The European Data Protection Board (EDPB) recently published an updated version of its guidelines on the territorial scope of the General Data Protection Regulation (GDPR).
This finalized version clarifies several points regarding processors and controllers not established in the European Union that remained unclear after the EDPB issued its initial guidelines in March 2018.
Enforcement mechanisms still unclear
Even now that EDPB’s guidelines are finalized, it remains unclear how authorities will enforce the GDPR against an organization outside the EU who falls within the scope of the GDPR under Article 3(2) but fails to appoint an Article 27 representative.
The guidelines confirm that the EDPB is considering the development of international cooperation mechanisms to facilitate the GDPR’s enforcement in such scenarios pursuant to Article 50. However, they do not provide any more detailed information on how these cooperation mechanisms would function.
Key Points for Non-EU Organizations
The new guidelines emphasize and clarify some key points for companies not established in the EU.
First, when determining whether an entity is making an offer of goods or services to people within the EU, authorities will look for evidence of intentional targeting of EU citizens, as distinguished from inadvertent offers of service. To determine whether the targeting is intentional, authorities will consider several factors, including who the entity advertises to, the language used to advertise, where it offers to ship goods, and the types of payments accepted.
According to the guidelines, if a non-EU company offers a service to someone outside the EU, and continues to offer that service when that person travels temporarily to the EU, the business will have engaged only in inadvertent targeting and will not be subject to the GDPR’s terms.
Second, the guidelines address processors located outside the EU who do work for controllers subject to the GDPR. Even if a processor located outside the EU does not, on its own, do anything to trigger the GDPR’s application, it will still be subject to the GDPR if the controller for which it processes personal data is subject to the GDPR. Processors outside the EU must consider this when determining whether to enter into a contract with controllers.
Relatedly, the guidelines clarify that processors located within the EU that process data for controllers outside of the EU still need to comply with the GDPR. This puts processors in a tough situation, as they cannot simply re-transfer the data they process back to the non-EU controller; the processors must meet the GDPR’s transfer requirements or rely on one of Article 49’s derogations, which were not intended to cover routine transfers.
Third, the guidelines clarify the potential liability of EU representatives established pursuant to Article 27. In the first version of the guidelines, it was not clear if the EU representative would be liable for the controller/processor’s failure to comply with its GDPR obligations, as authorities could “initiate enforcement against a representative.” This uncertainty meant few companies entered the market offering to serve as Article 27 representatives.
The guidelines now read authorities may “initiate enforcement through a representative” (emphasis added). “The possibility to hold a representative directly liable however is limited to its direct obligations referred to in [A]rticles 30 and … 58(1)(a).” (Guidelines v2.0, p. 28.) It is now clear that authorities will not seek to hold the Article 27 representative directly liable for the controller/processor’s non-compliance; instead, the representative will serve as a conduit for authorities to pursue the controller/processor.
Brief Overview of Article 3
GDPR Article 3 provides a broad territorial scope. Under Article 3.1, businesses established in an EU Member State are plainly subject to the GDPR’s requirements. Article 3.3 applies the GDPR to controllers not established in the EU but are where a Member State’s national law applies by virtue of international law, i.e. a consulate or embassy.
Article 3.2’s terms have proved more mystifying. It applies the GDPR to controllers and processors outside the EU when the processing activities relate to “the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the [EU]; or, the monitoring of their behavior, as far as their behavior takes place in the [EU].”
Article 3.2 applies the GDPR to businesses located anywhere in the world if they offer goods or services in the EU or monitor EU citizens’ behavior. This puts many non-EU businesses in a harsh regulatory environment, yet many entities have not considered whether they fall under the GDPR, and, if so, how they need to react in order to be compliant.