data protection law. In particular, the concept of “establishment” remains (albeit it is widened to cover data processors as well as data controllers). In the introduction to the GDPR, establishment of a company in a territory is explained as “the effective and real exercise of activity through stable arrangements.” The introduction adds that “the legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor.” In essence, the position stays the same here since the Directive has always provided that establishment in the territory of a member state implies activity through “stable arrangements” and that the legal form of such an establishment, whether a branch or subsidiary, is not the determining factor.
What is changing
Establishment within the territory
The first scenario in which your organisation will be within territorial scope of the GDPR is if it is processing personal data in the context of the activities of an establishment of a data controller or a data processor in the EU, regardless of whether the processing takes place in the EU or not.
For the first time in many member states, it is enshrined in data privacy law that organisations processing personal data on behalf of others (data processors) will be caught, provided they themselves have an establishment in the EU. You cannot escape this by processing data outside of the EU. Providers of outsourced services could well be caught, for example IT support, pensions administration services, fund administration and insurance administration services, as well as data storage facilities (where that storage actually involves processing of personal data).
Offering goods or services to, or monitoring, data subjects in the EU
The second scenario is where the organisation is not established in the EU but is processing personal data about data subjects who are in the EU in relation to: (a) the offering of goods or services to them, irrespective of whether a payment of the data subject is required, or (b) the monitoring of their behaviour taking place within the EU.
Applying this, if your organisation chooses to offer goods or services to, or to monitor the behaviour of, individuals who are in the EU, then there is EU wide data privacy law which will expose it to risk unless it is followed. Your business will be affected if it does any of this, even though it is incorporated or otherwise established overseas. The rationale is that EU citizens are not deprived of the GDPR’s protection simply because a business locates itself elsewhere.
In effect, for the first time, the data subject’s location drives territorial reach. There are indications that the mere accessibility of a website in the EU or of an email address and of other contact details in the EU are not by themselves sufficient to trigger this. What is key is whether the controller or processor envisages offering goods or services to data subjects who are in the EU. As indicated, recent case law had made certain inroads here already, but enshrining this extension of territorial reach into a regulation is a big change.
What is meant by “data subjects who are in the EU”? This is unclear as yet, but presumably this will be a wide concept. The physical location of the data subject and place of residence could well be key. If your website is targeted at EU users e.g. by being in their own language or by offering goods or services for sale in e.g. Euros or GBP, or indeed by offering them in local language without requiring payment, you could well be caught.
In addition, for the first time, monitoring of data subjects’ behaviour in the EU will also drive territorial reach. Whether the individual is tracked on the internet can be relevant, and this includes subsequent use of data processing techniques which consist of profiling an individual, particularly to take decisions about him or to analyse or predict his personal preferences, behaviours and attitudes. “Profiling” includes any form of automated processing of personal data about a person, including to analyse or predict performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
How will your business be affected?
The impact could be huge given the global reach of business organisations. Many overseas organisations will find it difficult to answer definitively whether their activities fall within the territorial scope of the GDPR. “Holding the line” on territory to avoid becoming subject to these rules will get a lot harder and require very tight internal controls across websites, technology, HR and other factors.
For data processors, the scope issue opens up practical difficulties in that their customers’ use of their services could bring them into scope. Another example is how the GDPR will fundamentally impact processor and controller due diligence and contracting (more on this topic in our separate briefing).
Questions remain about how, in practice, this extended territorial reach will be enforced by supervisory authorities. For instance, how might they go about issuing a formal enforcement notice on a U.S. company and pursuing non-compliance with the same? Currently, if a data controller established in the UK ignores a formal enforcement notice from the UK’s supervisory authority, it commits a criminal offence actionable through the courts. But supervisory authorities will be empowered to seek to take enforcement action against data controllers and data processors who satisfy the criteria outlined, should they so wish.
In terms of monitoring data subjects’ behaviour in the EU and this being a trigger for territorial reach, if your company carries out monitoring of people in the EU e.g. by web analytics, even if pursuant to an “information only” website rather than one which makes online sales to them, then this could well bring your organisation within reach of GDPR and of enforcement from the supervisory authorities in multiple EU member states. This could have significant implications for generic service providers who do not specifically target particular EU member states but who are nevertheless generally accessible.
Next steps…
Start to consider now whether your business is likely to be caught by the territorial reach criteria. Err on the side of caution. As indicated, “establishment”, “monitoring” and “offering of goods or services” are deliberately drafted in broad terms.
Can you alter the way you reach out to persons in the EU on your websites, or in the way you store and otherwise process personal data? Are you confident that it is kept secure in accordance with the security principle of the GDPR and that it is fairly and lawfully processed in accordance with the relevant principles? Your key risk area will be where a “trigger” event occurs such as a data security breach or complaint by a data subject about how his personal data is processed. This could well be brought to the attention of the supervisory authority.
Get to grips with the new law and make sure key personnel within your organisation (in particular, those who are responsible for managing staff who process personal data) are aware of the key principles and of what they need to do in practical terms to protect personal data.