The Data Protection Directive 95/46/EC (“DPP”) of the European Union (“EU”) was adopted in 1995 to regulate the processing of personal data within the EU under the ambit of the EU’s privacy and human rights legislation. In April of 2016, the EU adopted the General Data Protection Regulation (“GDPR”). The GDPR supersedes the DPP and will be enforceable as of 25 May 2018.
Qatar promulgated the Data Privacy and Protection Law on 13 November 2016, which is for the most part influenced by the DPP.
The long-arm extraterritorial application of the GDPR.
In the 2015 case of Weltimmo v Hungarian Data Protection Authority (C-230/14), a Slovakian company (Weltimmo) was found to be established in Hungary due to its operation of a website that advertised Hungarian properties in the Hungarian language. The Court of Justice of the European Union decided that an “establishment” is not limited to the legal presence of the person, but rather is confirmed by “any real and effective activity – even a minimal one”. Weltimmo was fined around €32,000 for breaching Hungarian law transposing the DPP.
In comparison to the DPP, the GDPR has an even lower threshold for parties outside of the EU to be subject to its rules. Article 3, regarding the territorial scope of the GDPR, reads as follows:
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
the monitoring of their behaviour as far as their behaviour takes place within the Union.
This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Moreover, the GDPR recitals note that even where a party merely “envisages” offering products to individuals in the EU, the GDPR shall apply to it.
Does it apply to you?
There are various factors that must be considered before confirming whether the GDPR applies to your enterprise, and although adequate legal due diligence is always advisable, the following factors would assist in determining whether it applies:
- Processing of personal data of residents in the EU for economic purposes (i.e. other than public security or personal/household activities), regardless of whether you have a registered presence in the EU or not;
- Presence of a branch, office, subsidiary, or other establishment in the EU that processes personal data, even if the processing itself does not take place in the EU;
- Offering goods or services to individuals in the EU, whether for consideration or for free. If so, the offer has to tick certain check-boxes such as direct targeting of individuals in the EU, accepting payment in euros, communicating the offer in a European language (other than English), or offering to ship products to buyers in the EU; or
- Monitoring behaviour of individuals in the EU which includes tracking individuals on the internet, collecting their data, and predicting their behaviour based on such data.
What personal data is covered? Wider considerations and the internet-of-things.
Personal data under the GDPR is recognized as any information related to a natural person or data subject that can, directly or indirectly, be used to identify the person. The information can be anything from a name, email address, medical information, an internet protocol address, social media aliases, or occupation.
Additionally, the GDPR’s inclusion of online identifiers and location data as information which can be personal data implies that it may apply to identifiers in certain web analytics, mobile applications with geo-tagging abilities, and to companies that operate in the internet-of-things.
The GDPR applies to any processing of such personal information that occurs wholly or partly by automated means, or by other means intended to form part of a filing system. Processing of personal data for purely personal activities, or by competent authorities for public security matters, is excluded from the application of the GDPR.
Sanctions and next steps for you to comply.
Non-compliance with the GDPR can result in harsh fines of up to €20,000,000 or 4% of the global annual turnover of the preceding financial year, whichever is higher.
To avoid the risk of such fines, compliance with the GDPR requires a legal due diligence exercise to ensure that you are operating in line with the requirements, which, in brief, include:
- Rereading your standard wording in end-user license agreements, data protection clauses in contracts, and provisions in warrants and consents.
- Assessing current privacy and data protection policies and procedures to confirm whether they comply with matters such as individuals’ rights to their data.
- Evaluating whether a data protection officer is mandatory pursuant to the GDPR.
- Providing adequate internal employee and management policies and training in light of any vicarious liability that may arise.