The European General Data Protection Regulation ("GDPR"), which came into force over six months ago, illustrates a significant evolution in European data protection law marked by the extension of territorial scope. On 23 November, the European Data Protection Board ("EDPB"), previously known as the Article 29 Working Party, issued new draft guidelines ("Guidelines") relating to the territorial scope of the GDPR. These draft Guidelines adopted by the EDPB are open for public consultation and feedback until 18 January 2019.

Article 3 GDPR sets out the territorial scope of the GDPR based on two criteria, namely the "establishment" criterion in Article 3(1) and the "targeting" criterion in Article 3(2). Where either one of these criteria is satisfied, the relevant Articles of the GDPR will apply to the processing of personal data by the controllers and/or processors concerned.

The establishment criterion – Article 3(1)

The GDPR "applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."

The Guidelines recommend a threefold approach, to be applied on a case-by-case basis, for determining whether the processing of personal data by a non-EU entity would still be captured under Article 3(1).

  • Establishment in the Union: The GDPR does not provide a definition of "establishment" as it relates to Article 3, however Recital 22 provides some clarity, in the form of a unofficial description, that an establishment "implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect". This broad interpretation of "establishment" corresponds with several Court of Justice of the European Union ("CJEU") rulings. The EDPB explains that in some cases even the presence of a single employee or agent of the non-EU entity in the Union may be sufficient for an "establishment" to arise. However the EDPB confirms that simply because a non-EU undertaking's website is accessible in the Union, it cannot be concluded that an establishment has arisen pursuant to Article 3(1).
  • Processing in the context of the activities of an establishment in the Union: Article 3(1) makes clear that the processing of personal data need not be conducted by the EU establishment itself; the controller or processor will be subject to the GDPR whenever the processing is carried out "in the context of the activities" of its EU establishment. The EDPB considers that this element is to be interpreted and understood against the backdrop of relevant case law. Even if the EU establishment itself is not carrying out any data processing, its activities within the EU may be "inextricably linked" to the data processing activities of the non-EU controller or processor, triggering this second element of the EDPB's threefold approach. The EDPB provides an example that where an EU establishment of a controller or processor is significantly involved in raising the revenue of a non-EU controller or processor by means of marketing and commercial activities in the EU, their activities would be "inextricably linked" to the processing of personal data by the non-EU controller or processor and therefore this element would be satisfied.
  • Location of processing: The EDPB confirms that the location of processing of data – whether within or outside the EU – is not relevant in determining whether or not the processing, carried out in the context of the activities of an EU establishment, is subject to the provisions of the GDPR. Where an EU established company processes personal data obtained from a non-EU entity, that EU company will have to then process that personal data in accordance with the GDPR irrespective of where the personal data is located.

The "targeting" criterion – Article 3(2)

Absent of an establishment in the Union, a controller or processor established outside the EU would still be within the scope of the GDPR under the "targeting" criterion.

Article 3(2) applies "to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  2. the monitoring of their behaviour as far as their behaviour takes place within the Union."

For the targeting criterion to be satisfied, the Guidelines recommend a twofold approach.

  • Data subjects in the Union – 3(2)(a): It is only the location of the data subject that is the determining factor for this element and therefore the EDPB considers the nationality of the data subject not relevant. The requirement that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place, i.e., at the moment of offering of goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer made or monitoring undertaken.
  • Offering of goods or services – 3(2)(a): First, the EDPB reiterates that the targeting criterion may apply irrespective of whether payment in exchange for the goods or services is required. The second consideration is whether the goods or services are directed to data subjects in the Union and the intention of the controller or processor in this regard, as clarified by Recital 23, may be determined by its conduct. It follows that the mere accessibility of a website in the EU is not inherently sufficient to satisfy this element. Furthermore, the Guidelines states that there needs to be a connection – whether direct or indirect – between the processing activity and the offering of good or service.

    The Guidelines introduced a list of factors which could be taken into account in that respect; e.g., whether the data controller offers the delivery of goods in EU Member States or whether there is use of a language or a currency other than that generally used in the trader's country, especially a language or currency of one or more EU Member states.
  • Monitoring the data subject's behaviour – 3(2) (b): Although there is no degree of "intention to target" within Article 3(2)(b), the use of the word "monitoring" suggests that the data controller or processor has a specific purpose in mind for the collection and subsequent reuse of such behavioural data and such purposes for and uses of the data would need to be taken into consideration. Pursuant to Recital 24, behavioural monitoring involves ascertaining "whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person....". The Guidelines state that tracking through types of network or technology involving personal data processing, apart from the internet, should also be taken into account in determining whether a processing activity amounts to a behavioural monitoring, for example through wearable and other smart devices.

Designating a representative

Controllers or processors subject to the GDPR by virtue of Article 3(2) are under the obligation to designate a representative in the Union, unless they meet the exemption criteria under Article 27(2). The Guidelines confirm that such a representative would not constitute an "establishment" within the meaning of Article 3(1). Furthermore, the function of representative in the Union is not compatible with the role of an external data protection officer ("DPO"). Therefore, the Guidelines recommend that a given representative may not also act as a DPO for the same data controller.

Following the end of the consultation period, the EDPB shall reflect on feedback received before formally adopting a final set of Guidelines in this important area.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2018. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.