The extraterritorial scope of the GDPR: Quo Vadis?

On 23 November 2018 the European Data Protection Board (EDPB) published its ‘Guidelines on the territorial scope of the GDPR’. With these guidelines, the EDPB responds to many doubts of companies located outside the EU as to whether they are subject to the General Data Protection Regulation (GDPR) as well. Although the Guidelines are not final yet, they offer much-needed guidance on article 3 of the GDPR and reassure all those fearing the ‘viral effect’ of the GDPR. 

In its guidelines, the EDPB distinguishes 3 criteria which define the territorial scope of the GDPR. The two major ones are:

1. the criterion of ‘establishment’
2. and the ‘targeting’ criterion.

Besides those, a third smaller criterion relates to the applicability of the GDPR by virtue of Member States’ public international law. This third criterion will not be discussed in this blog.

1. Targeting data subjects in the EU

For companies lacking any presence in the EU, the most important criterion relates to the targeting of data subjects in the Union. Pursuant to article 3(2), the GDPR applies to controllers or processors that are not established in the EU if

• the processing of personal data concerns data subjects who are in the union
• and the processing activities relate to either the offering of goods or services, or the monitoring of their behaviour that takes place within the Union.

As such, controllers or processors established outside the Union, will have to comply with the GDPR if they ‘target’ data subjects located in the Union through the offering of goods or services, or behavioural monitoring.

But what exactly is meant by the terms 'offering goods or services', 'monitoring of behaviour' and 'data subjects who are in the Union/behaviour that takes place in the Union'? The EDPB provides advice:

‘Offering goods or services’:

The concept of ‘offering goods or services’ to data subjects in the Union was discussed extensively by the EDPB in its guidelines. In line with recital 23 of the GDPR, the EDPB confirms that offering goods or services to data subjects in the Union requires a certain intention of the controller or processor. Hence, the mere accessibility of the company’s website in the Union, the mentioning of an email address and telephone number without international code or the use of a language generally used in the country of the controller is insufficient to ascertain such intention.

Factors which the EDPB does consider relevant, however, are:

• the use of a toplevel domain name other than that of the non-EU country in which the controller or processor is established,
• the use of language or currency not generally used in the trader’s country (especially when it is used in EU Member States),
• the use of paid internet referencing services in order to facilitate access to one’s site by consumers in the Union…

In the view of the EDPB, these factors, if taken alone, may not always amount to a clear indication of the intention required, but when jointly taken into account in an analysis in concreto, they might be considered as an offer of goods or services directed at data subjects in the Union.

In any case, a direct or indirect connection needs to exist between the processing activity and the offering of the goods or services.

‘Monitoring of behaviour’:

The EDPB takes a broad view on the concept of ‘behavioural monitoring’. Whereas recital 24 of the GDPR only mentions tracking of people on the internet, the EDPB considers that tracking through other types of network or technology involving personal data processing (for example through wearables and other smart devices) should also be taken into account when assessing if a processing activity amounts to behavioural monitoring.

Other examples of monitoring activities are:

• geolocalisation activities,
• online tracking through cookies,
• CCTV,
• behavioural advertisement…

Although the GDPR does not require an intention to target when it comes to behavioural monitoring, the EDPB still feels that the word ‘monitoring’ implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. In that sense, not every online collection or analysis of personal data of individuals in the EU automatically counts as monitoring. The specific purposes of the controller, such as for example profiling, are to be considered.

‘Data subjects who are in the Union / behaviour that takes place in the Union’:

With regard to the location requirement, the EDPB emphasizes that the targeting criterion is not limited by the citizenship, residence, or other type of legal status of the data subject whose personal data are being processed, nor by the circumstance that the goods or services were delivered for free. Consequently, a U.S. company offering a service through a mobile app freely accessible by tourists in the EU will be subject to the provisions of the GDPR. However, if that app was exclusively directed at the U.S. market and used by a U.S. tourist visiting Europe, the processing of that tourist’s personal data will not be governed by the GDPR.

This example given by the EDPB is (most likely) inspired by the will to prevent US companies from geo-blocking EU visitors because of the GDPR.

2. Establishment in the EU

Companies that are based outside the EU, can still be subject to the GDPR if they have an ‘establishment’ in the EU. This follows from article 3 (1) of the GDPR, which stipulates that the Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not (and regardless of the location or nationality of the data subject, for that matter).

Once again, in its guidelines, the EDPB provides valuable advice for determining when a processing activity should be considered as processing ‘in the context of the activities’ of an ‘establishment’.

Processing ‘in the context of the activities’ of an establishment:

First of all, it is important that the processing of personal data is carried out ‘in the context of activities of the establishment’, meaning that there is an inextricable link between the activities of the establishment in a Member State and the data processing activities of the non-EU entity. However, the mere fact that revenues are generated by the local establishment can, according to the EDPB, be indicative of such an inextricable link.

‘Establishment’

The definition of ‘an establishment in the Union’ has been scrutinized by the Board. Based on recital 22 of the GDPR and the case law of the CJEU, the EDPB argues that an establishment is: ‘any real and effective activity – even a minimal one – through stable arrangements’, regardless of its legal form (registered or not, branch or subsidiary…).

The question as to whether or not there is an establishment in the EU should be considered in the light of the specific nature of the economic activities and the provision of services concerned. Particularly for companies offering services exclusively on the internet, the threshold can be quite low. As such, the presence of a single employee or agent of the non-EU entity in the EU may qualify as a stable arrangement. But rest assured, the mere accessibility of the website of a non-EU company in the Union cannot cause the company to be established in the EU. Anyhow, it concerns a case-by-case in concreto analysis.

Furthermore, the notion of establishment in the EU has led many to doubt if the use by a non-EU controller of an EU processor leads to the conclusion that the controller is established in the Union, or vice versa, that a non-EU processor providing services to an EU controller has an establishment in the Union. In this context, the EDPB has made clear that the processing by each entity must be considered separately. Consequently, a processor in the EU should not be considered as an establishment of the controller merely because of its status as processor. The existence of a relationship between the non-EU controller and EU processor does not necessarily trigger the application of the GDPR. The EU processor will however still be subject to the processor obligations imposed by the GDPR, such as the duty to maintain a record of processing activities and the duty to conclude a data processing agreement, by virtue of article 3(1). 

The other way around, when a non-EU processor acts on instructions from an EU controller, that non-EU processor will be indirectly subject to the GDPR, by consequence of article 28(3) of the GDPR, which provides that the processing by a processor shall be governed by a contract or other legal act. This means that the controller would have to put in place a contract with the non-EU processor addressing the data protection requirements set out in article 28(3). If the processor located abroad does not comply with these requirements, this should be considered as a breach of contract, not as a violation of the GDPR.

Conclusion

Although it would be overly exaggerated to contribute a ‘viral effect’ to the GDPR, it is clear from the guidelines that the EDPB takes an expansive view on the applicability and reach of the GDPR. Companies established outside the EU should be aware that even a minimal activity or presence - such as an intention to offer services or the presence of an EU agent – is sufficient to meet the GDPR’s applicability threshold. In addition, standard online practices, such as tracking through cookies, can bring a company within the scope of the GDPR.