European Data Protection Board Provides Clarifications on Territorial Scope of GDPR
The Situation: The General Data Protection Regulation has a broad territorial scope and can apply to businesses based outside the European Union.
The Result: The European Data Protection Board has provided important clarifications on the interpretation of GDPR and the criteria to determine its territorial scope.
Looking Ahead: Non-EU based controllers and processors should carefully reassess whether the GDPR applies to them in light of this draft guidance. If it does, they must designate a representative in the European Union; that representative will be subject to supervision and may face enforcement action initiated by EU supervisory authorities.
The European Data Protection Board ("EDPB"), the body consisting of representatives of all national supervisory authorities and the European Data Protection Supervisor in charge of ensuring the consistent application of the General Data Protection Regulation ("GDPR"), recently released draft guidelines ("Guidelines") providing important clarifications on the territorial scope of the regulation. Although still in draft, the Guidelines shed light on a number of important issues and should be taken into account by businesses when assessing the impact of the GDPR on their data processing activities.
The GDPR has a broad territorial scope and applies on the basis of two main criteria: an "establishment" of a controller or processor in the European Union, or "targeting" activities carried out by a controller or processor not established in the European Union in relation to data subjects in the European Union.
Establishment Criterion—Context of Processing Activities
The GDPR applies to processing of personal data carried out in the context of an establishment of a controller or processor in the European Union, regardless of whether or not the processing takes place in the European Union.
In this respect, the Guidelines confirm a broad interpretation of the concept of "establishment" under article 3 of the GDPR. In particular, the EDPB states that: (i) a business need not be incorporated in the European Union to be considered as having an EU establishment, and (ii) the decisive test is whether a real and effective activity is exercised through stable arrangements. For example, the stable presence in the European Union of a single employee or agent of a non-EU entity could be sufficient for that entity to have an EU establishment. The EDPB also states that the GDPR applies to processing activities carried out in the context of the EU establishment regardless of whether the EU establishment itself performs the processing and regardless of where the processing physically takes place: what matters is the link between the processing and the activities of the establishment, not the location of the servers or of the staff doing the processing.
Most importantly, the EDPB clarifies that the "establishment criterion" must be assessed separately for the controller and for the processor. This is significant because it means that a controller established outside the European Union is not subject to the GDPR merely because it uses a processor located in the European Union. Conversely, a processor established outside the European Union and acting for an EU-based customer is not subject to the GDPR merely because its customer is based in the European Union. In practice, however, that processor will still be bound by the contractual obligations the controller must impose on it (in particular under article 28 of the GDPR) as part of the controller's own compliance.
This pragmatic approach by the EDPB will be a relief both for non-EU businesses using EU-based service providers, and for non-EU based service providers acting for EU customers, as it implies that such non-EU based businesses will not systematically be subject to the GDPR.
Targeting Criterion—Offering Goods and Services, and Monitoring Behavior
In addition to the "establishment criterion," the GDPR also applies to controllers and processors not established in the European Union where the "targeting criterion" is met, i.e., where the processing of personal data relates to: (i) the offering of goods or services to data subjects in the European Union, or (ii) the monitoring of the behavior of data subjects, as far as that behavior takes place in the European Union.
In this context, the Guidelines emphasize that whether the data subject is located in the European Union must be assessed at the moment the offering or monitoring takes place, irrespective of how long that offer or monitoring lasts; the nationality or residence of the data subject is not the test. The Guidelines also make clear that the offering must be directed at data subjects in the European Union. A typical example is an app targeted at the U.S. market that is incidentally downloaded by a U.S. resident while travelling in the European Union: the GDPR does not apply, because the offering was not intended for data subjects in the European Union.
In respect of the monitoring of the behavior of data subjects in the European Union, the EDPB states that monitoring implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the data about a data subject's behavior for behavioral analysis or profiling.
Role and Obligations of the Representative for Controllers or Processors not Established in the European Union
For controllers and processors that are not established in the European Union but are nevertheless subject to the GDPR as a result of the "targeting" criterion, the regulation provides that they must designate a representative in the European Union. Supervisory authorities and data subjects may address such a representative, on behalf of the represented controller or processor, on all issues related to GDPR compliance. The regulation itself (article 27(2)) exempts from this obligation public authorities and bodies, as well as processing that is only occasional, does not include large-scale processing of special categories of data or of data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of individuals; whether one of these exemptions applies is therefore the first point to check.
In respect of the designation of a representative, the EDPB clarifies that this should be done in writing, and that the representative can be either an individual or an organization. The representative can be appointed under a service contract, but should not also be the data protection officer, as the EDPB regards the two roles as incompatible. Once appointed, the representative should be clearly identified in the data protection notices provided to data subjects. However, according to the Guidelines, the appointment of a representative does not need to be notified to any supervisory authority.
The Guidelines further state that the responsibilities of the representative must at least include: (i) facilitation of communication between the data subjects and the controller or processor, (ii) maintaining a record of processing activities jointly with the controller or processor, and (iii) facilitating any exchange with a supervisory authority.
Last but not least, the EDPB clearly states that supervisory authorities may initiate enforcement action against the representative in the same way as against the represented controller or processor, including the imposition of administrative fines and penalties, and may hold the representative itself liable. In addition, failure by a controller or processor that is not established in the European Union, but is subject to the GDPR, to designate a representative is itself an infringement of the GDPR and may give rise to an administrative fine.
The Guidelines are currently in draft and are subject to public comment. The comment period will hopefully enable the EDPB to provide further clarity on questions related to the scope of the GDPR that currently remain open. For example, to what extent must a processor established in the European Union comply with the restrictions on international data transfers when it transfers data back to a non-EU based controller? And does the "targeting" criterion also apply where the processing of personal data relates to an offering of goods or services in a business-to-business context?
In any case, the Guidelines already provide important clarifications that should be taken into account by businesses for refining their GDPR compliance program and adjusting their strategy-related decisions.
Three Key Takeaways
- Territorial application of the GDPR on the basis of the 'establishment' criterion should be assessed separately for controllers and for processors.
- Territorial application of the GDPR on the basis of the 'targeting' criterion requires assessing whether an offering of goods or services is directed at data subjects in the European Union at the time the offering is made, and/or whether behavioral data is collected with the intent to reuse it for behavioral analysis or profiling.
- Non-EU based controllers and processors subject to the GDPR must appoint an EU representative who will be subject to supervision and regulatory enforcement.
Undine von Diemar
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.