EU Regulators Finally Clarify Scope of GDPR

This article follows last year's article concerning the draft guidance on the scope of the EU General Data Protection Regulation (GDPR). The final version of that guidance was published on Nov. 12, 2019.

Typically, the finalized version, which takes account of comments submitted by industry bodies, affected organizations, and concerned individuals, is published within a couple of months of the draft. However, this one took the European Data Protection Board (EDPB) an entire year. No official reason was given for the delay, but typically this is due to differences of opinion between EU member states.

It is, of course, a significant document and so it was important to get it right. The document answers the most pressing of questions: "Does the GDPR apply to my organization, and if so, to what extent?" 

This update will not repeat the former article other than to remind readers of the two criteria by which your organization will be caught by GDPR: 

  • Article 3(1) (the "Establishment" criterion) provides that GDPR applies to processing "in the context of an establishment" of a controller or processor in the European Union.
  • Article 3(2) (the "Targeting" criterion) provides that GDPR applies to non-EU controllers or processors in two situations: (i) those that offer goods or services to individuals in the European Union, and (ii) those that monitor the behavior of individuals in the European Union.

The finalized guidance maintains the draft's structure of addressing each in turn. 

Establishment 

The changes here were not significant. The EDPB confirmed that the mere presence of an employee in the European Union who is not processing any EU data would not be sufficient to meet the Establishment criterion. A controller not established in the European Union without any "stable relationship" and not processing any EU data, but who might have one EU-based employee processing purely non-EU data, would not be caught. 

Targeting 

There was one major change here, potentially very significant for US vendors. The EDPB stated that a non-EU processor providing services for a non-EU controller who targets services at EU individuals would likely meet the Targeting criterion just because of its customer. The guidance stated there must be a connection between the targeting and the processing of the processor, but then gave such broad examples that it would be difficult to imagine any situation where there is no connection. 

For example, a US-based health app aimed at EU users uses a US-based cloud service provider to store its data. The cloud provider would be caught because it carries out processing on behalf of the controller, and so there is a connection between its processing and the targeting. This is bad news for any US vendors who positioned themselves as outside the scope of GDPR because they are not established in the European Union and only serve their business customers in the European Union.

However, there is some good news. The EDPB confirmed what was long suspected from a sensible reading of Article 3: if an organization is based outside the European Union but targets some of its activities at EU individuals, GDPR will apply to that EU dataset only, and not to the entire organization. The guidance goes to great lengths to emphasize that GDPR application attaches to the processing activity, not to the organization itself.

The EDPB also confirms that there must be an intention to target EU individuals. If you are based outside the EU and do not offer services to EU individuals, and one of your customers goes to the European Union temporarily on holiday, this does not bring you within scope.

Representative 

The other potentially significant change involves representatives. Non-EU organizations must nominate a representative in the European Union. According to a strict reading of GDPR, the representative itself is fully liable for the actions of the controller or processor that appointed it. This somewhat stymied the development of a market for representatives.

The guidance now softens the tone, stating that actions are to be taken through the representative rather than against it. Whether this encourages more organizations to offer such services remains to be seen.

And sadly, for those of us Brits who are hopeful Brexit will be canceled, all references to the United Kingdom in the draft example scenarios were removed.

About the Authors

Alexander de Gaye is a UK-qualified lawyer specializing in data protection in Fieldfisher's top-ranked privacy, security, and information team. Until recently, he was seconded to Silicon Valley to advise primarily US technology, ad-tech, and data companies on their GDPR preparations, and has since returned to the United Kingdom.