Data ProtectionPrivacy

To which entities is the GDPR applicable and how?

The territorial scope of the GDPR can unvail major issues for businesses not located in the EU

The GDPR is applicable to any business looking at the European Union, especially after the EDPB guidelines on the territorial scope.

As part of my series of blog posts on the most relevant issues to consider in complying with the EU General Data Protection Regulation, here I discuss why not only European companies should care about it since the GDPR is applicable also to companies outside the EU. This issue is a relevant topic, especially after the issue of the EDPB Guidelines on Territorial Scope that are now subject to a consultation that will end on 18 January 2019.

The GDPR applicability for data processing “in context of the activities of an establishment in the EU

The EU Data Protection Directive 95/46 applied to data controllers established in the European Union with the consequence that for instance US companies with no EU establishment could be considered to be excluded unless other criteria of applicability applied.

On the contrary, the European General Data Protection Regulation refers to

the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

This provision requires, according to the EDPB Guidelines on Territorial Scope, to determine what an establishment in the European Union is. This circumstance does not depend on the adopted legal form. And for instance, it is not possible to conclude that the non-EU entity has an establishment in the Union merely because

  • its website is accessible from the EU;
  • it has designated an EU representative according to the GDPR; or
  • it uses a data processor established in the EU.

According to the EDPB Guidelines on Territorial Scope, the GDPR is applicable when

  • there is an inextricable link between the activities of an EU establishment and the processing of data carried out by a non-EU controller, regardless of whether the EU establishment plays a role in that processing of data.

  • there is a revenue-raising in the EU by a local establishment, to the extent that such activities can be considered as “inextricably linked” to the processing of personal data taking place outside the EU and individuals in the EU.

The interpretation of the EDPB is at least arguable since it might extend the applicability of the GDPR to any business that has directly or indirectly a presence in the European Union (e.g., through an EU based marketing entity), even if no data processing activity relating to the non-EU business is performed through such presence.

What shall data controllers and data processors do?

The consequence of the above is that according to the EDPB Guidelines on Territorial Scope:

  • if there is a non-EU established data processor that processes data on behalf of an EU established data controller, a GDPR compliant data processing agreement shall be entered between the parties to regulate the data transfer;
  • If there is an EU established data processor that processes data on behalf of a non-EU established data controller, the controller will not become subject to the GDPR controller obligations only because it chooses to use an EU processor. But, the processor will still be subject to the GDPR provisions directly applicable to data processors. Such duties include the obligations to (i) enter into a data processing agreement (ii) process data only on instructions from the controller (iii) maintain a record of all categories of processing carried out on behalf of a controller (iv) implement technical and organizational measures to ensure a level of security appropriate to the risk, also appointing a DPO and (v) adopt GDPR compliant data transfer agreements.

This interpretation might lead to potential discrimination of EU established data processors that would be subject to stricter obligations than their competitors, even if they offer services to entities to which the GDPR is not applicable.

The targeting principle for non-EU establishments can still make the GDPR applicable

The expanded concept of privacy establishment is a minor change if compared to the massive effects that can derive from the targeting principle. According to such rule, the General Data Protection Regulation applies to the processing of personal data of data subjects who are in the European Union performed by a data controller or a data processor not established in the EU where the processing activities are related to

the offering of goods or services – irrespective of whether they are free of charge or require a payment – to such data subjects in the EU

The rationale is to protect European citizens regardless of the place where the company offering the goods and services is located which in a global economy and with the ubiquity of the Internet might be everywhere in the world.

The consequence of the above is that the US or an Asian Internet company with no establishment in the European Union, but actively promoting and selling its products to EU customers is likely to be required to comply with EU data protection law. However, to prevent companies with no relevant business in the EU from just stopping their sales in the EU, the GDPR clarifies that to assess whether it is applicable, it should be evaluated if

it is apparent that the controller is envisaging the offering of services to data subjects in one or more Member States in the Union“.

What shall data controllers and data processors do?

According to EDPB Guidelines on Territorial Scope, the following factors to be considered in assessing whether the requirements of the targeting principle are met:

  • The EU or at least one Member State is designated by name for the good or service offered;
  • The data controller or processor pays a search engine operator for an internet referencing service to facilitate access to its site by consumers in the Union, or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
  • The mention of dedicated addresses or phone numbers to be reached from an EU country;
  • The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example, “.de”, or the use of neutral top-level domain names such as “.eu”;
  • The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;
  • The data controller offers the delivery of goods in the EU Member States.

The EDPB excludes from the applicability of the GDPR, data processing activities that are merely incidental, e.g., an App dedicated to tourists in the US which is purchased in the US and brought in the EU, but other scenarios might remain unclear.

If a non-EU entity monitors users in the EU, the EU General Data Protection Regulation might apply

The last criteria that make the GDPR applicable are

the monitoring of their behavior as far as their behavior takes place within the EU.

According to the EDPB Guidelines on Territorial Scope, the behavior monitored must first relate to a data subject in the European Union and, as a cumulative criterion, the monitored behavior must take place within the territory of the European Union. The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring”. It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioral analysis or profiling techniques involving that data.

What shall data controllers and data processors do?

The EDPB listed among scenarios where the GDPR can be applied according to such criterion the following:

  • behavioral advertising, as ads run through cookies  and fingerprinting technologies
  • Geo-localization activities, in particular for marketing purposes
  • Online tracking through the use of cookies (Read on the topic “Sites ready for new Italian privacy cookies rules?“) or other tracking techniques such as fingerprinting (Read on the topic “Fingerprinting treated like cookies under privacy law“)
  • Personalized diet and health analytics services online
  • CCTV
  • Market surveys and other behavioral studies based on individual profiles
  • Monitoring or regular reporting on an individual’s health status

These categories are vast, and my concern is that they might apply to any company running a website, risking to make the GDPR applicable to the whole Internet.

The obligation to appoint an EU representative for non-EU entities under the GDPR

The role and responsibilities of EU representatives under European privacy law have always been quite unclear. Data controllers and processors established outside the EU but subject to GDPR are required to designate a representative in the EU. The requirement applies unless the processing is occasional, does not include on a large scale, processing of special categories of data or processing of personal data relating to criminal convictions and offenses where the term “occasional” has not been clarified EDPB Guidelines on Territorial Scope. 

According to the EDPB, the EU representative must facilitate the communication between data subjects and the controller or processor represented, to make the exercise of data subjects’ rights are effective as well as the communication with the data protection supervisory authorities. And for this purpose, it shall maintain a record of processing activities under the responsibility of the controller or processor.

What shall data controllers and data processors do?

The interpretation of the role of the EU representative arising from the GDPR appeared in my view more as a mere point of contact. On the contrary, the EDPB wants to increase its relevance even expressly providing that authorities might start enforcement actions against a representative in the same way as against controllers or processor which includes the possibility to impose administrative fines and penalties and to hold the GDPR EU representatives liable.

This change is massive and has been highly criticized since making the EU representative liable will not make enforcement more effective since companies might find ways to bypass the enforcement.

This aspect is one of the most relevant to be addressed as part of the current consultation on the EDPB Guidelines on Territorial Scope. Indeed, it seems to me that the EDPB is trying to go beyond what provided by the European General Data Protection Regulation, imposing obligations that might be difficult to manage for any business.

Don't miss our weekly insights

Show More

Giulio Coraggio

I am the location head of the Italian Intellectual Property & Technology department and the global co-head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our client's success.

Related Articles

Back to top button