On 16 November 2018, the European Data Protection Board (EDPB) adopted draft guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines).
This is the first of two blogs on the guidelines. This blog considers the extra-territorial scope of the GDPR. Next week, we will consider the need for non-European Union (EU) controllers to designate a representative located in the EU.
The GDPR has extra-territorial effect. This means it can apply to companies based outside of the EU.
GDPR applies to a non-EU-based company where that company:
- Processes personal data in the context of the activities of an EU establishment (the establishment criterion);
- Processes personal data of an individual in the EU, for the purposes of either: (i) offering goods or services to that individual in the EU, or (ii) monitoring the behaviour of that individual in the EU (the targeting criterion); or
- Is subject to EU Member State law by virtue of public international law.This has been an area of significant uncertainty for non-EU companies. The guidelines offer some much-needed clarity.
This has been an area of significant uncertainty for non-EU companies. The guidelines offer some much-needed clarity.
The establishment criterion
The EDPB breaks this criterion down into three separate considerations.
1. The meaning of ‘establishment’
The EDPB clarifies that ‘establishment’ refers to the degree of stability of the arrangement between a non-EU-based company and a company located in the EU. The guidelines give the example of a U.S.-headquartered company with a branch and office in the EU to oversee its operations in Europe. This constitutes an EU establishment.
‘Establishment’ will be assessed on the facts, taking into account the specific nature of the economic activities and the provision of services. The mere fact that a company’s website is accessible in the EU does not constitute an establishment in the EU.
2. The processing must be ‘in the context of’ the establishment’s activities
For GDPR to apply, the activities of the EU establishment and the data processing activities of the non-EU company must be ‘inextricably linked’.
3. Geographical location
It is irrelevant whether the processing takes place in the EU or whether the individual is located in the EU or is an EU citizen. If the above two considerations are satisfied, the GDPR will apply.
The targeting criterion
The EDPB breaks this criterion down into two separate considerations.
1. Location of the individual
The individual must be located in the EU. This is a requirement of physical geographical location. Nationality, citizenship, residence and other legal status of the individual are irrelevant.
Location will be assessed at the moment when the triggering activity takes place, regardless of the duration of the triggering activity.
2. The triggering activity
The triggering activity could be either offering goods or services to individuals in the EU or monitoring the behaviour of individuals in the EU.
The offering goods or services requires an element of intention. The mere fact that a company’s website is accessible from an EU Member State or the mere mention of an email or geographical address on a company’s website is not sufficient evidence of an intention to target individuals in the EU.
The EDPB gives examples of factors that may indicate an intention to offer goods or services to individuals in the EU:
- The EU or EU Member State is referred to by name with reference to the good or service offered;
- A search engine operator has been paid to direct the site at consumers in the EU;
- The goods or services are of an international nature, for example, certain tourist activities;
- Certain addresses and phone numbers are dedicated for people in EU countries to use;
- Domain names are either neutral or for an EU country;
- Travel instructions from one or more EU Member States to the place of service are made available;
- The company specifically refers to its EU clientele;
- The company uses a language or currency used by one or more EU Member States; and
- Delivery of goods to EU Member States is offered.
The facts should be considered together to determine whether a company is offering goods or services to individuals in the EU. There must be a direct or indirect link between this offering and the processing of personal data of an individual in the EU.
Alternatively, the triggering activity could be the monitoring of individuals’ behaviour in the EU. Monitoring can be conducted on the internet or through other types of network or technology.
Unlike the offering of goods and services, monitoring does not require intention to target. However, the EDPB considers that ‘monitoring’ implies a specific purpose. This purpose must be considered carefully to determine whether the triggering activity is satisfied. A key consideration is whether the individual is tracked on the internet and subsequently profiled.
The EDPB gives examples of monitoring activities:
- Behavioural advertisement
- Geo-localisation activities, in particular for marketing purposes
- Personalized diet and health analytics services online
- The use of CCTV
- Market surveys and behavioural studies based on individual profiles
- Monitoring or regularly reporting on an individual’s health status
Public international law
The GDPR may also apply to a non-EU company, where that company is subject to EU Member State law by virtue of public international law. This would include, for example, an EU Member State’s diplomatic mission or consular post in a non-EU country.
The guidelines provide an in-depth interpretation of the GDPR’s territorial scope. This clarity will be helpful to global companies with EU operations.
The EDPB has opened the guidelines up to public consultation and welcomes comments on the draft until 18 January 2019. After the consultation process, the guidelines will be finalised.