The European Data Protection Board (EDPB) has finally published its long-awaited draft guidelines 3/2018 on the territorial scope of GDPR (article 3) (“Draft Guidelines”). These are now subject to consultation until 18 January 2019.
These Draft Guidelines are pertinent to companies outside of the EU seeking to determine whether the General Data Protection Regulation “GDPR” applies to them. The Draft Guidelines are just as important for companies that must comply with the GDPR in their business dealings with non-EU organisations.
Article 3 of the GDPR defines the territorial scope of the regulation using two main criterion, Establishment” (Article 3(1)) and “Targeting” (Article 3(2)).
The Establishment Criterion
A wide interpretation of “establishment in the EU”
The challenge for companies established outside of the EU is that the Draft Guidelines continue to refer to the very broad interpretation of an establishment by the European Court of Justice (ECJ) under the Directive 95/46. Essentially, the Draft Guidelines appear to follow the case law despite the GDPR having introduced the “targeting” criterion.
Establishment of the controller and of the processor to be considered separately
The EDPB emphasises that it is important to consider the establishment of the controller and processor separately.
- In case of processing by a controller in the EU using a non-EU processor – The processor not subject to the GDPR will become indirectly subject to some obligations imposed by controllers bound by the GDPR, by virtue of contractual arrangements under Article 28.
- In case of processing in the context of the activities of an establishment of a processor in the EU – A non-EU controller, unless other factors are relevant, will not become subject to the GDPR simply because they choose to use a processor in the EU. However, in this case, the EU processor will have difficulties complying with its GDPR obligations relating to international transfers with regard to the relationship with its non-EU controller/client.
Also, EDPB insists that the EU territory cannot be used as a “data haven”, especially if the processing is to do with inadmissible ethical issues, or breach of EU or national public order rules, which will put all the burden of compliance on the processor
The Targeting Criterion
This is one of the novelties introduced by the GDPR to address online activities that could not be captured under the previous regulation, Directive 95/46. Under this criterion, GDPR applies to companies that do not have an establishment in the EU but
- Offer goods or services to data subjects in the EU, irrespective of whether a payment of the data subject is required, or
- Monitor the EU-based data subject’s behaviour within the Union.
The guidelines on the targeting criterion raise several issues, including the difficulty in appointing a representative in the EU as well as the lack of clarity on international transfers to the organizations outside of the EU.
Appointing a representative in the EU
In line with Recital 80 and Article 27(5), the designation of a representative in the EU does not affect the responsibility and liability of the controller or of the processor under the GDPR and shall be without prejudice to legal actions, which could be initiated against the controller or the processor themselves.
EDPB however underlines the concept of the representative which was introduced precisely with the aim of ensuring enforcement of the GDPR against non-EU controllers or processors. To this end, it was intended to enable enforcers to initiate enforcement actions against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable. This is clearly unwelcome news for companies established outside of the EU as they may find it challenging to find organisations willing to take on the role of their representative and associated risk. Accordingly, it is worthwhile considering creating an establishment in the EU.
It would certainly be important to receive additional clarification from EDPB on the extent of the representative’s liability, assuming this interpretation is valid.
International transfer of data
There has been much debate amongst stakeholders on whether or not processors or controllers established outside the EU and falling under the scope of article 3(2) of the GDPR would need to implement the measures provided for in Chapter V in relation to the data they are collecting on data subjects in the EU.
Some consider that as the GDPR already applies to such controllers or processors, this would not require any additional measures for the data flow from the EU (given that compliance with GDPR offers all the protection that is needed).
In practice it sometimes is very difficult for non EU controllers or processors that are not from countries considered adequate (including the US under the Privacy Shield) to implement the measures of chapter V especially when they cannot rely on the exceptions of article 49 and have no one with which to enter into EU Standard Contractual Clauses.
Here again clarification should be sought from EDPB. It will be difficult to have a joint position from the EDPB members on this.
Finally, in addition to the two major criteria above, GDPR provides for additional territorial rules:
- GDPR allows for local derogations and Member States may create their own criteria with respect to territorial scope of such derogations
- GDPR applies to processing in a territory where Member State law applies by virtue of Public International Law.