“European data protection rules will become a trademark people recognise and trust worldwide”. That is how, in January 2012, Viviane Reding – then Vice-President of the European Commission and EU Justice Commissioner – ended her announcement of the widest reform of privacy and data protection law ever attempted. Six years later, this ambitious aim is becoming a reality. Organisations from around the world and well beyond Europe are grappling with the new European General Data Protection Regulation (GDPR) and its impact on their data activities. From Australian banks and South American insurers to US universities and Asian telecoms companies, determining the applicability of the GDPR to their operations has become a critical business decision. As many global companies ponder over the right strategy to privacy compliance, a key question has emerged: which organisations, and under which circumstances, are subject to the territorial scope of the GDPR?
Article 3 of the GDPR tries to answer this question in less than 150 words, which suggests that the answer should be straightforward. In fact, true to its evolutionary nature, the first ground for the territorial applicability of the GDPR essentially mirrors the language of its predecessor, the 1995 data protection directive. In that vein, the GDPR applies where the data processing activities take place in the context of the activities of an establishment of a controller or a processor in the EU. The only real difference is the reference to processors but otherwise, the GDPR will be applicable as determined by the existing doctrine of the European Court of Justice, which in 2014 issued an influential ruling in this respect. According to this doctrine, the law will apply even if the processing itself takes place outside the EU, as long as there is an inextricable link between that processing and the local activities of an EU-based establishment, such as the promotion of the business or some other economic activity that contributes to that business. In other words, global organisations with a physical presence in the EU will almost always be subject to the GDPR.
The second ground for the applicability of the GDPR did not exist under the directive, but it is a fairly logical one. In those cases where a controller or processor does not have an EU-based establishment, the GDPR will still apply whenever the use of personal data relates to the offering of goods or services to individuals in the EU, irrespective of whether a payment is required. This has to do with a simple principle which is set out in Recital 23: people in the EU should not be deprived of the protection to which they are entitled to under the GDPR. Crucially, this ground for the applicability of the GDPR is not triggered by the mere accessibility of a website from the EU, but by a more active targeting of individuals in the EU. In the case of processors, this will probably be interpreted as capturing the provision of services to a customer controller which relate to that customer’s offering of goods or services to individuals in the EU.
The other ground under which those without an EU establishment will often be caught by the GDPR is more difficult to pin down. It relates to the monitoring of those individuals’ behaviour in the EU. Recital 24 of the GDPR clarifies that tracking individuals on the Internet to analyse or predict their personal preferences – as many websites and apps do – will trigger the application of EU law. However, this measure makes almost every website in the world that drops tracking cookies or an app that retrieves usage information subject to the GDPR, which cannot be what the legislators intended. Common sense dictates that while under this ground the territorial applicability of the GDPR is universal, in practice the focus of regulators will be on those who use intrusive technologies from abroad to interfere with people’s privacy in the EU. Again, in the case of processors, the attention will likely be on those providing services which help customers track individuals in the EU.
What is clear is that, as with many other essential aspects of European data protection law, years will go by and we will still be scratching our heads over a myriad of borderline cases which may or may not be within the scope of application of the law. Those tasked with determining whether their operations are even subject to the GDPR will have to proceed knowing that the implications of saying ‘yes’ or ‘no’ will be huge from an organisational perspective. In the end, the best way to reach a sensible answer will probably be to think like an EU regulator: does a data activity affect in a meaningful way those individuals who I am supposed to protect? If so, it will be wise to get to work.