Regulation on data protection and privacy in the European Union (“EU” or “Union”) is governed by the General Data Protection Regulation (“GDPR” or “Regulation”). On November 12, 2019, the European Data Protection Board (“EDPB”) adopted a final version of Guidelines 3/2018 on the territorial scope of the GDPR.
Under the GDPR, jurisdiction depends less on where a business is incorporated or headquartered and more on the scope and location of its business activity. The Regulation also applies to businesses outside the EU if their data processing activities relate to the offering of goods or services to individuals in the EU or to the monitoring of such individuals’ behaviour. This latter provision expands the territorial scope of the GDPR well beyond the EU, giving it effectively global reach. As such, it is important to understand the territorial scope of the GDPR.
Article 3 of the GDPR defines the territorial scope of the GDPR on the basis of two main criteria:
- the “establishment” criterion, as per Article 3(1); and
- the “targeting” criterion, as per Article 3(2).
Where either of these two criteria is met, the relevant provisions of the GDPR will apply to the processing of personal data by the controller or processor concerned. In addition, Article 3(3) confirms the application of the GDPR to processing where Member State law applies by virtue of public international law.
As a general principle, where the processing of personal data falls within the territorial scope of the GDPR, all provisions of the GDPR apply to such processing.
Data Controller & Data Processor
It is first necessary to identify who is the controller and who is the processor for a given processing activity. According to the definition in Article 4(7) of the GDPR, controller means “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
A processor, according to Article 4(8) of the GDPR, is “the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Criterion 1: The “Establishment” Criterion
Article 3(1) of the GDPR provides that the “Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
Approach Towards Establishment Criterion
The EDPB recommends a three-fold approach in determining whether or not the processing of personal data falls within the scope of the GDPR pursuant to Article 3(1):
- determine whether the data controller or processor has “an establishment in the Union”;
- determine whether data is “processed in the context of activities of an establishment in the Union”; and
- confirm that the GDPR will apply regardless of whether the processing carried out in the context of the activities of the establishment takes place in the Union or not.
(1) “Establishment in the Union”
If a data controller or data processor established outside the Union exercises a “real and effective activity—even a minimal one” through “stable arrangements”, regardless of its legal form (e.g. subsidiary, branch, office), in the territory of the EU, the data controller or data processor has an establishment in the EU for the purposes of Article 3(1). In order to determine whether an entity has an “establishment” in the EU, the following factors are considered:
- the degree of stability of the arrangements;
- the effective exercise of activities in the EU Member State;
- the specific nature of the economic activities and the provision of the services concerned; and
- the number of employees present at the establishment and whether the employees act with a sufficient degree of stability.
Although the notion of an establishment is broad, it is not without some limits—a non-EU entity will not be considered as having an establishment in the EU merely because it has a website accessible in the Union.
(2) “Processed in the Context of Activities of an Establishment in the Union”
The following two factors may help determine whether the processing is being carried out by a controller or processor in the context of its establishment in the Union:
- Relationship between a data controller or processor outside the Union and its local establishment in the Union. If there is an inextricable link between the processing of personal data carried out by a non-EU controller or processor and the activities of an EU establishment, the GDPR will apply to that processing.
- Revenue raising in the Union. Revenue-raising in the EU by a local establishment, to the extent that such activities can be considered inextricably linked to processing carried out by the non-EU controller or processor, may be indicative of processing in the context of the activities of the EU establishment.
Non-EU organizations should assess their processing activities by first determining whether personal data is being processed, and then identifying potential links between the activity for which the data is being processed and the activities of any presence of the organization in the EU.
The following provides an illustrative example: An e-commerce website is operated by a company based in China, and the company’s personal data processing activities are carried out exclusively in China. The Chinese company has a European office in Berlin that leads and implements commercial prospection and marketing campaigns towards EU markets. In this case, the activities of the Berlin office can be considered inextricably linked to the processing of personal data carried out by the Chinese e-commerce website, insofar as the commercial prospection and marketing campaigns towards EU markets serve to make the service offered by the e-commerce website profitable. As such, the processing activities of the Chinese company will be subject to the GDPR.
(3) “Regardless of Whether the Processing Takes Place in the Union or Not”
In determining the territorial scope of the GDPR, geographical location will be important with regard to the place of establishment of:
- the controller or processor itself (i.e. is it established inside or outside the Union?); and
- any business presence of a non-EU controller or processor (i.e. does it have an establishment in the Union?)
However, geographical location is not important for the purposes of Article 3(1) with regard to the following:
- the place in which processing is carried out;
- the location of the data subjects in question; and
- the nationality of the data subject whose personal data is being processed.
For example, if a French company develops a car-sharing application exclusively addressed to customers in Morocco, Algeria, and Tunisia, the provisions of the GDPR will still apply to the processing carried out by the French company because the data processing is carried out in the context of the activities of a data controller established in the Union.
Application of the Establishment Criterion
The existence of a relationship between a controller and processor does not necessarily trigger the application of the GDPR to both, should one of these two entities not be established in the Union. There are two ways in which the establishment criterion may be applied to a data controller and processor.
(1) Processing by a controller established in the EU instructing a processor not established in the EU
Where a controller subject to the GDPR chooses to use a processor located outside the Union for a given processing activity, the controller must still ensure that the processor processes data in accordance with the GDPR. The controller should impose, by contract or other legal act, the obligations the GDPR places on processors. This is an important point for both data controllers and processors to note: a processor located outside the EU may be indirectly subject to GDPR obligations by virtue of its contractual arrangements with a controller that is subject to the Regulation.
For example, if a Finnish research institute conducts research regarding the Sami people in Russia and uses a processor based in Canada, the Finnish institute, as controller, must enter into a data processing agreement with the Canadian processor that meets the requirements of Article 28.
(2) Processing carried out in the context of the activities of an EU establishment of a processor
A non-EU controller will not become subject to the GDPR simply because it chooses to use a processor in the Union.
Where a data processor established in the Union carries out processing on behalf of a data controller established outside the Union and not subject to the GDPR, the processing activities of the data controller are not deemed to fall within the territorial scope of the GDPR. However, the data processor will still be subject to the GDPR provisions that impose obligations directly on processors, such as:
- obligations under Article 28(2), (3), (4), (5), and (6) on the duty to enter into a data processing agreement;
- the processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process that data except on instructions from the controller, unless required to do so by Union or Member State law;
- where applicable, the processor shall maintain a record of all categories of processing carried on behalf of a controller;
- the processor shall cooperate with the supervisory authority in the performance of its tasks;
- the processor shall implement technical and organizational measures to ensure a level of security appropriate to the risk;
- the processor shall notify the controller without undue delay after becoming aware of a personal data breach;
- where applicable, the processor shall designate a data protection officer;
- the processor shall comply with the provisions on transfers of personal data to third countries or international organizations;
- the processor shall ensure its processing remains lawful with regards to other obligations under EU or national law;
- the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
For example, if a Mexican retail company enters into a contract with a processor established in Spain for the processing of personal data relating to the Mexican company’s clients, the Mexican retail company, as data controller, will not be subject to the GDPR. The data processor, however, is established in Spain, and its processing will therefore fall within the scope of the GDPR.
Criterion 2: The “Targeting” Criterion
Article 3(2) sets out the circumstances in which the GDPR applies to a controller or processor not established in the Union, depending on their processing activities. Specifically, Article 3(2) provides that the “Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
Approach Towards Targeting Criterion
In assessing the conditions for the application of the targeting criterion, the EDPB recommends a two-fold approach:
- determine whether the processing relates to personal data of data subjects who are in the Union; and
- determine whether the processing relates to the offering of goods or services or the monitoring of data subjects’ behaviour in the Union.
(1) Data Subjects in the Union
The application of the targeting criterion is not limited by citizenship, residence, or type of legal status. In other words, it is not limited to EU citizens. The requirement that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment of offering goods or services or when behaviour is being monitored, regardless of the duration of the offer made or the monitoring undertaken.
For example, if an Australian company offers a mobile news and video content service exclusively to users in Australia, and the service is not withdrawn when an Australian subscriber travels to Germany on holiday, the processing will not be subject to the GDPR. Even though the Australian subscriber continues to use the service while in the EU, the service is not “targeting” individuals in the EU; it is targeting only individuals in Australia.
(2) Triggering Activities
i. Offering of Goods or Services
The first activity triggering the application of Article 3(2) is the “offering of goods or services.” This applies irrespective of whether a payment by the data subject is required. A key element is whether there is an intention to offer goods or services to data subjects in the Union. Recital 23 of the GDPR and case law of the Court of Justice of the European Union (“CJEU”), notably the Pammer and Hotel Alpenhof judgments on the targeting of consumers, provide the following factors, which can be taken into consideration, possibly in combination with one another, to determine whether goods or services are offered to data subjects in the Union:
- the EU or at least one Member State is designated by name with reference to the good or service offered;
- the data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the EU;
- the controller or processor has launched a marketing and advertising campaign directed at an EU country audience;
- the international nature of the activity in issue, such as tourist activities;
- the mention of dedicated addresses or phone numbers to be reached from an EU country;
- the use of a top-level domain name other than that of the third country in which the controller or processor is established (e.g. “.de” or “.eu”);
- the description of travel instructions from one or more other EU Member States;
- the mention of an international clientele composed of customers domiciled in EU Member States, in particular by the presentation of accounts;
- the use of a language or a currency other than what is used in the trader’s country, especially in a language or currency of an EU state; and
- the data controller offers delivery of goods in the EU Member States.
ii. Monitoring of Data Subjects’ Behaviour
The second type of activity triggering the application of Article 3(2) is the monitoring of data subjects’ behaviour as far as that behaviour takes place within the Union. The consideration is whether natural persons are tracked on the internet (or through other types of network or technology, such as wearable smart devices) in order to take decisions concerning them or to analyze or predict their personal preferences, behaviours, and attitudes. The following are examples of monitoring activities:
- behavioural advertisement;
- geo-localization activities, especially for marketing purposes;
- personalized diet and health analytics services online;
- market surveys and other behavioural studies; and
- monitoring or regular reporting on an individual’s health status.
Processor Not Established in the Union
In addition to the above, to determine whether a data processor not established in the Union may be subject to the GDPR, it is necessary to look at whether the processor’s processing activities are related to the targeting activities of the controller.
Where a controller’s processing activities relate to the offering of goods or services to, or the monitoring of the behaviour of, individuals in the Union, any processor instructed to carry out that processing on behalf of the controller will also fall under the provisions of the GDPR.
The following provides an illustrative example: A Brazilian company sells food ingredients online and instructs a data processor also established in Brazil to develop special offers to customers in France, Spain, and Portugal. Processing activities by the Brazilian processor, under the instruction of the data controller, are related to the offer of goods to data subjects in the EU. Furthermore, by developing these customized offers, the data processor is directly monitoring data subjects in the EU. The data processor’s activities would, therefore, be subject to the GDPR.
The decision tree for the territorial scope of the GDPR, together with the factors to consider at each step, is summarised in flowcharts accompanying the original article (not reproduced here). For additional information on the territorial scope of the GDPR, see the EDPB’s Guidelines 3/2018.
The information and comments herein are for the general information of the reader and are not intended as advice or opinion to be relied upon in relation to any particular circumstances. For particular application of the law to specific situations, the reader should seek professional advice.