Regulation (EU) 2016/679 (the GDPR) applies from 25 May 2018 and replaces Directive 95/46/EC. The GDPR widens the territorial scope of EU data protection rules: it looks not only at where the data controller is established but also at where the data subjects are located.
The territorial scope of Data Protection Directive 95/46/EC, which is currently in force, has been implemented into the national legislation of each EU member state. Article 4 of the Directive provides that the data protection law applies to:
(i) data controllers who have an establishment in an EU member state and process data within their establishment;
(ii) data controllers who are not established in any EU member state, but use means or equipment located within the territory unless the equipment is only used for transit through the territory; and
(iii) data controllers who are not established in any EU member state, but where EU member state law applies due to public international law.
Therefore, the current territorial scope of EU data protection law is based on the location of the data controller: where it is established, or where it makes use of equipment located in the EU.
Under the GDPR (Article 3), the Regulation applies to:
(i) processing of personal data in the context of the activities of an establishment of a data controller or data processor in the EU, regardless of whether the processing itself takes place in the EU;
(ii) data controllers or data processors who are not established in the EU, but who offer goods or services to data subjects who are in the EU (whether or not payment is required), or who monitor the behaviour of such data subjects as far as that behaviour takes place in the EU; and
(iii) data controllers or data processors who are not established in the EU, but where EU member state law applies by virtue of public international law.
Consequently, the GDPR’s territorial scope has widened to take into account the location of the data subject, not only that of the controller.
a) Establishment in the EU
The Court of Justice of the European Union (CJEU) has already drawn on this wider notion of territorial scope in some of its recent data protection rulings, the draft GDPR having been published in 2012. The rulings in Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos and Mario Costeja González, C-131/12 (Google), and Weltimmo s.r.o. v. Nemzeti Adatvédelmi és Információszabadság Hatóság, C-230/14 (Weltimmo), help clarify the meaning of ‘territorial scope’ and ‘establishment’.
The Google ruling confirms that processing carried out by a non-EU parent entity (Google Inc.) takes place ‘in the context of the activities’ of its EU establishment (Google Spain) where the activities of the two are inextricably linked, for example where the EU establishment sells the advertising that funds the service. Where the processing physically occurs is irrelevant. This position has now been written into the GDPR.
The Weltimmo ruling considers the nature of an ‘establishment’ and concludes that its legal form is not the determining factor: any real and effective activity, even a minimal one, exercised through stable arrangements in a member state can amount to an establishment. The CJEU pointed to a combination of elements, including, among others, the provision of a website in the language of the country, the marketing of goods or services to that country, a representative present in the country of the data subject, or a local bank account or postal address. This question must be examined case by case, and an isolated occurrence of any one of these features will not necessarily indicate an establishment. For example, a Brazilian company will not have an establishment in the EU merely because its website can be accessed by residents of Portugal.
The GDPR now expressly states that the place where the processing of personal data is carried out is irrelevant.
b) Offering goods or services to the EU, or monitoring behaviour in the EU
The GDPR introduces two new circumstances under which data protection law applies to a controller or processor with no EU establishment: (i) offering goods or services to data subjects in the EU; and (ii) monitoring the behaviour of individuals in the EU, for example by tracking them on the internet in order to profile them (Recital 24).
With respect to the offering of goods and services, Recital 23 of the GDPR states that the determining factor is whether the provider evidently envisages offering goods or services to data subjects in the EU. Factors that point to such an intention include the use of a language or currency generally used in one or more member states, and expressly mentioning customers or users who are in the EU. By contrast, the mere accessibility of the website from the EU, a contact e-mail address, or the use of a language generally used in the provider’s own country is not sufficient.
When the GDPR applies on this basis, the data controller or data processor must designate a representative in one of the EU member states where the data subjects are located (Article 27). If the data subjects are in several member states, a representative in only one of those states is required. Article 27(2) exempts processing that is occasional, does not include large-scale processing of special categories of data or of criminal-offence data, and is unlikely to result in a risk to the rights and freedoms of individuals, as well as public authorities and bodies. The representative’s function is to be addressed, in addition to or instead of the controller or processor, by supervisory authorities and data subjects on all matters relating to the processing.
c) Rules of International Law
This rule does not change and appears to be limited to diplomatic missions and consular offices, as mentioned in Recital 25 of the GDPR.
Finally, both data controllers and data processors fall directly within the scope of the GDPR. Data processors now carry statutory obligations of their own (for example on security, record-keeping and sub-processing) and can be fined by supervisory authorities and sued by data subjects, alongside the controller. Under the Directive, by contrast, a processor’s obligations flowed only from its contract with the controller (including any indemnity clauses), and only data controllers could be fined by supervisory authorities.
What to do to adapt?
Companies incorporated outside the EU must carry out a detailed analysis to determine whether the GDPR applies to their business activities. They should first consider whether they could be deemed to have an establishment in the EU, in light of the Google and Weltimmo rulings. If not, they should consider whether they offer goods or services to, or monitor the behaviour of, data subjects in the EU.
If the company has no establishment in the EU but the GDPR applies because the company offers goods or services to data subjects in the EU or monitors their behaviour within the EU, an EU representative must be designated unless one of the Article 27(2) exemptions applies.
Companies established within the EU are bound by the GDPR in any event, so they must implement all of the measures in this guide.
Practical example: a company based in Mexico sells Mexican chillies worldwide via its website, which can be accessed from all EU member states. The website has an IP geolocation system, which is used to display the website automatically in the language of the user’s location. Furthermore, the website quotes chilli prices in euros and the company ships to the EU.
This Mexican company must comply with the GDPR because it evidently offers goods to data subjects in the EU: the combination of EU languages, prices in euros and shipping to the EU goes well beyond mere accessibility of the website. The company must also designate a representative in one of the relevant EU member states. The fact that the website determines the user’s IP address does not, by itself, amount to monitoring, provided the address is used only to select the display language and there is no intention to track or profile the user. If the company instead stored the IP address and used it to track users’ browsing or build profiles, that would be monitoring of behaviour in the EU and a second, independent ground for the GDPR to apply.