On November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR here and here. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside and outside the EU.
Establishment in the EU
Controllers and Processors established in the EU will be subject to GDPR, regardless of whether the processing of personal data takes place in the EU. Establishment in the EU is a low threshold and, as expected, entities with branches or subsidiaries in the EU will be covered, but coverage can also extend to entities with a single employee or agent in the EU. Essentially, pre-GDPR case law on these points is confirmed.
Processors established in the EU will be subject to the GDPR even where the Processor is processing data behalf of a non-EU Controller that itself is not subject to the GDPR. In practice, that means an EU Processor that processes data on behalf of a US entity in connection with US data subjects, will still be subject to GDPR for that data.
The Guidelines confirm that the Processor is subject to the GDPR’s data export provisions in this situation but offers no solution (there are no Processor to Controller EU model clauses) which is uncomfortable for such EU Processors.
Targeting of data subjects in the Union
Controllers and Processors that target data subjects in the Union will be subject to the GDPR even if they are not established in the EU. To determine whether targeting of data subjects occurs in the Union, the Guidelines set out a two-step approach:
- Does data relate to data subjects in the Union?
- Does data relate to the offering of goods and services to data subjects in the Union or the monitoring of data subjects in the Union?
Who are data subjects in the Union?
Data subjects in the Union means any person in the Union whose information is being collected at that moment, regardless of their nationality or legal status. That means EU citizens and residents are squarely in scope. And someone in the EU, even a US tourist using an app in the EU, is a data subject in the Union for purposes of the GDPR.
The Guidelines note that the processing of personal data of EU citizens that takes place outside the EU will not trigger the GDPR so long as the processing is not a specific offer directed at individuals in the EU or to monitor their behavior in the EU. For example, a US company with employees in the US who hold EU citizenship will not be subject to the GDPR just because they employ EU Citizens. However, a US company with employees in the EU, will be subject to the GDPR even if the company’s employees in the EU are US citizens.
What qualifies as offering goods and services?
The GDPR applies to entities that target data subjects in the EU with goods or services. Here, an entity only need an “intention” to offer goods and services to EU data subjects – there is no requirement that commerce or economic activity occurs. For example, if a company’s website displays languages or currencies commonly used in the EU, then that company would be targeting EU data subjects even if it never made a sale in the EU. One limited example is provided of where this intention is not manifest and that is when a US citizen uses a US news app while traveling in the EU.
The Guidelines also give a list of nine factors that can be taken into account in determining where an intention to offer goods and services exists, including: whether an EU member state is designated by name, advertising campaigns in the EU, the international nature of the activity, mention of addresses or phone numbers reachable from an EU country, use of a top level EU domain name, description of travel instructions from the EU to the services, mention of international clientele or customers in the EU, use of language or currency commonly used in the EU, and whether goods are delivered in EU countries.
What meets the threshold for monitoring EU Data Subjects?
The GDPR applies when entities monitor the behavior of EU data subjects when that behavior takes place in the EU. Per the EDPB, ‘monitoring’ implies that the Controller has a “specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behavior within the EU.” Examples of monitoring behavior include the use of common online tools such as cookies, geolocation tracking, and behavioral advertising but also offline monitoring such CCTV.
EU representatives of Controllers or Processors not established in the Union
After a short section on how the GDPR applies to diplomatic missions and consular posts by virtue of public international law, the Guidelines address representatives of Controllers or Processors not established in the EU. An EU representative must be appointed if a Controller or Processor is subject to the GDPR by virtue of offering goods or services or monitoring data subjects in the Union. Of particular note in this section, the Guidelines state that the responsibilities of an EU representative are incompatible with that of an external DPO and that it is the EDPB’s view that fines and penalties can be enforced against the EU representative. Both of these points are somewhat controversial and not fully supported by the text of the GDPR.
The Guidelines confirm that the EDPB will be taking an expansive view on the applicability and reach of GDPR. Companies outside the EU that thought their activities might fall outside the scope of GDPR should bear in mind that even minimal activity – such as an intention to offer goods or services – is enough to meet GDPR’s applicability threshold. In addition, standard online practices, such as behavioral advertising, are enough to bring a company in scope. Further, there are no exceptions for entities with “de minimus” contacts or business in the EU.
The Guidelines are now open for public comment until January 18, 2019. Comments can be made to EDPB@edpb.europa.eu.
*Max Kellogg, Law Clerk, assisted with the preparation of post.