Recent guidance from the European Data Protection Board explains some of the more unclear concepts regarding territorial scope under Article 3 of the EU General Data Protection Regulation. This installment of The eData Guide to GDPR breaks down the guidelines, which provide insight into both the establishment criteria and the targeting criteria; guidance on Article 3(3), which states that the GDPR applies to any place where EU law applies “by virtue of public international law”; and guidance on the responsibility of data processors and controllers who fall under the scope of Article 3(2) to designate a representative in the European Union.
The European Data Protection Board (EDPB) released “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)” (the Guidelines) on November 23 to help define some of the more ambiguous concepts in Article 3 that determine which organizations are subject to the regulation’s rules for processing personal data. The Guidelines are open for comment until January 18, 2019.
The Guidelines state that Article 3 of the GDPR reflects the intention to ensure comprehensive protection of EU data subjects’ rights and to establish a level playing field for companies active on the EU markets. Article 3 bases the GDPR’s territorial scope on two criteria:
- Under Article 3(1), the GDPR will apply if the processing of personal data is done in the context of activities of an “establishment” of a controller or a processor within the European Union (i.e., the establishment criterion).
- Under Article 3(2), even if the controller or processor is not established in the EU, the GDPR will apply to any company whose processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of data subject behavior when the behavior takes place in the EU (i.e., the targeting criterion).
Thus, on its face, Article 3 can be interpreted to apply to almost any organization that has a presence in the EU or that processes the personal data of any EU citizen, regardless of where that organization is located. Since the GDPR took effect in May 2018, companies outside the EU have been eagerly anticipating more guidance from the EDPB on this subject, to either confirm or restrict the regulation’s extraterritorial breadth.
The newly released Guidelines are split into four sections. Sections 1 and 2 provide insight into the establishment and targeting criteria, respectively. Section 3 provides guidance on Article 3(3), which states that the GDPR applies to any place where EU law applies “by virtue of public international law.” Section 4 provides guidance on the responsibility of data processors and controllers to designate a representative in the EU if they fall under the scope of Article 3(2). Some of the most important highlights from each of these sections are outlined below.
Section 1: Application of the Establishment Criterion (Article 3(1))
As stated above, Article 3(1) applies if the processing of personal data is conducted through an “establishment” of a controller or a processor within the EU. The Guidelines recommend the following two-step approach to determine if the processing of personal data meets this standard, along with some important guidance on how to correctly apply the test:
- Determine if there is an “establishment” within the EU.
- Determine if the processing of personal data is carried out “in the context of the activities” of the establishment.
Section 2: Application of the Targeting Criterion (Article 3(2))
As stated above, under Article 3(2), even if the controller or processor is not established in the EU, the GDPR will apply to any company whose activities are related to the offering of goods or services to data subjects in the EU or the monitoring of data subject behavior when such behavior takes place in the EU. Here, the Guidelines also recommend a two-step approach to determine whether a processing activity meets this standard:
- Determine that the processing relates to personal data of data subjects who are in the EU.
- Determine whether such processing is related to the offering of goods or services or the monitoring of data subject behavior in the EU.
Important guidance provided by the Guidelines regarding each of these steps includes the following:
- The simple processing of an EU citizen’s data by a non-EU organization would not meet the requirements of Article 3(2). The organization must be “targeting” individuals in the EU to offer them goods or services, or must be monitoring their behavior.
- Determining whether a data subject is “in the EU” is not limited by citizenship, residence, or another type of legal status of the data subject. Rather, the determination must be assessed at the moment when the relevant trigger activity takes place (for example, the moment of offering goods or the moment when a behavior is monitored).
The Guidelines provide a list of specific factors that, taken together, can be considered to determine whether goods and services are being “targeted” to EU citizens:
Unlike the offering of goods or services, there is no requirement that a company must be targeting EU citizens specifically in order to be considered as “monitoring” them. However, the data must be collected with a specific purpose in mind for its collection and subsequent reuse regarding the individual’s behavior within the EU. This could include a broad range of monitoring activities:
Section 3: Processing in a Place Where Member State Law Applies by Virtue of Public International Law
Under Article 3(3), the GDPR also applies to “the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.” The Guidelines elaborate on this by stating that the GDPR applies to personal data processing carried out by EU member states’ embassies and consulates when the processing falls within the material scope of Article 2 of the GDPR. It would also apply to EU cruise ships traveling in international waters that may be processing data of guests on board.
Section 4: Representative of Controllers or Processors Not Established in the Union
Data controllers or processors subject to the GDPR under Article 3(2) (i.e., through the targeting criterion) have a duty to designate a representative in the EU. The Guidelines elaborate on that requirement, noting the following:
- In practice, the duty can be exercised by a wide range of commercial and noncommercial entities (such as law firms and consultancies).
- One representative can act on behalf of several non-EU controllers or processors. The EDPB recommends that a single individual be assigned as a lead contact and person “in charge” for each controller or processor represented.
- The representative role is not compatible with the role of an external data protection officer (DPO). A DPO must have a degree of autonomy and independence that would not be compatible with the role of a representative.
- A company does not need to notify the supervisory authority regarding the designation of a representative. However, it must notify data subjects regarding the identity of the EU representative.
- The representative should be established in the member state that has a significant proportion of data subjects whose personal data are being processed but must remain easily accessible for data subjects in other member states.
- The representative must be in a position to communicate with data subjects and cooperate with supervisory authorities in the languages used by those parties.
- Representatives can be individually fined and penalized under the GDPR.