Companies that target EU residents must comply with the GDPR — even if they are not established in the EU.
In less than a year — on 25 May 2018 — the European Union (EU) General Data Protection Regulation (GDPR) will go into effect, replacing the current Data Protection Directive (the Directive). Global companies and companies based in the EU are generally well-acquainted with the GDPR and are currently undertaking efforts to bring themselves into compliance within the next year. However, companies that are not established in the EU but that target EU residents should also be focusing on such compliance efforts.
Companies that are not established in the EU but that offer goods or services to EU data subjects or monitor the behaviour of EU data subjects are required to comply with the requirements of the GDPR. In this article, we explain the territorial scope of the GDPR, provide background and context on the territorial applicability of data protection law in Europe, and discuss the unique requirement for companies not established in the EU to designate a representative.
WHEN THE GDPR APPLIES TO COMPANIES OUTSIDE THE EU
The broad territorial scope of the GDPR is enshrined in Article 3. Under Article 3, the GDPR applies to the processing of personal data of EU data subjects where:
- The controller or processor is established in the EU (even if the processing does not take place in the EU) or
- The controller or processor is not established in the EU but (a) offers goods or services to EU data subjects (irrespective of whether payment is required) or (b) monitors the behaviour of data subjects in the EU.
When a company is seeking to determine whether it offers goods or services to EU data subjects, the company must consider factors that would indicate that it envisages offering goods or services to EU data subjects. Such factors include the language it uses to offer goods or services to data subjects, the type of currency used in the offer of goods or services, and mention of customers or users in the EU.
Also, it should consider whether it tracks the online behaviour of EU data subjects, including whether it uses profiling techniques that analyse or predict the individual’s personal preferences, behaviours, or attitudes.
EXTRATERRITORIAL APPLICABILITY OF EU DP LAWS
The GDPR’s broad territorial applicability stems in part from jurisdictional differences in implementing the Directive. The Directive — which currently governs the processing of personal data of EU data subjects — was adopted in 1995 to facilitate the free flow of personal data within the EU, while also ensuring that the fundamental rights of individuals, particularly the right to privacy, were safeguarded. Because it was a Directive, rather than a Regulation, each EU Member State implemented its own data protection law, which led to inconsistencies and fragmentation in the protections for personal data across the EU.
One way in which the Directive is inconsistent is how each jurisdiction determines when its data protection law applies. Under the Directive’s Article 4, the Directive applies to the processing of personal data where “the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State.” However, how to determine when a company is “established” in a particular country varies depending on each jurisdiction’s interpretation of the term “established,” meaning the analysis of when a country’s data protection law applies can vary by country.
The European Parliament and Council of the EU sought to patch such discrepancies by ensuring that under the GDPR the personal data of EU data subjects would be protected more consistently and broadly (i.e., not only by controllers or processors established in the EU). In Recitals 23 and 24, the Parliament and Council stated:
“In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.”
WHAT DO NON-EU COMPANIES NEED TO DO?
Comply with the GDPR broadly: In line with Article 3, companies that are not established in the EU, but that nonetheless target EU data subjects by offering them goods or services or by monitoring their behaviour, must comply with all of the GDPR’s provisions. This means that they are required to comply with the GDPR’s data breach notification requirement, appoint a Data Protection Officer, update their privacy notices, implement measures to address expanded individual rights, document the bases for their processing of personal data, and ensure that appropriate contractual provisions are in place with vendors, among many other obligations. While companies may opt to take a risk-based approach and not comply with the GDPR altogether (or only implement compliance measures that address certain requirements), they are nonetheless technically subject to the GDPR as to all EU personal data they receive, including to its heightened sanction provisions.
Select and appoint a representative: In addition to complying with the GDPR’s broad requirements, companies that are not established in the EU are subject to one additional and unique provision: under Article 27, except in certain circumstances, companies must designate in writing a representative in the EU.
A “representative” is defined in Article 4 as “a natural or legal person established in the [EU] who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under [the GDPR].” The GDPR’s requirements for representatives differ from those for Data Protection Officers: most notably, DPOs must perform duties such as advising on data protection impact assessments and monitoring compliance with the GDPR, but the GDPR assigns no substantive responsibilities to representatives. Rather, the requirement to appoint a representative appears to be more form than function. Under Article 27, the representative must be established in one of the EU Member States where the data subjects whose personal data the company processes are located. In addition, the company must appoint the representative without prejudice to legal actions that could be initiated against the company itself — and the representative must be subject to enforcement proceedings in the event of non-compliance by the company (i.e., both the company and the representative could be subject to enforcement proceedings). By focusing on form for the representative and function for the DPO, the GDPR seems to contemplate that the representative and DPO will be separate persons.
One potential area of overlap between representatives and DPOs, however, appears in Article 27, which says that the representative must serve as the contact point for all issues related to the company’s processing of personal data under the GDPR, including as a contact point for supervisory authorities. This is similar to requirements in various Articles that the DPO be listed as a company’s point of contact (see Article 14) and interface with supervisory authorities (see Article 39). These points suggest that companies may want to consider having the representative and the DPO be the same person, to ensure a consistent point of contact.
A representative is not required when a company’s processing of EU personal data is (1) “occasional,” (2) does not include large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences, and (3) is unlikely to result in a risk to the rights and freedoms of natural persons. The GDPR’s wording is vague, and thus far no regulators have offered guidance as to what is considered “occasional” processing, but this exception likely means that companies that do not target EU data subjects are not required to designate a representative. For example, a company that has one global marketing website (e.g., www.company.com) that is accessible by EU data subjects but does not specifically direct goods or services to EU data subjects (e.g., does not have country-specific websites such as www.company.fr) and whose customer base is 98 percent from the United States and only 2 percent from Europe may not be required to designate a representative.
Consider these key points: A company that is not established in the EU but that offers goods or services to, and/or monitors the behaviour of, EU data subjects must therefore consider the following:
- The best jurisdiction for its representative, which may be the jurisdiction in which it has the most EU data subjects, where it focuses its targeting of EU data subjects, or where it conducts the most extensive monitoring;
- The person that would be the most appropriate EU-facing representative for the company, considering the person’s understanding of data protection laws, legal or compliance background, and experience interfacing with regulatory authorities;
- If that person is not a company employee but a third party, the appropriate contractual arrangement for engaging a third party to serve as the company’s representative;
- Whether the company will or should appoint a DPO and, if so, who the company has identified as the DPO; and
- The company’s potential liabilities in the EU.