Crucial to the General Data Protection Regulation (GDPR), and integral to the entire legislation, is its explicitly extended territorial scope. This reflects an increasing trend of the Court of Justice of the European Union (CJEU) and regulators to apply EU data protection law to organisations which might not, in the past, have been considered to be within scope.
The GDPR has not yet been published in its final version but the latest (near final) draft will almost certainly apply in all material points. The current Article 3 states that the GDPR applies:
- "to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether or not the processing takes place in the Union;
- to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union where the processing relates to the offering of goods or services (whether free or paid for) or the monitoring of behaviour which takes place within the EU; and
- to the processing of any personal data by a controller outside the EU but in a jurisdiction where Member State law applies by virtue of international law (e.g. a diplomatic mission or consular post)."
We can look to the recitals to give us more background to some of these concepts.
Offering goods and services to data subjects – the discussion around when EU citizens are targeted by non-EU businesses is one which is often had in the context of consumer and product liability law. For the purposes of the GDPR, this will be where it is apparent that a controller is envisaging offering goods and services in one or more EU Member States. The mere fact that a website is accessible from the EU, the use of contact details, or the use of the language of the country in which the controller is established, will not be determining factors. Aspects which can be considered are the possibility of ordering in a language different from that of the controller's Member State, the availability of goods or services in a local Member State currency and any mention of EU customers or particular Member States.
Monitoring behaviour – in order to determine whether behaviour is being monitored through data processing, it should be ascertained whether individuals are tracked on the internet. This includes potential subsequent use of profiling in order to take decisions about the data subject or for analysing or predicting personal preferences, behaviours and attitudes.
Establishment – the recitals state that this implies the effective and real exercise of activity through stable arrangements. The form of the arrangements, for example, whether they are carried out through a branch or a subsidiary, is not relevant.
The Data Protection Directive, the outgoing EU data protection legislation, takes a less direct approach to territorial scope. Under Article 4, local Member State data protection law applies to processing carried out in the context of the activities of an establishment of the controller on the territory of the Member State, and where the controller is not established on Community territory, where processing takes place using equipment situated on the territory of the Member State (unless it is merely used for transit).
However, the question of what constitutes an establishment has been broadened considerably by decisions of the CJEU, which has repeatedly considered the issue at the request of Member State Courts. Most recently, Google Spain and Weltimmo touched on this.
Google Spain (the 'right to be forgotten' case) considered the issue of processing in the context of the activities of an establishment on the territory. The question in this case was whether the establishment within the EU (Spain) could be held to be processing personal data in the context of the activities of the US parent company Google Inc., even though the processing at issue in the proceedings was entirely separate from the processing carried out by Google Spain. The CJEU concluded that the Directive does not require the processing at issue to be carried out by the establishment, but only that it be carried out in the context of its activities. The activities of the parent company and its subsidiary will be inextricably linked if the subsidiary exists to make the parent company economically profitable.
The CJEU gave the term "establishment" a very broad interpretation in Google Spain and this was expanded on in the Weltimmo case which, despite being overshadowed by the Safe Harbor judgment released in the same week, is an important decision. It looked at what constituted an establishment for the purposes of allowing regulators to enforce in their own Member State. In Weltimmo, the CJEU followed the judgment in Google Spain in giving a very broad interpretation to the scope of the Directive and to what constitutes an "establishment". This ruling confirmed the Google Spain judgment: under current data protection law, the bar for claiming that you are not subject to local Member State data protection law is very high if you do business there.
The CJEU pointed to recital 19 to the Directive which states that “establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements and that the legal form of such an establishment, whether simply a branch or a subsidiary with a legal personality is not the determining factor”. The CJEU said that the presence of only one representative can, in certain circumstances, be sufficient to constitute a stable arrangement and that, crucially, “the concept of establishment within the meaning of the Directive, extends to any real and effective activity – even a minimal one – exercised through stable arrangements”. This is the reasoning replicated by the language of the GDPR.
What constitutes an establishment is given new importance under the GDPR in terms of the 'one stop shop' mechanism which determines which Member State regulator has jurisdiction where organisations operate in more than one Member State (see our article on the 'one stop shop' for more).
The place of a controller's central administration in the EU is likely to be the Member State of its main establishment but this presumption can be overturned if the main decision in terms of data processing is taken in another Member State and that establishment has the power to have its decisions implemented in other Member States.
As far as data processors are concerned, again, the default position is that a processor's main establishment will be the place of its central administration in the EU. If it has none, it will be the establishment in the EU where the main processing activities in its role as processor take place, to the extent the processor is subject to specific obligations under the GDPR.
Representatives and establishment
What is left open to question though is the position of a non-EU company which is caught by the territorial scope of the GDPR and appoints a "representative" in accordance with the current Article 25. The GDPR defines a "representative" as "any natural or legal person established in the Union, who, designated by the controller or processor in writing pursuant to Article 25, represents the controller or processor, with regard to their respective obligations under this Regulation". The representative must be established in one of the Member States where the relevant data subjects are located and should act as a point of contact for regulators and data subjects on data protection compliance issues. This is without prejudice to legal actions which might be initiated against the controller or processor.
What this idea of a representative fails to capture is the element of control. While the main establishment of an EU entity is determined according to which organisation has control over the data-related decisions and the power to implement them, for non-EU based companies, the likelihood is that the representative will act in an administrative capacity and will not have much, if any, power in terms of decisions around personal data. Theoretically, it makes sense for this kind of organisation to be regulated in the Member State in which the representative is located but this may not be the Member State with the largest number of relevant data subjects. In addition, if the representative is mainly an administrative conduit, while this will qualify it as an establishment for the purposes of the GDPR, enforcement becomes more problematic.
The evolution of thinking on issues of territorial scope between the Directive and the GDPR, by way of the CJEU, is clear to see and reflects our increasingly globalised world, with data being slung from location to location, criss-crossing in and out of jurisdictions. This is an ambitious piece of legislation which seeks, quite overtly, to exercise control and impose sanctions in jurisdictions beyond the EU when EU citizens' data protection rights are at risk. It will be interesting to see how successfully this is achieved.