The EU General Data Protection Regulation is now a fully functioning six-month-old creature, which has brought with it significant evolutionary changes. One of the most notable innovations of the new European data protection framework is its ambitious extra-territorial application. The introduction of brand new grounds for the applicability of the law was a major development.
As a result, and as essential as this is, the GDPR’s territorial scope of application has become one of the most difficult issues to pin down. Therefore, the publication of the European Data Protection Board’s draft guidelines on the territorial scope of the GDPR marks an important milestone in understanding the implications of this influential framework.
It is fair to say that the publication of regulatory guidance always generates some trepidation. Will it match our current understanding of the law? Will it be pragmatic? Will it be strict? Or a bit of both? Given the consequences of determining whether the GDPR applies or not to any given data activities, it is crucial to get this issue right.
On this occasion, the EDPB has produced a detailed 23-page document that is both authoritative and full of common sense.
Confirming Old Ground
The guidelines start by treading into well-known territory: the “establishment criterion.” Following a principle that already existed under the 1995 Data Protection Directive, the GDPR will apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU. So the EDPB relies on existing case law to consolidate its opinion on this criterion.
In other words, the EDPB does not change the interpretation of this criterion but simply follows the doctrine established by the Court of Justice of the European Union in various ground-breaking decisions. In essence, if the activities of a local establishment in an EU member state and the data processing activities of a data controller or processor established outside the EU are inextricably linked, that will trigger the applicability of EU law, even if that local establishment is not actually taking any role in the data processing itself.
In interpreting this principle, the EDPB reasonably points out that in line with the CJEU’s thinking, it is not possible to conclude that a non-EU entity has an establishment in the Union merely because its website happens to be accessible in the EU.
Furthermore, the existence of an establishment within the meaning of the GDPR should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law.
Perhaps even more crucially, the EDPB confirms that a processor in the EU should not be considered to be an establishment of a data controller merely by virtue of its status as processor. As the EDPB puts it, the existence of a relationship between a controller and a processor does not necessarily trigger the application of the GDPR to both, should one of these two entities not be established in the EU.
All in all, the guidelines do not break any new ground when confirming the regulators’ interpretation of the establishment criterion but simply reiterate the existing reasoning under the previous legal framework.
It is in relation to the new “targeting criterion” where the EDPB’s input is particularly helpful. The idea of determining the applicability of the GDPR by reference to where people are rather than where the equipment involved in the processing is located is perfectly logical, but a novel approach in European data protection.
So any guidance aimed at injecting practical thinking into this approach is to be welcomed. Fortunately, the EDPB delivers that, and the guidelines’ stance on certain situations will be well received by overseas organizations.
In particular, there are some clarifications in relation to the way in which the “offering of goods and services” and the “monitoring of individuals’ behavior” are to be interpreted that are set to become solid points of reference for the years to come. These include:
- Processing personal data of individuals who are in the EU alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the Union. The element of “targeting” individuals in the EU, either by offering goods or services to them or by monitoring their behavior must always be present.
- It is the conduct on the part of a controller or processor that demonstrates its intention to offer goods or services to individuals located in the EU, and this conduct can be ascertained through the notion of “directing an activity” to the EU market as developed by the CJEU’s decisions on commercial jurisdictional matters.
- The idea of monitoring implies that a controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behavior within the EU. Accordingly, the EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring.” It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioral analysis or profiling techniques involving that data. Nonetheless, monitoring goes beyond online tracking: it also covers CCTV usage and market surveys based on individual profiles.
However, as helpful as the guidelines are in clarifying the points covered, there are still some open issues where understanding the regulators’ stance would be extremely useful. For example, in relation to a situation where a non-EU controller engages an EU processor, the EDPB correctly points out that the processor will still be required to comply with the processor obligations imposed by the GDPR. The guidance that is missing is to what extent that processor needs to address the obligations in relation to international data transfers when the data is made available to the controller outside the EU, and how it should do so.
Perhaps the biggest gap in the guidelines is that they are silent on the applicability of the GDPR to non-EU processors by virtue of the targeting criterion. This is a question that continues to defy the logic of the GDPR given that by the very nature of their role, processors do not interact with individuals – let alone target them – in their own right but only on behalf of controllers. A possible interpretation of the law in this respect is that the GDPR applies to a non-EU processor where the data processing activities relate to the targeting of EU-based data subjects by the controller, but this has yet to be confirmed by the regulators.
One final issue which could and will be queried is the EDPB’s assertion that the function of the EU-based representative of a non-EU controller or processor is not compatible with the role of external data protection officer. The EDPB goes on to say that the requirement for a sufficient degree of autonomy and independence of a DPO does not appear to be compatible with the function of the representative in the EU.
However, taking into account that many of the practical functions of the representative, like interacting with regulators and data subjects, are precisely what the DPO will be focusing on doing, it seems odd to take the view that they cannot effectively be the same person.
In conclusion, the overall verdict on the guidelines is that they are a clear and helpful document. At this stage, they are positioned as a draft for consultation, so the EDPB is also leaving the door open for some refinement of what is set to become one of the defining pieces of regulatory guidance on the GDPR.
This article was originally published on IAPP’s Privacy Perspectives.