We live in an ever-increasingly global society, with cross-border transactions and relationships becoming the norm. Advances in technology mean that organisations and individuals can communicate and conduct business with one another throughout the globe, almost without limitation. Data can be shared around the world at the click of a button, a voice command, the touch of a fingerprint or even facial recognition.
Whilst globalisation and rapid technological developments have served to benefit international commerce and consumer experiences, this has brought with it new challenges for protecting personal data.
In steps the GDPR.
The General Data Protection Regulation (“GDPR”) came into force on 25 May 2018 and sets out a framework which is intended to regulate all EU Member States’ approaches to data protection. At the heart of the regulation is the aim to ensure that all individuals in the EU are afforded the same level of protection against organisations using their data irresponsibly.
With this central aim in mind, the GDPR now seeks to ensure that organisations based outside of the EU are also held accountable, even if they have no physical presence in the EU. Businesses based in the US, China, Russia, Brazil or elsewhere which deal with individuals in the EU now need to carefully assess whether they are caught by the GDPR, or else they face significant financial penalties.
The GDPR affords protection to all individuals in the EU. It therefore applies to:
a) Data controllers and data processors established in the EU that process personal data in relation to that establishment, regardless of where the processing takes place; and
b) Data controllers and data processors that are not established in the EU, but which process EU data subjects’ personal data in connection with offering goods or services, or monitoring their behaviours.
Merely hosting a website which can be accessed by EU data subjects would not fall within the scope of the GDPR. However, as soon as an EU data subject engages an organisation to provide goods or services to them, and in doing so provides them with personal data, the GDPR will be triggered. Other factors which may indicate an intention to offer goods or services in the EU include explicitly targeting EU citizens, hosting a website in an EU language, or accepting payment in an EU currency which is different from that of the organisation’s own jurisdiction, e.g. a Chinese website that is written in English and offers payment in GBP.
The GDPR also seems to indicate that organisations that monitor behaviour will only be caught by the GDPR if they actively monitor or track behaviour online, and either profile a natural person to make decisions about them, or analyse or predict their personal preferences, behaviours and attitudes. This may include online behavioural marketing for commercial purposes such as recommending services that a provider thinks its users will enjoy based on their use of other services.
The extra-territorial reach of the GDPR is therefore extensive, and goes much further than its predecessor regulations. Organisations outside of the EU risk being caught when they do not expect it, but what does this mean in practice?
1. Organisations caught by the GDPR, regardless of their locality, must only process personal data in accordance with the GDPR, including:
a) ensuring data is only transferred between jurisdictions as permitted under the GDPR (in particular transfers outside of the European Economic Area (“EEA”));
b) ensuring the necessary safeguards are in place when appointing third-party processors;
c) maintaining records of data processing;
d) conducting data protection impact assessments;
e) implementing appropriate technical and organisational measures;
f) notifying the data controller, national supervisory authority, or data subject as appropriate in the event of a breach.
2. Non-EU established businesses must also designate in writing a representative in one of the EU Member States with affected data subjects, unless all of the following conditions apply:
a) the processing is occasional;
b) the processing excludes large-scale processing of:
i. special categories of personal data; or
ii. personal data relating to criminal convictions and offences; and
c) the processing is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of processing, or if the controller is a public body or authority.
The designated representative can be contacted by the relevant supervisory bodies, and may be subject to enforcement proceedings if the data controller or data processor fails to comply with the GDPR, although this is without prejudice to any action that may be brought against the foreign entity itself.
3. Regardless of whether an organisation based outside of the EEA falls within the scope of the GDPR, if it is engaged by an entity which is subject to the GDPR, that entity may be under an obligation to impose additional requirements on the foreign company.
The GDPR only permits the transfer of personal data from the EU to a country outside of the EEA where:
a) the European Commission has decided that the third country, a territory or one or more specific sectors within that third country, or the international organisation ensures an adequate level of protection; or
b) the controller or processor has:
i. provided appropriate safeguards in accordance with Article 46(2) of the GDPR; and
ii. enforceable data subject rights and effective legal remedies for data subjects are available; or
c) a relevant derogation applies.
An organisation based outside of the EEA may therefore be required to comply with additional data protection regulations regardless of whether they are themselves caught by the GDPR, if they wish to supply services to and process data on behalf of an entity caught by the GDPR.
Whilst the GDPR has been heralded as the biggest shakeup in data protection regulation in the EU this century, it is clear that its territorial scope is much wider. As the United Kingdom seeks to strengthen its international relationships throughout the rest of the world, particularly in light of Brexit, and as businesses outside of the EU wish to take advantage of their increasing ability to reach the EU market through technological advances, what is clear is that the ramifications of the GDPR will be felt much further than the confines of the 27 Member States.