Unlike EU ‘directives’, EU ‘regulations’ are by nature directly effective in EU Member States and so do not require further implementation into national laws. Previously, European data protection law was governed by the Data Protection Directive. It was the responsibility of Member States to implement the Data Protection Directive into their national law. When the Regulation becomes law, it will apply immediately throughout the EU due to its direct effect. As a consequence, national data protection acts will cease to be relevant for all matters falling within the scope of the Regulation.
Why does this matter?
It is absolutely crucial for organisations to know if they are or are not subject to the Regulation. Since the Regulation strengthens data protection principles, requires organisations to demonstrate compliance and ushers in greater enforcement powers for regulators, it is essential for all organisations, public and private, local, national or global, to understand in what circumstances the Regulation will apply to their use of personal data.
When will the Regulation apply?
The Regulation will be applicable in three situations:
1) Established in the EU
The Regulation applies when an organisation (whether a controller or processor) is processing personal data in the context of the activities of an establishment in the EU, whether the actual processing takes place within the EU or not. This rule retains the concept of processing data in the context of an establishment based in the EU which is included in the current Data Protection Directive. Therefore, the presence in the EU of a branch or subsidiary or only a single individual may all bring the data processing activity (whether the EU presence is acting as a controller or processor) within the scope of the Regulation
What this means
For many organisations (companies, branches, partnerships etc.) based in the EU there is no change since they are already acting as controllers established in the EU and required to comply with the current Data Protection Directive. The Regulation clarifies that it is irrelevant if the actual processing takes place within the EU or not (i.e. the data could be stored on clouds in the US). An organisation established in the EU making decisions about the processing of personal data (wherever that processing occurs) in the context of its activities is caught by the Regulation.
However, now entities that are established in the EU and act as processors when processing client data (e.g. technology service providers) will be required to comply with the Regulation and not just with their contractual obligations to their clients. This will require processors established in the EU to assess what obligations under the Regulation apply to them and take the necessary steps to comply.
2) Individuals in the EU
In order to ensure that organisations cannot avoid their responsibilities under EU data protection law simply through being located outside the EU, the Regulation introduces a new provision which is based primarily on processing the personal data of individuals in the EU. If a non-EU organisation is processing the personal data of individuals in the EU for activities relating to:
- Offering goods or services to such individuals; or
- Monitoring their behaviour
then such non-EU organisations are required to comply with the Regulation.
What this means
All non-EU organisations that collect data on individuals through websites and other remote interactions are now potentially susceptible to the scope of the application of the Regulation. This is the biggest change to the applicable law rule under the Regulation.
Non EU-organisations will need to consider whether they are involved in online offerings of goods and services or monitoring activities that are directed at individuals in the EU. Merely being able to access a website in the EU, or an email address, or contact details or the use of a language used in a non-EU country are not in themselves sufficient to determine the intention by a non- EU organisation to offer goods and services to individuals in the EU. However, it seems that the use of a language or currency generally used in a Member State, the possibility of ordering goods and services in that language, and/or referring to users or customers in the EU are likely to indicate that the controller envisages offering goods or services to individuals in the EU.
In determining whether processing amounts to monitoring of behaviour, the recitals to the Regulation indicate that it should be ascertained whether individuals are tracked on the internet including potential subsequent use of data processing techniques which consist of profiling them, particularly in order to take decisions concerning them or to analyse or predict their preferences, behaviours and attitudes. The language looks primarily designed to catch online behavioural advertising networks (although there will be other services) that create profiles according to the behaviour of a device online (and behind the device, an individual) and then serve up relevant ads. This moves the focus away from identifying ‘equipment’ located in the EU (as required under the Data Protection Directive) and onto the actual deliberate activity of targeting individuals in the EU.
3) Public International Law
The Regulation applies to controllers not established in the EU but in a place where the national law of a Member State applies by virtue of public international law.
What this means
This is the same rule from the Data Protection Directive and is designed principally to capture data processing by Member States’ overseas diplomatic establishments.
Judicial and regulatory support for a broad scope
Recently courts and regulators have indicated their support for a broad interpretation of the rule on the applicability of the law which complements the position under the Regulation. In its decision of May 2014 (known as the Google Spain ‘right to be forgotten’ decision) the Court of Justice of the European Union (CJEU) found that the advertising sales generated by Google Spain (the local subsidiary of the US company Google Inc.), were sufficiently linked to the Google search activities that the individual affected complained about. Even though Google Spain neither designed nor operated Google’s search business in Spain, because the data processing at issue related to the search business which Google Spain’s sale of online advertising space helped to finance, this was processing of personal data carried out ‘in the context of the activities’ of the Spanish establishment. Therefore, the Data Protection Directive applied to the data processing the individual complained about.
Similarly the Belgian Privacy Commissioner (in May 2015) issued a recommendation that clarified that Belgian law applied to Facebook’s activities in Belgium regardless of the arguments Facebook made that the data controller of its processing in the EU was established in Ireland and therefore its processing was subject to Irish data protection law.
In October 2015, the CJEU ruled in Weltimmo that the concept of ‘establishment’ under the current Data Protection Directive should be interpreted broadly. In the CJEU’s view even minimal activities in a Member State can trigger the application of the local law of that Member State. This decision therefore risks dislodging the long-standing country of origin principle
under the Data Protection Directive, under which an organization established in one Member State only has to observe the data protection law of that Member State even when it processes personal data about individuals resident in other Member States.
Following the CJEU’s Google Spain decision in May 2014, the CJEU’s decision in Weltimmo in October 2015 and increasing regulator activism, all global businesses should take note of how they may be brought within the scope of the Regulation even if it appears that a non-EU based part of their business is involved in different services from EU operations
What to do now
- Identify any processor entities established in the EU and initiate a plan to ensure that such entities comply with their applicable obligations under the Regulation.
- Non-EU organisations should consider whether they could be considered to be ‘established’ in the EU even if they are only engaged in minimal activities in a Member State.
- Non-EU organisations should assess whether their online presence will fall within the rules of offering goods or services to, or monitoring of, individuals in the EU. Where this is the case, they should assume that the Regulation will apply.
- While global businesses without a clearly identified EU-based controller have in the past positioned an entity in one EU Member State as the entity through which they conduct all data processing subject to EU rules, this strategy will be under much greater scrutiny following the Weltimmo decision. For some controllers it will be additionally important to facilitate an ongoing dialogue with the data protection regulator of that Member State to explain its position.
For Part 1 of this series, “Future-Proofing Privacy,” click here.