The European Data Protection Board (“EDPB”)[1] adopted its highly anticipated guidelines on the territorial scope of the General Data Protection Regulation (“GDPR”) (the “Guidelines”), which are currently open for public consultation until January 18, 2019.

The extraterritorial application of the GDPR to entities located in non-EU countries marks a significant shift in the legal framework compared to the GDPR’s predecessor (Directive 95/46/EC).

The GDPR’s extraterritorial scope is based on two main criteria described in its Article 3:

  • the “establishment” criterion, according to which the GDPR applies where processing of personal data is undertaken by a person in the context of the activities of an establishment in the European Union regardless of whether the processing takes place in the European Union or not, and
  • the “targeting” criterion, according to which the GDPR applies where processing activities conducted by a person established outside the European Union relate to the offering of goods or services or the monitoring of behavior of data subjects in the European Union.

As a result of these two criteria, businesses which did not previously need to consider the applicability of EU data protection law to their processing activities may now be caught within the GDPR’s territorial scope. The Guidelines  are intended to bring clarity to non-EU businesses doing business with the EU, either directly or through “establishments”, which must undertake a careful assessment of their data processing activities in order to determine whether the GDPR applies. The full text of the Guidelines can be accessed here and their key features are summarized below.

The application of the establishment criterion to non-EU entities

  • What is an “establishment in the European Union”? The Guidelines explain that in order to assess whether a data controller or a data processor has an establishment in the EU, both the (i) degree of stability of the arrangements, and (ii) effective exercise of activities in the relevant member state, must be considered in the light of the specific activities and/or provision of services concerned. The threshold for “stable arrangements” should be considered quite low, particularly where goods and/or services are provided over the internet. The fact that a non-EU entity does not have a branch or subsidiary in a member state does not preclude it from having an establishment in the European Union within the meaning of the GDPR.
  • What does it mean for a non-EU entity to process personal data “in the context of the activities of” an establishment in the European Union? Basing its reasoning on a judgment of the Court of Justice of the European Union rendered before the GDPR came into force, [2] the Guidelines provide that two key factors must be considered when assessing whether a processing by a non-EU entity having an EU establishment must be deemed to take place “in the context of the activities” of that establishment:
    • whether there is an “inextricable link” between the activities of the EU establishment and the processing of data carried out by a non-EU entity; and
    • whether the EU establishment’s revenue raising activities are inextricably linked to the processing taking place outside the European Union.
  • Key Takeaways:
    • Businesses with EU operations (whether or not conducted through a legal entity in an EU jurisdiction) need to closely consider whether their EU activities give rise to GDPR compliance obligations elsewhere in the organization. The concept of “establishment” should not be viewed narrowly.
    • An assessment of the potential links between the purpose for which personal data is being processed by a non-EU organization and the activities of the EU establishment must be undertaken. Where the purpose of the processing cannot be separated from the EU activities, the non-EU organization must consider its GDPR compliance obligations.
    • The Guidelines also confirm that the use of a non-EU processor, that is not subject to the GDPR, by an EU controller will give rise to the need for an Article 28 compliant data processing agreement between the parties (placing the non-EU processor under GDPR like obligations). Alternatively, where a non-EU controller, that is not required to comply with the GDPR, uses an EU processor, the controller will not become subject to GDPR obligations. In the latter case, the EU processor who deals with the non-EU controller must still comply with those GDPR provisions which are directly applicable to data processors.[3]

The application of the targeting criterion to entities established outside the EU

  • Who are “data subjects in the European Union”? The Guidelines clarify that whether or not a data subject is “in the [European] Union” must be assessed at the moment the relevant “trigger activity” takes place (i.e., at the point that goods or services are offered, or the moment that behaviour is being monitored).
  • Is all processing caught? The Guidelines emphasize that the processing of personal data of an individual in the European Union alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the European Union. The “targeting” of such individuals in the EU, either by offering goods or services to them or by monitoring their behaviour must also be present.
  • What does it mean to “offer goods and services”? The Guidelines confirm that offering goods and services does not depend on whether payment is claimed or made. Instead, a decisive factor is whether the offer of goods or services is “directed” at a person in the European Union (or, put differently, whether it is the controller or processor’s intention to offer goods or services to a data subject located in the European Union). For this purpose, the Guidelines set out nine factors which can be taken into consideration as part of any assessment of intention (including, for example, whether a controller or processor has launched marketing campaigns directed at an EU country audience, or whether the controller or processor offers the delivery of goods in EU member states). It is noted however, that a single factor may not be sufficient on its own to establish intention; instead, the factors should be considered as part of an in concreto analysis of the data controller’s activities.
  • What does it mean to “monitor data subjects’ behaviour”? The Guidelines confirm that the GDPR will apply where the behavior being monitored (i) relates to a data subject in the European Union, and (ii) such monitored behaviour takes place within the territory of the European Union. While the GDPR’s recitals specifically refer to monitoring as including the tracking of a person on the internet, the Guidelines confirm that tracking through other types of network or technology are also relevant (e.g., through wearable and other smart devices). Additionally, the Guidelines note that while the GDPR does not require an “intention to target” on the part of the data controller, the use of the word “monitoring” implies that the controller has a specific purpose in mind. However, the EDPB does not consider that all online collections of personal data automatically amount to “monitoring” and so the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling using that data, must be assessed on a case-by-case basis.
  • Key Takeaways:
    • The Guidelines confirm that intention is a key factor when determining whether goods or services have been offered to persons in the EU. The Guidelines also clarify that the GDPR will apply even where the services are offered to persons who are merely travelling through the EU (the Guidelines include an example of a US business that provides a mapping app to tourists visiting cities in the European Union; where the intention is to target persons located in such cities, even tourists, the GDPR will apply). On the other hand however, the GDPR will not apply where a US tourist accesses a US service (such as a news app) while visiting the EU, so long as the app was intended for a US audience.
    • The concept of monitoring should not be limited to internet based activities and intention to monitor is not decisive. Therefore, the features of any potential monitoring of data subjects in the EU will need to be examined carefully. The Guidelines give the example of a US based marketing company that advises a French based client in connection with design of retail layouts, based on the analysis of customers’ movements through a French shopping center, collected via Wi-Fi tracking. Such tracking would amount to monitoring for GDPR purposes, according to the EDPB.

Other guidance provided by the EDPB

As well as clarifying a number of concepts associated with the two main criteria for the application of the GDPR to non-EU entities, the Guidelines also include various additional examples of the application of the guidance in practice. Additionally, the Guidelines provide information to non-EU controllers and processors to whom the GDPR applies in connection with the obligation to appoint an EU representative. The Guidelines set out the formality requirements of such appointment, the distinction between the role of a Data Protection Officer and an EU representative, exemptions from the requirement to appoint an EU representative and the obligations and responsibilities of the EU representative. The Guidelines also set out information about the application of the GDPR where member state law applies by virtue of public international law.

[1] The EDPB is an independent body established by the GDPR composed of representatives of the national data protection authorities and the European Data Protection Supervisor, which can adopt general guidance on the GDPR and is also empowered to make binding decisions to ensure a consistent application of the GDPR.

[2] The Google Spain judgement of 13 May 2014 (Case C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González).

[3] This includes the obligations imposed on processors under Article 28 (2), (3), (4), (5) and (6), on the duty to enter into a data processing agreement, with the exception of those relating to the assistance to the data controller in complying with its (the controller’s) own obligations under the GDPR.