By Jordan L. Fischer of XPAN Law Group LLC
On Nov. 16, 2018, the European Data Protection Board (EDPB) adopted Guidelines 3/2018 on the territorial scope of the GDPR (Guidelines), soliciting public consultation through Jan. 18, 2019. While these are not final, they provide some of the first indicators on how the EU will interpret the jurisdictional reach of the GDPR – a critical analysis for many U.S.-based companies.
Article 3 of the GDPR outlines the criteria to be used to determine who is impacted by — and therefore required to comply with — the GDPR. Article 3 has garnered a lot of consideration, especially for entities not established within the European Union. The Guidelines outline two main criteria for determining whether the GDPR applies: “the ‘establishment’ criterion, as per Article 3(1), and the ‘targeting’ criterion as per Article 3(2).” See Guidelines, at 3.
Article 3(1) states:
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
The EDPB makes clear that Article 3(1) can apply to both controllers or processors. As such, a processor impacted by the GDPR would still need to comply with the GDPR in the processing of the personal data, even if the controller would not need to comply. See Guidelines, at 9. As such, the GDPR can apply even if the personal data was not originally GDPR-impacted by virtue of a processor “established” within the EU. And, the EDPB makes it abundantly clear that the nationality of the data subject is irrelevant to whether the GDPR applies. See Guidelines, at 9.
Under the Article 3(1) criterion, the EDPB provides a three-consideration approach. First, an entity needs to determine if it is “established” within the Union. Drawing guidance from prior Court of Justice of the European Union (“CJEU”) case law, the EDPB states that “both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be considered in the light of the specific nature of the economic activities and the provision of services concerned.” See Guidelines, at 5. Physical presence in the EU is not the sole determinant of “establishment.”
Second, the processing activities at issue must be carried out in the context of the activities of the establishment. This requires an entity to identify “any potential links between the activity for which the data is being processed and the activities of any presence of the organisation in the Union” (i.e., the establishment). See Guidelines, at 7.
Third, the EDPB makes clear that whether the processing occurs in the EU or outside of it is irrelevant for the application of Article 3(1). The trigger is processing that “takes place in the context of the activities of” an establishment within the Union. See Guidelines, at 8.
For the “targeting” criterion, Article 3(2) states:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
For this criterion, the EDPB states that the focus is on “what the ‘processing activities’ are ‘related to’” and breaks the analysis into two parts. See Guidelines, at 11.
First, the triggers for Article 3(2) are (a) a data subject’s location within the EU at the time the activity takes place and (b) some element of “targeting” data subjects within the EU. The EDPB makes it clear that the processing of EU citizen or resident personal data alone is not sufficient to trigger GDPR requirements. See Guidelines, at 14.
Second, an entity must determine “whether the conduct on the part of the controller or processor demonstrates its intention to offer goods or a services to a data subject located in the Union.” See Guidelines, at 15. Some connection, either directly or indirectly, needs to exist between the processing activity and the offering of a good or service, in order to trigger Article 3(2). The EDPB goes on to list a number of factors to be taken into consideration when making this determination.
Alternatively, Article 3(2) is triggered when monitoring the behavior of a data subject within the EU. See Guidelines, at 17. The Guidelines clarify that online collection of personal data and any subsequent analysis does not, by itself, necessarily trigger the “monitoring” jurisdictional requirement. Instead, it is a fact-based analysis, with the EDPB listing a number of activities that could be considered “monitoring behavior.”
Finally, the EDPB provides guidance on the designation of a representative for controllers or processors not established in the Union under Article 27, making it clear that a DPO (Data Protection Officer) should not be designated as a representative because of the “possible conflict of obligation and interests” inherent in the two separate and distinct roles. See Guidelines, at 21.
These Guidelines are not in final form, but they do provide great insight into the approach the EDPB is taking as it relates to the jurisdictional impact of the GDPR. The Guidelines also reiterate that the GDPR is meant to be all encompassing and not limited by citizenship, residence or any other legal status of the data subject. Companies need to assess the impact of the GDPR on their organisations with this new guidance on the jurisdictional reach of this Regulation, and determine whether these Guidelines foreshadow risk of non-compliance under the GDPR.