How far does the GDPR extend? On November 16, 2018, the European Data Protection Board (EDPB) issued draft guidance on the territorial scope of the GDPR. This client alert highlights the importance of these recent guidelines, provides an overview of the topics covered and explains why the guidelines—while still in draft form—are nonetheless “required reading” for any company with business in the European Union.
What is the EDPB?
The EDPB is the successor organization to the Data Protection Working Party, which was established by Article 29 of the Data Protection Directive and therefore known as the “Article 29 Working Party.” As of last May, the Directive, including Article 29, has been supplanted by the GDPR, and the EDPB has taken the place of the Article 29 Working Party as the independent body which is tasked with advising the European Commission on data protection law.
The guidelines on the GDPR’s territorial scope are the third set to be released by the EDPB and the first since the GDPR took effect in May. The first two sets of guidelines, which were both released on the day the GDPR took effect (May 25, 2018), focused on (1) certification and identifying certification criteria and (2) derogations to the prohibition on cross-border transfer in Article 49.
What does Article 3 of the GDPR say?
Article 3 of the GDPR addresses the GDPR’s territorial scope and sets forth three situations in which the GDPR will apply:
- To personal data processing “in the context of the activities” of a data controller (an entity which makes the decisions regarding the processing of personal data) or a data processor (an entity which processes personal data at a controller’s direction) that is established in the European Union (this is referred to by the EDPB as the “establishment” criterion);
- To the processing of personal data of data subjects who are located in the European Union by a data controller or data processor that is not established in the European Union, provided that the processing activities are either (a) related to the offering of goods or services to data subjects in the European Union or (b) related to the monitoring of the behavior of data subjects who are located in the European Union (this is referred to by the EDPB as the “targeting” criterion); or
- To personal data processing by a data controller in “a place where Member State law applies by virtue of public international law.”
What are the guidelines?
The EDPB’s draft guidelines explain how companies should assess whether they fall into any of the above three situations, although the third situation will apply in much more limited circumstances.
The guidelines are a must-read for any company with operations in the European Union because—as they make clear—it is not always apparent whether the GDPR applies and may depend on the details of a company or other entity’s specific situation.
The Establishment Criterion
Approximately one-third of the EDPB’s guidance addresses the application of the “establishment” criterion, providing guidance on what it means for an entity to have an establishment in the European Union and what it means for processing to occur “in the context of the activities of an establishment” in the European Union. In essence, if the controller has a “stable arrangement” in the EU, the GDPR will apply.
The EDPB’s guidance on what it means for an entity to have a “stable arrangement” and therefore an “establishment” is particularly helpful—and confirms that the threshold is very low, especially for businesses which are based exclusively on the Internet. The EDPB states that, in some cases, “the presence of one single employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability.” However, the EDPB clarifies (per Recital 23 of the GDPR) that merely making a website available in the European Union does not make it possible to conclude that a non-EU entity has an establishment in the European Union.
In its guidance, the EDPB also confirms that, if processing of personal data is carried out “in the context of the activities” of such an establishment in the European Union, then it does not matter whether the processing itself takes place in the European Union or not.
The Targeting Criterion
Even without an establishment in the European Union, a data controller or processor may be subject to the GDPR if it is either (1) offering goods and services to individuals in the European Union or (2) monitoring the behavior of individuals in the European Union. The guidelines outline the factors for entities to consider. Returning to the example of a company with a website that is accessible in the European Union, the EDPB recalls that Recital 23 to the GDPR states that factors including use of a language or a currency used in one or more EU Member States, or references to customers in EU Member States, may be indicative of offering goods or services in the European Union. The EDPB suggests that other factors could include “pay[ing] a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union,” the “international nature” of an activity, or the delivery of goods or services in EU Member States.
Crucially, the EDPB’s guidance makes it clear that the GDPR applies to individuals who are in the Union, regardless of citizenship, residence or legal status. This interpretation is supported by Recital 14 of the GDPR, which states that the GDPR’s protection applies to natural persons no matter their nationality or place of residence.
What other situations are addressed by the guidelines?
Finally, the EDPB’s guidelines address Article 3(3), which applies to personal data processing conducted by embassies and consulates of European Union Member States. This provision may be triggered in other limited situations, such as, in one example from the guidance, on a German-registered cruise ship when it is in international waters.
What else do the guidelines cover?
In addition to addressing the question of when the GDPR applies, the EDPB goes beyond the strict bounds of the question on territorial scope to provide guidance on the related question of the requirements for data controllers and processors which must designate a representative within the European Union. This requirement is addressed in Article 27 of the GDPR. The EDPB recommends that a single individual serve as a representative. The EDPB also clarifies that a company’s representative and external data protection officer should not be the same individual.
Importantly, the EDPB’s guidance is not set in stone. Similar to previous guidance issued by the Article 29 Working Party, the Guidelines are still in draft form pending a public consultation period, which will run until January 18, 2019. Despite its draft form, the guidance is very helpful in assessing the direction of travel in this area. For organizations that are potentially on the margin of applicability of the GDPR, the guidelines provide useful assistance to attempt to determine on which side of the line the organization falls.