Miriam Everett, Head of Data Protection and Privacy, Herbert Smith Freehills, looks at new draft guidelines issued by the European Data Protection Board giving long-awaited guidance on the extraterritorial application of the EU’s General Data Protection Regulation.
The EU’s General Data Protection Regulation (GDPR) imposes broad extraterritorial application, catching those who process personal data about EU data subjects wherever the processing takes place (subject to exceptions). On 23 November 2018, the European Data Protection Board (EDPB) published its draft guidelines on Article 3 of the GDPR, being the provision that sets out the territorial scope of Europe’s data protection legislation.
The guidelines are in draft form and are subject to consultation but they help clarify key questions regarding the application of the GDPR. That being said, they do not cover every possible permutation of Article 3. There remain gaps where organisations outside the EU will need to exercise judgement without any comfort that their interpretation will align with that of regulators. In particular, there are still question marks around the application of what actually constitutes the offering of goods and services to individuals in the EU.
The GDPR seeks (via Article 3) to extend its reach beyond European borders, making non-EU organisations directly subject to its obligations when processing personal data either:
- in the context of an establishment of a controller or a processor in the EU, or
- relating to the offer of goods or services to individuals in the EU, or
- relating to the monitoring of the behaviour of individuals as far as their behaviour takes place in the EU.
The broad drafting of the legislation and potentially extremely wide application of the GDPR to organisations located outside the EU has left many organisations worldwide in a state of uncertainty as to the fundamental application of this important legislation to their activities. Guidance on Article 3 is therefore long overdue.
The draft guidelines published on 23 November 2018 are open for consultation, with interested parties being given until 18 January 2019 to provide comments. However, even in their current draft state, the guidelines give invaluable insight into the European regulators’ view on interpretation of Article 3.
At a high level, the guidelines confirm that non-EU organisations directly caught by the GDPR and with no establishment in the EU will not be able to benefit from the one-stop shop mechanism. This confirms that such organisations will need to comply with national privacy laws in each of the member states in which they have customers.
Article 3(1) relates to processing in the context of the activities of an establishment of a controller or a processor in the EU. The key highlights of the guidelines in the context of Article 3(1) are set out below.
The simple fact that an organisation’s website is accessible in the EU will not mean that the non-EU entity has an establishment in the EU.
The existence of an ‘establishment’ should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring processing within the scope of the GDPR.
Where a controller subject to the GDPR uses a non-EU processor, it will need to ensure by contract that the processor processes the data in accordance with the GDPR. The processor will become indirectly subject to some GDPR obligations by virtue of its contractual arrangements with the controller but will not be directly subject to the GDPR by virtue of Article 3(1).
A non-EU controller using an EU processor will not become subject to the GDPR simply because it chooses to use a processor in the EU. By instructing a processor in the EU, the non-EU controller is not carrying out processing ‘in the context of the activities of the processor in the Union’. The processing is carried out in the context of the controller’s own activities; the processor is merely providing a processing service.
Article 3(2)(a) relates to processing relating to the offer of goods or services to individuals in the EU. The key highlights of the guidelines in the context of Article 3(2)(a) are set out below.
- Article 3(2) refers to ‘personal data of data subjects who are in the Union’. This is regardless of citizenship (that is, it does not just apply to EU citizens). The requirement that the data subject be located in the EU must be assessed at the moment of offering of goods or services.
- The processing of personal data of an individual in the EU alone is not sufficient to trigger the application of the GDPR. The element of ‘targeting’ individuals in the EU, by offering goods or services to them, must always be present in addition.
- The offering of goods or services will apply regardless of whether a payment by the individual is required. Article 3(2)(a) is not dependent upon payment being made in exchange for the goods or services provided.
- When considering whether or not goods or services are being offered, the EDPB suggests taking into account the following factors:
- the EU or at least one member state is designated by name with reference to the good or service offered
- the controller (or processor) pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the EU
- the controller (or processor) has launched marketing and advertisement campaigns directed at an EU country audience
- the international nature of the activity at issue, such as certain tourist activities
the mention of dedicated addresses or phone numbers to be reached from an EU country
- the use of a top-level domain name other than that of the third country in which the controller or processor is established, for example ‘.de’, or the use of neutral top-level domain names such as ‘.eu’
- the description of travel instructions from one or more other EU member states to the place where the service is provided
- the mention of an international clientele composed of customers domiciled in various EU member states, in particular by presentation of accounts written by such customers
- the use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU member states, or
- the controller offers the delivery of goods in EU member states.
Article 3(2)(b) relates to processing relating to the monitoring of the behaviour of individuals as far as their behaviour takes place in the EU. The key highlights of the guidelines in the context of Article 3(2)(b) are set out below.
- For Article 3(2)(b) to apply, the behaviour monitored must first relate to an individual in the EU and, in addition, the monitored behaviour must take place within the EU.
- Although Recital 24 only talks about the tracking of a person on the internet, the EDPB considers that tracking through other types of network or technology involving personal data should also be taken into account, for example through wearable and other smart devices.
- The online collection or analysis of personal data of individuals in the EU would not automatically count as ‘monitoring’ (that is, just having some cookies on a website will not be enough). It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data.
- Examples of monitoring activities could include:
- behavioural advertising
- geo-localisation activities, in particular for marketing purposes
- personalised diet and health analytics services online
- market surveys and other behavioural studies based on individual profiles, and
- monitoring or regular reporting on an individual’s health status.
The guidelines finally also consider the requirement for non-EU organisations with no establishment in the EU to appoint an EU representative. The guidelines confirm that it was the intention of the legislation to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility of imposing administrative fines and penalties against representatives, and to hold representatives liable.
Miriam Everett, Head of Data Protection and Privacy
Herbert Smith Freehills
Copyright: Herbert Smith Freehills
The EDPB draft guidelines are available at: https://edpb.europa.eu/our-work-tools/public-consultations/2018/guidelines-32018-territorial-scope-gdpr-article-3_en.