This article provides preliminary information on the applicability and binding authority of the EU General Data Protection Regulation (“GDPR”) to companies located in non-EU countries. In preparing this article, we have relied primarily on the Articles and Recitals of the GDPR and on the European Data Protection Board’s Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), version for public consultation.
B. TERRITORIAL SCOPE OF GDPR
Generally, the GDPR applies:
- to EU-established entities (establishment criterion) and
- on a long-arm, extraterritorial basis to entities which offer goods or services to, or monitor the behaviour of, individuals in the EU (targeting criterion).
Thus, the GDPR may apply to companies in non-EU countries if either criterion is met. These criteria of applicability are explained below.
Article 3(1) of the GDPR provides that the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU. In this regard, the following concepts should be understood within the meaning of the GDPR:
- What is an establishment?
- What is “processing in the context of activities of an establishment”?
- What is “regardless of whether the processing takes place in the EU”?
1.1. Concept of ‘Establishment’
The Court of Justice of the European Union (“CJEU”) broadened the interpretation of ‘establishment’ in the Weltimmo case.
The CJEU ruled that the concept of establishment is not confined to an entity’s country of registration. If the entity exercises ‘through stable arrangements in the territory of a Member State, a real and effective activity even a minimal one’, such entity will be regarded as having an establishment in that Member State, even though it does not have any branch, subsidiary or any other legal form in that Member State.
Recital 22 states that an “establishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect”. Therefore, the European Data Protection Board (“EDPB”) considers that, in some circumstances, the presence of a single employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability. However, the EDPB also states that the mere accessibility of the non-EU entity’s website in the Union would not be considered a sufficient degree of stability.
Therefore, it is important to note that such interpretation must be made on a case-by-case basis, considering both the degree of stability of the arrangements and the effective exercise of activities in that Member State in the light of the specific nature of the economic activities and the provision of services concerned.
Example: A Japanese company has an office in France that conducts the company’s business transactions in the EU, and a representative at that office who represents the company in administrative and judicial proceedings in the Union.
This can be considered to be a stable arrangement, which exercises real and effective activities in the light of the nature of the economic activity carried out by the Japanese company. Therefore, the Japanese company will be regarded as having an establishment in the Union, within the meaning of GDPR.
1.2. Concept of ‘Processing in the Context of Activities of an Establishment’
The second concern is whether the processing of personal data is carried out ‘in the context of the activities’ of the establishment. Where this is the case, then the GDPR will apply regardless of whether the processing takes place in the EU or not.
The EDPB considers that if a case-by-case analysis of the facts shows an inextricable link between the activities of an EU establishment and the processing of data carried out by a non-EU entity, the GDPR will apply to that processing activity by the non-EU entity, even if the EU establishment itself plays no role in that processing of personal data.
Example: In the Google Spain SL v. AEPD case, a Spanish citizen requested Google not to display certain information relating to him in response to a search against his name. However, the search engine was operated by Google Inc., located in the US. Google Spain SL only promoted and sold advertising space in Spain in the capacity of a business agent and was not involved in the functionalities of the search engine, and thus not in the actual processing of personal data.
However, the CJEU decided that there was an inextricable link between the activities of Google Spain SL and Google Inc., “since the activities relating to the advertising space constitute the means of rendering the search engine … economically profitable and that engine is, at the same time, the means enabling those activities to be performed”.
1.3. Concept of ‘Regardless of Whether the Processing Takes Place in the EU or not’
The GDPR also applies to an EU-established entity carrying out processing in the context of its activities, even where that processing takes place outside the EU.
Example: A German software company provides its services only to customers in India and processes their personal data. This software company is established in the EU and carries out its processing in the context of its activities, namely providing software services. Although the processing does not take place in the EU, the GDPR will apply to the processing carried out by the German company in relation to its customers in India.
Article 3(2) of the GDPR provides that non-EU-established entities will be subject to the GDPR where they process personal data about “data subjects who are in the Union” in connection with:
- the “offering of goods or services” to such data subjects in the EU, irrespective of whether the data subject has made a payment or not,
- the “monitoring of their behaviour” as far as their behaviour takes place within the Union.
Before elaborating on these targeting activities, it should be examined what the GDPR means by “data subjects in the Union”.
2.1. Data Subjects in the Union
The term “data subjects in the Union” is not limited by citizenship, residence or any other type of legal status.
The EDPB considers that “the requirement that the data subject be located in the EU must be assessed at the moment when the relevant triggering event takes place, i.e. at the moment of offering of goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer made or monitoring undertaken”.
Example: A French company that provides its services in Paris will be subject to the GDPR when it processes personal data of foreign tourists who are in Paris at that moment.
It is important to note that the GDPR will not be applicable merely because personal data of an EU citizen or resident is processed.
Example: A telecom company located in the United Arab Emirates provides its services only within Dubai and Abu Dhabi and does not offer any specific promotion or other targeting activity to tourists from the EU.
In this case, the telecom company will not be subject to the GDPR when processing personal data of EU citizens and residents visiting Dubai or Abu Dhabi.
2.2. Offering of Goods or Services to Data Subjects in the EU
Non-EU entities will be subject to the GDPR where they process personal data of EU data subjects in connection with offering goods or services to data subjects in the EU. It is irrelevant whether the data subject makes a payment.
Recital 23 of the GDPR provides that it should be “apparent” that the non-EU-established entity “envisages” offering services to data subjects in one or more Member States in the EU. The term “envisages” suggests some degree of intent or awareness, and “apparent” means that there should be external evidence of this intent. Hence, the mere accessibility of the entity’s or its intermediary’s website in the EU, of an email address or of other contact details, or the use of a language generally used in the entity’s home country, is insufficient to ascertain such intention.
To determine such intention, the following factors will be taken into consideration, possibly in combination with one another:
- The entity offers the delivery of goods in EU Member States;
- The use of a language or currency specific to one or more EU Member States (such as German or French, or displaying prices in euro);
- The use of a top-level domain name other than that of the entity’s country (such as “.de”, or “.eu” as a neutral top-level domain name);
- The EU or at least one Member State is designated by name with reference to the good or service offered;
- The mention of dedicated addresses or phone numbers to be reached from an EU country;
- The entity pays a search engine operator for an internet referencing service in order to facilitate access to its website by consumers in the EU; or the entity has launched marketing and advertisement campaigns directed at the EU countries;
- The international nature of the activity at issue, such as certain tourist activities;
- The description of travel instructions from one or more other EU Member States to the place where the service is provided;
- The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers.
Taken alone, such factors may not clearly indicate the intention of the entity to offer goods or services to data subjects in the EU. However, a combination of such factors may indicate such intention, so a case-by-case analysis should be made.
Example: A hotel company located in Cape Town has a website through which guests can make reservations. The website is available in German, French and Italian. In these language versions, the website also shows the prices of hotel rooms in euro and provides a phone number dedicated to guests from those countries.
Considering these factors, it can clearly be said that the website intends to provide services to customers in the EU. Therefore, the processing activities of this website will be subject to the GDPR.
2.3. Monitoring of Data Subjects’ Behaviour
Non-EU entities that monitor the behaviour of EU data subjects will also be subject to the GDPR, provided that the behaviour takes place within the EU.
The EDPB does not consider that any online collection or analysis of personal data of data subjects in the EU would automatically count as “monitoring”. It should be ascertained whether natural persons are tracked on the internet, including the potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes. In other words, “monitoring” specifically includes the tracking of individuals online to create profiles, including where this is used to make decisions concerning them or for analysing or predicting their personal preferences, behaviours and attitudes.
The EDPB gives some examples of such monitoring activities as follows:
- Behavioural advertisement,
- Geo-localisation activities, in particular for marketing purposes,
- Personalised diet and health analytics services online,
- Market surveys and other behavioural studies based on individual profiles,
- Monitoring or regular reporting on an individual’s health status.
If this digital marketing company provides this service to an EU company, it will be monitoring the behaviour of EU individuals. Hence, the company will be subject to the GDPR with respect to this processing activity.
C. ENFORCEABILITY OF GDPR OUTSIDE THE EU
If a non-EU entity does not comply with the GDPR and consequently breaches the rights of EU individuals, these individuals can lodge a complaint against the entity with the Supervisory Authority or before a competent court of the relevant Member State (Articles 77 and 79). The Supervisory Authority or the competent court can investigate such a complaint and use its powers to enforce compliance and/or to sanction the entity.
However, there is some uncertainty as to how the Supervisory Authority or the court can enforce its decision against a non-EU-established entity. Therefore, we set out below the possible means of enforcing the GDPR, whether directly or indirectly, against such an entity.
1. Enforcement through the Representative of the Entity
Any entity which is subject to Article 3(2) (targeting criterion) and does not have an establishment in the EU must designate a representative in the EU, in one of the Member States in which the data subjects are located (Article 27). The representative will be the contact person between the relevant entity and the EU authorities and will be addressed on behalf of the entity by the EU authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with the GDPR.
Recital 80 states that the designated representative should be subject to enforcement proceedings in the event of non-compliance by the entity. However, the GDPR does not provide any details of this enforcement mechanism. Some Member States have considered that the designated representative can incur liability in case of non-compliance. However, entities object to this view on the grounds that the sanctions for non-compliance are very grave and that it is impossible to find a representative willing to assume such liability.
2. Having Assets in the EU
EU authorities can enforce their rulings against assets that the non-EU-established entity holds in the EU.
3. Taking Market Destroying Measures
EU governments and authorities may introduce market destroying measures to penalise the non-EU entity. For example, they may prohibit the entity’s business operations within their jurisdiction, or prohibit transfers of personal data to the country where the entity resides.
Furthermore, the Data Protection Authorities can obtain a court injunction to block the websites of the entity or its partners. If the entity has an e-commerce website and sells its products through it, such blocking would directly affect its commercial operations.
Any GDPR-related fine or penalty brings reputational damage to the entity and affects its further trade relations with companies and customers in the EU. On the other hand, an entity that brings its processing activities into compliance with the GDPR will gain the trust of EU companies and customers and will definitely have a competitive advantage over its competitors.