The European Data Protection Board ("EDPB") has issued updated guidelines on the extraterritorial scope of the General Data Protection Regulation ("GDPR"). The revised guidance will be particularly helpful for non-EU entities seeking clarification on the extent to which their data processing operations are caught by European data laws. The new guidelines also clarify the liability of representatives appointed by non-EU controllers and processors.
The GDPR came into force in May 2018 with a substantially wider scope of application to countries outside the European Union ("EU") than the previous regime. This was an intentional move on the part of European legislators to ensure comprehensive protection of individuals' data privacy rights in the EU and to establish a level playing field in this area for companies active in EU markets.
In particular, Article 3 of the GDPR confirmed the applicability of the new regulations to the processing of personal data:
- in the context of the activities of an establishment in the EU, regardless of whether the processing takes place in the EU or not (the "Establishment Test");
- of persons in the EU by a non-EU controller or processor where the processing activities relates to:
- the offering of goods or services to such persons in the EU (the "Offering Test"); or
- the monitoring of their behaviour in the EU (the "Monitoring Test").
Where the GDPR applies by virtue of the Offering Test or the Monitoring Test to a non-EU controller (i.e. a person or entity that determines the purposes and means of processing personal data) or processor (i.e. a person or entity that processes personal data on behalf of a controller), there is an obligation on the controller or processor to appoint a representative in the EU.
These tests and the implications of appointing a representative have proven difficult to interpret in practice, which was recognised by the EDPB with the development of draft guidelines for consultation in late 2018. The consultation has been completed and version 2.0 of EDPB Guidelines 3/2018 (the "Guidelines") were issued on 12 November 2019 taking into account contributions and feedback on the original draft.
The Guidelines confirm that the application of the tests in Article 3 of the GDPR are aimed at determining whether a particular processing activity falls within the scope of the GDPR, not a person or organisation. Accordingly, certain data processing undertaken by a controller or processor may fall within the scope of the GDPR while other processing falls outside.
This clarification is a helpful reminder to organisations concerned at the prospect of implementing "full" GDPR compliance across a business, although non-EU entities may need to consider the practicality of adopting GDPR standards for only a portion of their data processing activity.
The Establishment Test
The Guidelines refer to Recital 22 of the GDPR which states that an establishment implies "the effective and real exercise of activities through stable arrangements". This test also existed under European Directive 95/46/EC, which preceded the GDPR as Europe's primary data protection legislation.
While the threshold for a "stable arrangement" can potentially be quite low – even the presence of a single employee or agent in the EU may be considered an establishment if they act with a degree of stability – the mere presence of an employee in the EU would not automatically trigger the application of the GDPR. The Guidelines confirm that the processing in question must be that which is carried out in the context of the activities of the EU-based employee. If the processing relates to the activities of the non-EU controller, it would not fall within the GDPR's scope.
Importantly, the processing in question does not have to be carried out "by" the EU establishment. A non-EU organisation processing any personal data in the context of its EU establishment outside the borders of Europe would still be caught (for example, a Dubai-headquartered company processing the payroll information of employees at its representative office in Germany).
Any processing by an EU-based controller that instructs a non-EU processor must comply with the GDPR on the basis that the processing is undertaken in the context of the activities of the former. It is the controller's responsibility to ensure that the processor implements the necessary measures to ensure compliant processing. The processor therefore becomes indirectly subject to the GDPR pursuant to its contract with the controller, which must contain at least the provisions outlined in Article 28.
The Offering Test
In the absence of an establishment in the EU, a controller or processor's data processing activities may still be caught under the tests set out in Article 3(2) that determine whether a controller or processor is targeting data subjects in the EU.
The Guidelines establish that the Offering Test is aimed at intentional targeting of individuals who are based in the EU, not inadvertent or incidental targeting. If the processing relates to a service offered to individuals based in a non-European country, the ongoing processing of their personal data when the individuals enter Europe does not bring that processing within the scope of the GDPR. Accordingly, this would not catch the processing of subscribers to online services targeted outside the EU when those subscribers visit an EU member state.
It is also important to note that the Offering Test only applies in connection with an offer of goods or services. In the Guidelines, an example is provided of a non-EU company processing the personal data of its employees on a temporary business trip into the EU (for example, reimbursing business expenses and paying allowances). While the processing activity is connected to data subjects who are in the EU, it is in the context of the employment relationship and not the offering of goods or services.
The Guidelines also re-affirm the point in Recital 23 of the GDPR that mere accessibility of a website in the EU does not provide sufficient evidence of an intention to offer goods or services in the EU. When goods or services are "inadvertently or incidentally" provided to a person in the EU, the related processing does not fall within the scope of the GDPR for the purposes of the Offering Test.
There must be a connection between the processing activity and the offering of goods or services. The Guidelines clarify that this may apply to either the controller or a processor: while the decision to target individuals in the EU can only be made by an entity acting as a controller, a processor may actively take part in processing activities related to carrying out the targeting criteria (for example, by offering goods or services or carrying out monitoring actions on behalf of, and on instruction from, the controller). In such case, a non-EU processor would fall within the scope of the GDPR. The guidance provides examples, including a processor developing special offers to EU customers and a cloud service provider storing data that a controller uses to monitor individual users of an app. Both of these examples are considered to show processing by the processor that falls within Article 3(2), although the extent of the cloud service provider's "active" participation in the targeting activity is not clear in the latter example. This could have significant implications in scenarios where a processor is requested to carry out processing such as data storage or hosting but does not have information concerning the controller's use of the data.
Controllers or processors whose activities are caught by the Offering Test or the Monitoring Test must appoint a representative in the EU. The appointment of the representative would not itself constitute an establishment in the EU for the purposes of the Establishment Test and the role is not intended to equate to an external data protection officer ("DPO"). The representative is appointed by a controller or processor with a mandate that is incompatible with the independent tasks and duties of a DPO under the GDPR.
While the representative is required to maintain a record of processing activities, the EDPB considers that the controller or processor is responsible for the primary content and updating of the record. The Guidelines also make clear that the GDPR does not establish "substitutive liability" of the representative in place of the controller or processor. Corrective measures or administrative fines and penalties may be addressed to the representative but are considered to be imposed on the controller or processor only.
The Guidelines will be particularly relevant to organisations based outside the EU that do business in or have connections with Europe. All such organisations should be:
- assessing or seeking advice as to whether any of their data processing operations trigger the various tests that would cause the GDPR to apply;
- adopting any necessary compliance measures to comply with the GDPR to the extent required, including the appointment of a representative where appropriate;
- understanding the implications if the GDPR applies only to certain activities; and
- considering measures to address GDPR risks and monitoring changes in their business models and processes even if the GDPR is not applicable to current data processing activities.
Any data processors based outside the EU – including cloud storage providers, call centres and other service providers – should consider the potential direct application of the GDPR in circumstances where the processing activity of the controller relates to the targeting of individuals in the EU. This may require some enquiry on the part of the processor to determine the context of the controller's data processing.