Non-EU entities have long been speculating to what extent the General Data Protection Regulation will affect business with EU countries. The European Data Protection Board has released a set of Guidelines to address the territorial scope of the General Data Protection Regulation.

1. DAWN OF EXTRATERRITORIAL SCOPE

The General Data Protection Regulation[1] (“GDPR”) is a major breakthrough in terms of recognizing the extraterritorial scope of the European Union’s data protection laws.

The GDPR’s predecessor, hereinafter referred to as the “Repealed Directive,”[2] covered only: (i) data controllers established in the European Union who process data within their establishment; (ii) data controllers who are not established in the European Union but use equipment situated within the European Union to process data; and (iii) instances where a European Union Member State’s domestic law is applicable by virtue of public international law.

The narrow scope of the Repealed Directive was criticized by many, especially by those who grew apprehensive over unlawful data storage havens outside of the European Union. The GDPR has been welcomed as a tool for safeguarding European values in connection with data protection. In the interim of its application, non-EU entities were left wondering to what extent the GDPR will affect their business transactions.

2. THE VERY ESSENTIAL ARTICLE 3

In an effort to clear the air, the European Data Protection Board (“EDPB”) adopted the Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3)[3] (“Guidelines”). Accordingly, the GDPR will apply in cases where either (i) the establishment criteria or (ii) the targeting criteria are met, as explained in detail below. The GDPR also governs the processing when Member State law applies by virtue of public international law which will not be discussed in this Article.

i. Establishment Criterion

As per Article 3(1), the GDPR applies to the data processing in the context of activities of an establishment of a controller or a processor in the European Union, irrespective of whether or not the data processing takes place in the European Union.

One may assume at first glance that companies not established in the European Union will not fall within the scope of Article 3(1). However, the Court of Justice of the European Union (“CJEU”) has interpreted a broad definition of “establishment.”

Recital 22 of the GDPR indicates that the notion of “establishment implies the effective and real exercise of activity through stable arrangements.”[4] The Guidelines offer further clarification, stating that if a data controller or processor established outside of the European Union exercises real and effective activity through stable arrangements in a Member State regardless of the legal form (e.g. subsidiary, branch, office), this controller or processor should be considered to have an establishment in that Member State.

As indicated in the CJEU’s case VKI v. Amazon (C-191/15)[5] the fact that an undertaking does not have a branch or subsidiary in a Member State does not preclude it from having an establishment in the European Union within the meaning of the Repealed Directive. Rather, both the degree of stability of the arrangements and the effective exercise of activities in the Member State in question must be assessed.

The CJEU’s landmark decision in the Weltimmo case (C-230/14)[6] provided that a Slovakian company may be considered to be “established” in Hungary because the company had (a) a website in the Hungarian language for the purpose of advertising in Hungary; (b) a representative in Hungary serving as a point of contact between that company and the data subjects; (c) a Hungarian postal address and a letter box; and (d) a bank account intended for the recovery of debts.

Having an establishment is essential, but it is not adequate on its own to render the GDPR applicable. As rightly pointed out in the Guidelines, it is not necessary that the EU establishment itself carry out data processing. In fact, the GDPR is applicable whenever the processing is carried out “in the context of the activities of the establishment.”

The CJEU’s case Google Spain SL (C-131/12)[7] further clarifies the foregoing. In this matter, Google Spain’s commercial activities involved the promotion and sale of advertising space through the Google Search engine operated by the US-based Google Inc. Google Spain’s activities in relation to the advertising space made the search engine at issue economically profitable while the search engine was also the means by which Google Spain’s activities were being performed. The CJEU found that the results displayed by the Google Search engine were accompanied by advertisements displayed in connection with the search terms and that the processing of personal data was carried out in the context of the commercial activity of Google Inc.’s establishment in Spain, namely Google Spain. Therefore, the data processing fell within the scope of the GDPR.

In the Guidelines, the EDPB recommends that non-EU entities (i) determine whether or not they process personal data and (ii) identify any potential links between the activity for which the data is being processed and any activity present in the European Union. A case study from the Guidelines demonstrates these principles in action:

- A China-based e-commerce website conducts data processing activities exclusively in China. The same company has established an office in Berlin to implement commercial prospection and marketing campaigns towards EU markets.

-The activities of the Berlin office are inextricably linked to the processing of personal data carried out by the Chinese e-commerce website, insofar as the commercial prospection and marketing campaign towards the European Union markets notably serve to make the service offered by the e-commerce service profitable.

In light of the foregoing, the GDPR will be applicable if an entity established in Turkey processes personal data through the acts of an establishment in the European Union. The assessment is obvious when the establishment is officially domiciled and operating in the European Union; however, a Turkey-based entity may also be deemed “established” in the European Union within the context of the CJEU case law, if, for example, this entity has a liaison bureau or a bank account in the European Union. One indication would not be adequate to reach a conclusion, given that an overall assessment should be made taking into consideration the peculiarities of each case. The rationale behind the CJEU’s broad interpretation of “establishment” is to extend the territorial scope of the GDPR. This prevents circumvention of data protection laws by non-EU entities that directly or indirectly operate in the European Union.

ii. Targeting Criteria – The Data controller or processor is not established in the European Union

As per Article 3(2), the GDPR applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union where the processing activities are related to: (a) the offering of goods or services to data subjects in the European Union, irrespective of whether or not payment from the data subject is required or (b) the monitoring of the data subjects’ behavior as far as their behavior takes place within the European Union.

It is important to note that the GDPR emphasizes the data subjects’ location rather than data subjects’ nationality. Therefore, any data subject in the European Union is entitled to benefit from the rights conferred in said Regulation.

a. The offering of goods or services to data subjects in the European Union

Recital 23 of the GDPR states that “the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to [the GDPR] where the processing activities are related to the offering of goods or services to such data subjects.”[8] The main element of this Recital is whether or not the trader directs its activity to a specific EU market.

The same Recital reads: “in order to determine whether such a data controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”[9]  Thereby, if data controllers and/or processors “envisage” offering services to data subjects in the European Union, they are considered to be offering goods or services to data subjects in said territory.

The guidelines further list factors that could inter alia be taken into consideration in the assessment of the “targeting” criteria. The non-exhaustive list includes: (a) paying a search engine operator to facilitate access to consumers in the Union, (b) mentioning contact details to be reached from a Member State, (c) using a top-level domain name other than that of the third country where the processor or controller is established, (d) offering the delivery of goods to Member States, (e) using a language or currency other than that generally used in the trader’s country, (f) offering a description of travel instructions from one Member State to the place where the service is provided, and (g) mentioning international clientele in various Member States.

It is worth noting that the CJEU ruled in the Pammer case (C-585/08 and C-144/09)[10] that the mere accessibility of a trader or intermediary’s website in a Member State in which the consumer is domiciled is not sufficient to infer that the trader’s activity is directed to that Member State. Therefore, a case-by-case analysis should be conducted to take into consideration the merits of each case.

The GDPR aspires to safeguard data protection laws whenever data subjects in the European Union are involved. For instance, an e-commerce corporation based in Turkey may be situated in Turkish territory in all aspects, including vendors, warehouses, storage, etc., and at the same time be providing goods to consumers in the European Union. The GDPR would still be applicable to such entity, despite not being established in the European Union. 

b. The monitoring of data subjects’ behavior taking place within the Union

Numerous methods of monitoring (i.e, third party cookies, deep packet inspection) enable advertisers to track internet users’ activities online. Big data is considered the “new currency” due to its essential contributions to behavioral marketing. For the purposes of monitoring, it is not necessary to be established in the territory where the data subject itself is located. A Turkish entity may monitor a data subject in the European Union without being established in the European Union.

Recital 24 states that the GDPR is applicable when data processing relates to the monitoring of a data subject’s behavior when such behavior takes place in the European Union. A processing activity constitutes “monitoring” when individuals are tracked on the internet through personal data processing techniques such as profiling. Tracking should occur with the intention of influencing the user based on an analysis and prediction of the user’s personal preferences.

c. The Appointment of a Representative Established in the European Union

Article 27(1) of the GDPR states that when Article 3(2) is applicable controllers or processors not established in the Union shall designate in writing a representative in the European Union responsible for compliance with the GDPR.[11]

By virtue of Article 27(2), this obligation does not apply to (i) data processing that is occasional, or does not include to a great extent the processing of special categories of data as referred to in Article 9(1)[12] or the processing of personal data related to criminal convictions and offences referred to in Article 10, and is unlikely to risk the rights and freedoms of individuals, taking into account the nature, context, scope, and purpose of the processing; or (ii) public authorities or bodies. This will be assessed on a case-by-case basis.

The GDPR requires that the representative be an individual or legal entity established in the European Union. Recital 80 stipulates that the representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The designated representative should also be subject to enforcement proceedings in the event of non-compliance by the controller or processor.  

3. ENFORCEABILITY CONCERNS

If a non-EU entity does not have any subsidiaries or the like in the European Union, why would this entity voluntarily abide by the legal requirements set forth under the GDPR or submit to injunctions or penalties imposed by the EU Member State supervisory authorities?

Amid the controversies revolving around GDPR enforceability, there is one indirect but practical way of having non-EU entities comply with the GDPR. Article 28(3) regulates that processing by a processor shall be governed by a contract or other legal acts under the laws of the European Union or the Member State concerned. In other words, when data controllers consider conducting business with non-EU data processors, data controllers will be required by law to conclude data processing agreements or the like with the counterparties. Given that deterrent administrative fines[13] are in place for any violation of Article 28, recourse clauses may indirectly facilitate GDPR enforcement. The responsibility then lies with the companies already established in the European Union.