
EU Regulators Clarify Scope of GDPR

The long-awaited guidance on the scope of the General Data Protection Regulation (GDPR) was released for public consultation on 16 November 2018 by the European Data Protection Board (EDPB), the new name for the group of EU data protection authorities.

One would think that guidance clarifying the extent of a new law would have been one of the first documents to be released by the EDPB or its predecessor (the Article 29 Working Party), but it only arrived a full two and a half years after the text of GDPR was finalized.

Overall, it is a helpful and pragmatic document. It provides welcome clarification to some fundamental concepts, and useful examples to illustrate its points. However, several key questions are left unanswered.

Background

The territorial scope of GDPR is explained in Article 3. The named aspects below are defined further in the guidance. GDPR will apply in two situations: (1) where processing takes place in the context of activities of an Establishment of a controller/processor in the European Union, regardless of where the processing takes place (Establishment Criterion); and (2) where the organization (i) offers goods/services to, or (ii) monitors the behavior of, individuals within the European Union (Targeting Criterion).

Releasing a draft is standard procedure for EDPB, which reviews comments before releasing a final version in a month or two. These changes usually do not vary too much from the draft.

Establishment

The EDPB's predecessor traditionally interpreted the concept of “establishment” very widely, in line with the case law of the European Court of Justice. This was likely a result of the 1995 Data Protection Directive being based on the “location of equipment,” which did not foresee the rise of cloud computing, ubiquitous broadband, or smartphones. Companies outside the European Union could avoid regulation as long as they had no equipment or subsidiaries within it.

The guidance confirms that the legal form of an establishment is not the determining factor (e.g., a subsidiary, branch office, or merely a few employees with no official structure). Even a single employee/agent with a laptop could qualify as an establishment if real work is being done. US companies do not need an office or legal entity in the European Union to be considered established there.

The second aspect of the Establishment Criterion is for the processing to be carried out “in the context of activities of” the establishment. Again, case law has interpreted this widely, famously in the Google Spain “right to be forgotten” case. In that case, Google's Spanish subsidiary's sales activities were sufficient to bring Google Inc. within the scope of EU law. Even though the Spanish subsidiary undertook no processing, its activities were “inextricably linked.”

The guidance sensibly limits this, stating it should not mean that any presence with even the remotest link would bring the non-EU company within scope. However, having an “inextricable link” with the establishment and any revenue-raising by the local establishment likely would.


For example, a South African hotel that markets to EU citizens with a website in English, German, French, and Spanish, but with no office or stable arrangement in the European Union, would not meet the Establishment Criterion. However, it may meet the Targeting Criterion. On the other hand, a Chinese e-commerce website with an office in Berlin that markets to EU citizens would meet the Establishment Criterion, even though all processing occurs in China.

The third aspect states that it doesn’t matter where the processing takes place. This means a Swedish company undertaking a clinical trial from its Singapore branch, with only Singaporean participants, is subject to GDPR, even though none of the participants are located in the European Union. It’s counterintuitive. The fact that the Swedish company is established in the European Union is sufficient for all its processing to be subject to GDPR. The guidance confirms this is the case regardless of the location or nationality of the individuals.

One of the more perverse results of a strict reading of the Establishment Criterion was that a mom-and-pop store in Montana, which only collected the details of its Montana customers but hosted all data on a cloud server located in the European Union, would technically be subject to GDPR. Thankfully, EDPB confirmed this is not the case, and that the controller and processor obligations apply independently to the relevant controller or processor.

However, the controller may still have to comply partially with GDPR via contract. The EU processor is under an obligation to have a GDPR-compliant data processing agreement in place with the Montana store. Many US processors are being asked to meet GDPR standards via this contractual route. Even if the US processor is outside the scope of GDPR, its European customers are not, and many trickle down their GDPR obligations via a data protection addendum.

Targeting

To come under the first limb (i.e., offering goods or services), there needs to be some element of intention on the company's behalf. Mere access to a website from a user in the European Union will not be sufficient. Factors that might demonstrate such intention include:

  • Mentioning an EU member state;
  • Paying for search engine optimization for consumers in the European Union;
  • Marketing campaigns directed at EU audiences;
  • Collecting dedicated addresses or phone numbers in the European Union;
  • Having an EU domain (.eu, .fr, .de);
  • The international nature of the service (e.g., tourism);
  • Travel instructions to the place the service is provided; and
  • The use of language or currency of EU countries (if different from the trader's).

Method of payment is disregarded: free goods/services are also included.

The second limb refers to monitoring of behavior, which could potentially include almost every modern website. The fact that the relevant background recital almost exclusively refers to internet tracking demonstrates the EU legislator's intent to bring US tech companies within the scope of GDPR.

The EDPB clarifies that monitoring is not limited to the internet and also includes CCTV, wearable devices, and behavioral studies. However, the focus remains on behavioral advertising, geo-location, and, of course, online tracking via cookies and similar technologies.

Compared to the first limb, there is no requirement of intention, but the EDPB considers that the controller's motive is still important. Not every online collection of personal data amounts to monitoring, but all of the examples given here likely would. The key consideration is whether the controller is intentionally collecting targeting data for a specific purpose and envisages some subsequent reuse, such as analysis, profiling, or marketing.

The EDPB confirmed that the test turns on “data subjects who are in the Union” and thus nationality or legal status is not determinative. A Taiwanese bank with no EU presence and only customers in Taiwan (even those who happen to be German citizens) will not be subject to GDPR as a result.


Immigration authorities of non-EU countries will not be subject to GDPR for processing EU citizens' data on arrival. The assessment must be made at the time the goods/services are offered or the behavior is monitored, regardless of the duration of the offer/monitoring.

One question we are often asked by our US clients who don’t intentionally offer any services in the European Union is whether GDPR applies if they temporarily offer services because some users are traveling to the European Union. A literal reading implies this is the case. However, the guidance thankfully dismisses it.

A US news app offered exclusively to US users will not be subject to GDPR just because someone uses it on their holiday in France. However, an app offering guides to London and Paris, which by its nature targets users in those cities, would fall within scope, even if most users were tourists only temporarily in the European Union.

Partial application

One of the most common questions US clients ask is: If GDPR applies to us, does it apply to everything we do or just to the “European data”? Sadly, this question is not clearly answered in the guidance. GDPR itself does not seem to envisage partial application.

If GDPR applies to a controller or processor, it applies. The guidance does not specifically address this, but introduces the concept of GDPR applying to the processing, rather than to the controller or processor (for the Targeting Criterion):

"where the processing of personal data falls within the territorial scope of the GDPR, all provisions of the Regulation apply to such processing."

The guidance suggests that GDPR can apply to a certain data set but not to all of the data an organization processes. For example, a Swiss (i.e., non-EU) university offers courses (1) to any students who can speak German and (2) specifically to Austrian universities. GDPR applies to (2) but not (1).

It must therefore follow that non-EU organizations can analyze which aspects of their processing are subject to GDPR and which are not. Of course, depending on how the data is managed, US companies may find that it is in practice more difficult to separate data sets than it is to apply GDPR protection to all.

One-stop shop

On a side note, the EDPB confirmed that companies not established in the European Union cannot take advantage of the “one-stop shop” mechanism, which allows EU-established companies to nominate a lead regulator and deal with them primarily.

This mechanism avoids having to deal with all 27 national and 16 German regulators separately. Whilst this seems like a blow, the much-vaunted one-stop shop was diluted in the final text and doesn’t offer many practical benefits.

Representative

Related to scope considerations is the need for non-EU controllers/processors who are subject to GDPR to nominate a representative within the European Union. The guidance confirms the following points:

  • Nominating a representative does not mean that the company is thereafter established in the European Union for GDPR purposes (even though it meets all the tests described above);
  • The representative cannot also act as the company's Data Protection Officer as the two roles would conflict;
  • The representative should ideally be based in the member state where most of the processing occurs or most of the individuals are located; and
  • The representative will be liable for the non-compliance of the non-EU company, including the huge GDPR fines.

The last point is not new but helpful to clarify, as there was much speculation about this. It is the liability exposure that has meant relatively few organizations are offering representative services and those that do must have very sound professional indemnity insurance.

Conclusion

Overall, the guidance provides welcome clarification on arguably the most significant provision of the GDPR. It is pragmatic and doesn't include any surprises. This is to be expected, given that the guidance has taken the best part of a year to produce and been subject to several unexplained delays. Hopefully, the final version will answer some open questions:

  • Can the GDPR partially apply to a company?
  • Are non-EU companies offering purely B2B services, and so not technically offering services to individuals, subject to GDPR?
  • How should transfers from EU processors (subject to GDPR) to non-EU controllers (not subject to GDPR) be covered? This scenario is not imagined by the current Model Clauses.
  • Must an EU established global controller extend GDPR rights to all data subjects globally?

US companies should reassess their analysis of whether the GDPR applies. Some can now more convincingly argue they are outside its scope, whilst other borderline cases will now find themselves more clearly inside. A representative will also be required.

For those who underwent a GDPR compliance program that now feels unnecessary, don't despair. Implementing GDPR policies is good data practice and any efforts in mapping your data, organizing it more logically, and establishing controls will serve you well in the long run.

About the Authors

Alexander de Gaye is a UK-qualified lawyer specialising in data protection in Fieldfisher's top-ranked Privacy, Security, and Information team. He is currently seconded to Silicon Valley advising primarily US technology, ad-tech, and data companies on their GDPR preparations.
