We keep discussing about new technologies with our TMT Bites. From big data to blockchain, from IoT to artificial intelligence. All these technologies and developments raise a number of challenges, including the "jurisdiction creep", i.e. the possibility to "attract" in a jurisdiction data protection, security requirements or other regulations that are applicable in foreign countries, without being fully aware of all the rules to take into account. This is a persistent issue (for instance this was one of the main concerns raised by the WP29 back in 2014 when addressing IoT technologies). Certain technologies may inevitably be "cross border" (for instance, when data are processed in other jurisdictions, when devices are produced elsewhere or maintained remotely). With this post we will address one data privacy element to consider, namely the territorial scope under the GDPR, also taking into account the recent European Data Protection Board ("EDPB") guidelines.
Why has the EDPB issued guidelines on the territorial scope of the GDPR?
On November 12, 2019, following a public consultation, the EDPB adopted the final version of its guidelines on the territorial scope under Article 3 ("Guidelines") of the EU General Data Protection Regulation ("GDPR" or "Regulation"). The Guidelines have been drawn up to assist data protection authorities on certain data-processing activities and to provide a common interpretation of the GDPR when assessing whether a particular processing by a controller or a processor, rather than an entity, falls within the territorial scope of GDPR. In particular, the Guidelines set out and clarify the criteria for determining the application of Article 3 of the GDPR. Such a common interpretation is also essential for controllers and processors, both within and outside the EU, so that they may assess whether they need to comply with the GDPR for a given processing activity.
Establishment and targeting criteria: what are the main point of attention?
As a general principle, the EDPB asserts that where the processing of personal data falls within the territorial scope of the GDPR, all provisions of the Regulation apply to such processing. The GDPR defines the territorial scope of the Regulation on the basis of Article 3.1 (the "Establishment criterion"), according to which the GDPR applies to processing "in the context of an establishment" of a controller or processor in the EU, and Article 3.2 (the "Targeting criterion"), according to which the GDPR applies to non-EU controllers or processors in certain specific circumstances. Where one of these two criteria is met, the GDPR will apply to relevant processing of personal data by the controller or processor concerned.
The Establishment criterion
The EDPB confirms an expansive interpretation of the Establishment criterion. In particular, according to the Guidelines:
- the application of the GDPR to the establishment of a controller or processor applies regardless of whether the processing takes place in the European Economic Area ("EEA"). In other words, the geographical location is not important for the purpose of Article 3.1 with regard to the place in which processing is carried out, or with regard to the location of the data subjects;
- in order to determine whether an entity based outside the EEA has an establishment in a Member State, it is necessary to consider "both the degree of stability of the arrangements (regardless of its legal form) and the real and effective exercise of activities (even a minimal one) in that Member State [...] in the light of the specific nature of the economic activities and the provision of services concerned";
- "the mere presence of an employee in the EU is not as such sufficient to trigger the application of the GDPR" since the processing activity "must also be carried out in the context of activities of the EU-based employee". It follows that the threshold for stable establishment is "quite low" and even just the presence of one single employee with sufficient degree of stability could lead to the GDPR application. However, even if the notion of establishment is broad, it is not without limits; indeed it is not possible to consider a non-EU entity as established merely because its website is accessible in the Union.
Moreover, the Guidelines highlight the importance of consideing whether the processing of personal data takes place "in the context of the activities of" a stable establishment. In particular, the EDPB recommends to:
- conduct such an evaluation on a case-by-case basis and based on an analysis in concreto;
- to understand such wording in light of the relevant case law;
- to take into account two main factors
to determine whether processing is carried in the context of an
establishment in the Union, namely the:
- relationship between a data controller or process outside the Union and its local establishment in the Union;
- revenue raising in the Union, to the extent that such activities can be considered as "inextricably linked" to the processing of personal data taking place outside the EU.
The Targeting criterion
In addition to the Establishment criterion, the application of the GDPR to controllers and processors is also triggered when the Targeting criterion applies. Indeed, the absence of an establishment in the Union does not necessarily mean the exclusion from the scope of the GDPR, since Article 3.2 sets out the circumstances in which the GDPR applies to a controller or processor not established in the Union. In assessing the conditions for the application of the targeting criterion, the EDPB recommends a twofold approach:
- First, the processing relates to
"personal data of data subjects who are in the Union". In
particular, according to the Guidelines:
- while the location of the data subject in the territory of the Union is a determining factor, the Targeting criterion is not limited by the citizenship, residence or other type of legal status of the data subject whose personal data are being processed;
- the data subject's presence in the Union "must be assessed at the moment when the relevant trigger activity takes place";
- Article 3.2 "is aimed at activities that intentionally, rather than inadvertently or incidentally, target individuals in the EU";
- the processing of personal data of data subjects in the Union alone is not sufficient to trigger the application of the GDPR; "the element of "targeting" individuals in the EU, either by offering goods or services to them or by monitoring their behaviour, must always be present in addition".
Second, it must be assessed whether processing relates to (a) the offering of goods or services to individuals in the EU or (b) the monitoring of the behaviour of individuals in the EU.
- With reference to the first scenario, the Guidelines specify that:
- the offering of services also includes the offering of information society services, that is to say, "any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services";
- the targeting criterion applies irrespective of whether a payment by the data subject is required;
- when assessing the "offering of goods or services", it is advisable to take into account also the following specific factors:
- the EU or at least one Member State is designated by name with reference to the good or service offered;
- the data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
- the international nature of the activity at issue, such as certain tourist activities;
- the mention of dedicated addresses or phone numbers to be reached from an EU country;
- the use of a top-level domain name other than that of the third country in which the controller or processor is established, for example ".de", or the use of neutral top-level domain names such as ".eu";
- the description of travel instructions from one or more other EU Member States to the place where the service is provided;
- the mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
- the use of a language or a currency other than that generally used in the trader's country, especially a language or currency of one or more EU Member states;
- the data controller offers the delivery of goods in EU Member States;
- When goods or services "are inadvertently or incidentally provided to a person on the territory of the Union, the related processing of personal data would not fall within the territorial scope of the GDPR".
- With reference to the monitoring of the behaviour of individuals in the EU, the Guidelines specify that:
- the monitoring activity "must first relate to a data subject in the Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the EU";
- the application of Article 3(2)(b) encompass a broad range of monitoring activities, such as:
- behavioural advertisement;
- geo-localisation activities, in particular for marketing purposes;
- personalised diet and health analytics services online;
- market surveys and other behavioural studies based on individual profiles;
- monitoring or regular reporting on an individual's health status;
- it is not possible to consider any online collection and analysis as a "monitoring" activity. It is instead necessary to "consider the controller's purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data".
Overall, the Guidelines strongly emphasize the GDPR ambitious extra-territorial application. Companies established outside the EU should be aware that even a minimal activity or presence is sufficient to meet the GDPR's applicability threshold and that non-compliance with the Regulation will expose themselves to significant fines and liability, as well as reputational damages. Hence, it is advisable to undertake, prior to any international processing activity (including launching new technologies applications), a territorial scope assessment to determine whether the related processing of personal data falls under the scope of the GDPR.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.