The European Union’s draft data protection regulation (the “Regulation”) contains new and controversial extra-territorial provisions extending the Regulation’s reach to some companies based outside the European Union.
Organisations processing personal data about European residents will be subject to the Regulation if they:
- offer goods or services to data subjects in the European Union; or
- monitor behaviour of those data subjects (“Profiling”).
These rules will bring many US tech companies within the scope of European data protection law, many of which have kept their data processing in the US in the past to avoid becoming subject to the current Data Protection Directive. International businesses which target residents through tracking, mining and targeted advertising will be brought into scope where previously the law may not have applied to their data processing activities. Given that US tech companies typically generate a third or more of their sales in the European Union, this change will have a major impact on their business models.
Sanctions for breach of the data protection duties under the new regime could include fines of up to €1 million or 2% of annual worldwide turnover for serious compliance failures.
“Using Means”: the current criterion
Under current European data protection law, if a controller is not established on Community territory, to come within the ambit of the European data protection law regime, it must make use of equipment, automated or otherwise, situated on the territory of the said Member State (unless such equipment is used only for purposes of transit through the territory of the Community), the so-called “using means” test.
The Regulation attempts to be more specific and more tailored to the protection of the Union’s data subjects: instead of the “using means” test, the Regulation will apply whenever there is an offering of goods or services to data subjects in the Union or if the processing activities are related to Profiling.
US lobbying on EU data protection reforms
US lobbyists, many working for large technology companies, have been seeking to limit the territorial extent of the Regulation. The US government itself has also been aggressively lobbying the European Parliament, which is currently reviewing the proposed reforms. The debate has shown how much Europe and the United States differ on privacy rights and their role in the data-driven online economy.
US technology companies are arguing that it would be unfair for them to be subject to strict EU data protection laws which could result in large fines. The EU Justice Commissioner, Viviane Reding, however, has said that the EU is determined to respond “decisively” to any attempts by US lobbyists to curb the EU data protection reforms and that “if companies want to tap into the European market they have to apply European standards”.
US government officials have warned that if the legislation is passed as planned it could start a trade war between the EU and the US. Lobbyists are attempting to dilute the Regulation by attempting to exempt US companies from its scope. However, Ms. Reding has continued her firm stance and stated in February of this year that exempting non-EU companies from the Regulation is not on the table.
Many have questioned the enforceability of the extra-territorial provisions of the Regulation. It will be difficult to enforce sanctions, however large, against data controllers who have no establishment in the European Union.
Article 25 of the Regulation counteracts this, however, by obliging non-EU-based data controllers processing the data of EU citizens to appoint a representative established in an EU member state (with some important exceptions as stated in Article 25(2), such as when the controller is established in a country that has been found “adequate”, the controller has fewer than 250 employees, or when the controller “only occasionally” offers goods or services to individuals in the EU). The representative is subject to substantial liability risks, since it is liable for penalties that can be levied against the controller. Failure to nominate a representative may result in a fine. These provisions are likely to attract much interest if they remain in the final draft of the Regulation, given the obvious difficulties of enforcing sanctions against a company which is not established in the EU and which has failed to nominate a representative.
It is still unclear whether the offering of goods or services to data subjects in the Union is required to be direct, or whether the potential availability to Union citizens over the internet of goods and services is enough to trigger applicability of the Regulation (in which case vast swathes of the internet would be subject to the Regulation). In the final analysis, the distinction may be left to EU courts to interpret.
The final committee vote on the Regulation in the Civil Liberties Committee of the European Parliament is due to occur on May 29. However, lobbying from both data controllers and privacy activists is set to continue and the Regulation is subject to further change as it passes through the final committee stage. Once the committee has given its opinion, the Regulation will be voted on by Parliament. Only then can it be signed by the Member States.
Ireland, which currently holds presidency of the European Union, is keen to see the new law signed before the end of its term on July 1. However, this deadline is seen as overly optimistic by industry observers. Due to the ongoing debate about some of the Regulation’s controversial provisions (eg, the extra-territorial application of the Regulation) adoption of the Regulation in final form may not take place until 2015.