The General Data Protection Regulation (GDPR) will apply in all EU Member States from 25 May 2018 and represents a substantial evolution of EU data protection law. The GDPR regulates the processing of personal data and is designed to strengthen data subjects’ data protection rights. It will replace the 1995 Data Protection Directive (Directive), the current EU legislation on which EU Member States’ national data protection laws are based.
One of the most significant aspects of the GDPR is that it expands the territorial scope of EU data protection law. From 25 May 2018, EU data protection law will also apply outside the EU in certain situations, with the result that certain non-EU organisations will fall within its scope.
Who does the GDPR apply to?
Organisations ‘established’ in the EU which process personal data in the context of that establishment will be subject to the GDPR, in the same way that they fall within the scope of the Directive today.
However, the GDPR will also capture non-EU organisations where they offer goods or services (even if for free) to data subjects in the EU or monitor their behaviour, even if that processing does not take place in the EU.
The GDPR not only considers the location of the processing, as the Directive currently does, but also considers the location of the individual whose data is being processed.
Recent case law and guidance from the Article 29 Data Protection Working Party
The GDPR’s expansion of the territorial scope of data protection law is not surprising given the recent EU case law on this topic, in particular the decisions of the Court of Justice of the European Union (CJEU) in Google Spain (C-131/12) and Weltimmo (C-230/14).
Google Spain involved a Spanish citizen’s request to have certain results removed from Google’s search index. Google Inc., which operated the search engine, is based in the United States but has a subsidiary in Spain, Google Spain. Google Spain was not itself involved in operating the search engine and did not process personal data relating to Google search; its main activity was selling advertising space on Google search to local customers. Google Spain was nonetheless treated as an ‘establishment’ of Google Inc. in Spain for the purposes of the Directive.
The CJEU held that there was a sufficient connection between the activities of Google Spain and the processing carried out by its parent company, Google Inc., in respect of the search engine for Google Inc. to be considered ‘established’ in Spain for the purposes of the Directive. It considered that the search engine activities were ‘inextricably linked’ to the advertising sales generated by Google Spain. This was a significant decision in extending the territorial reach of EU data protection law: the processing of personal data does not need to be carried out by the relevant establishment itself; it is sufficient that the processing is carried out in the context of the activities of the establishment.
Following the Google Spain case, in December 2015 the Article 29 Data Protection Working Party (Art 29 WP) updated its Opinion 8/2010 on applicable law to take the decision into account. The Art 29 WP is made up of representatives of the Member States’ data protection authorities and issues non-binding opinions on its interpretation of EU data protection law.
According to the Art 29 WP, EU data protection law applies to processing carried out by a data controller established outside the EU where that controller has a ‘relevant establishment’ in the EU whose activities are ‘inextricably linked’ to the processing. Where an organisation has a designated EU headquarters (acting as the data controller) but also has other ‘relevant establishments’ in other Member States whose activities are inextricably linked to the processing (e.g. selling advertising space), the national law of the Member State in which each such establishment is located will also apply.
In another recent case, Weltimmo, the CJEU held that if a company operates a service in the language of a Member State and has representatives in that state, it can be held accountable by that state’s data protection authority despite not being headquartered there. The CJEU held that ‘establishment’ is a flexible concept and departed from the formalistic approach under which an establishment exists solely where a company is registered.
Elements of the expanded territorial scope
Targeting data subjects in the EU
A non-EU organisation that offers goods or services to data subjects in the EU will be subject to the requirements of the GDPR. In determining whether an organisation is ‘offering goods or services’, a number of factors may be taken into account, including the possibility of ordering goods or services in a language or currency generally used in one or more Member States (for example, the ability to pay in euro) and the targeting or mention of customers in the EU. The mere accessibility of a website from the EU, or the use of a language generally used in the organisation’s own country, is not in itself sufficient.
In practical terms, a shop established in Japan that trades online, makes its website available in English and ships products to customers in the EU is likely to be considered to be offering goods in the EU. As such, it is likely to fall within the GDPR’s scope even though it has no establishment in the EU.
Another scenario in which a non-EU organisation can become subject to the GDPR is where it monitors the behaviour of data subjects in the EU (e.g. tracking). The GDPR makes clear that where data subjects are ‘tracked on the internet’, including through subsequent profiling, this will be considered monitoring and will bring the non-EU organisation within its remit. E-commerce providers, online behavioural advertising networks and analytics companies that process personal data of individuals in the EU are therefore likely to be required to comply with the GDPR.
What are the practical implications?
The practical effect is that many organisations that were previously outside the scope of EU data protection law will now be directly subject to the GDPR’s requirements. This may of course be a challenge for those organisations, particularly where they have no existing EU compliance programme and must build one from the ground up.