After the recent two-year anniversary of the GDPR, one fundamental question remains — who does the GDPR apply to?
By Gail Crawford, Ulrich Wuermeling, and Calum Docherty
Last month marked the two-year anniversary of the General Data Protection Regulation (GDPR), but its territorial reach is still hotly debated. This blog post takes a detailed look at the final guidelines on the territorial scope of the GDPR, which the European Data Protection Board (the EDPB) published on 12 November 2019 following public consultation of its draft guidelines dated 23 November 2018 (the Guidelines).
The Guidelines contain several helpful clarifications around when the GDPR applies to controllers and processors of personal data. At the same time, however, the Guidelines still present latent ambiguity as to when and to what extent the GDPR applies, particularly for multinationals.
Article 3 of the GDPR sets out its territorial scope and states that it applies to:
- Any processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of where the processing takes place (Article 3(1)) (the Establishment Criterion);
- Any processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union where processing is related to the offering of goods or services (irrespective of payment) to data subjects in the Union (Article 3(2)(a)) or the monitoring of their behaviour as far as that behaviour takes place in the Union (Article 3(2)(b)) (the Targeting Criterion).
1. The GDPR applies to specific processing activities, not to the controller or processor as an entity.
The Guidelines now confirm that only the particular processing activity caught by Article 3 falls within the scope of the GDPR, rather than all processing activities by that controller or processor.
This is a helpful clarification and, for controllers or processors outside of the EU, could limit GDPR risk to only the processing operation caught by Article 3(2). The clarification also helps those controllers or processors caught by Article 3(1), as it makes the GDPR applicable only to processing in the context of the activities of an establishment in the EU. However, as technology advances and systems are increasingly interdependent, it may be difficult to clearly distinguish and isolate such operations.
2. The mere presence of an employee or agent in the EU does not itself trigger the application of the GDPR.
This will offer some comfort for non-EU entities, subject to the following two-step test:
a.) Is the employee or agent an “establishment” of the non-EU entity? An employee or agent is likely to be regarded as an establishment if they act with “a sufficient degree of stability”. The Guidelines do not elaborate further, but relevant factors include whether the employee or agent is permanently based in the EU, whether the employee is full time, etc. If the employee or agent is not an establishment of the non-EU entity, then the Establishment Criterion is not met and the GDPR does not apply.
b.) If yes, is the non-EU entity processing personal data in the context of the activities of the employee or agent in the EU? If so, the Establishment Criterion is likely met and the GDPR will apply.
3. Intentional targeted advertisements to EU individuals will trigger the application of the GDPR.
Providing certain targeted advertisements to individuals in the EU triggers the application of the GDPR under the Targeting Criterion. The Guidelines set out three examples, all of which find that targeted advertisements trigger the GDPR. As these examples are so widely drawn, it seems that there are few scenarios in which the GDPR will not apply. However, the Guidelines confirm that the GDPR does not apply if services “inadvertently or incidentally” target individuals in the EU; therefore, unintentional targeting is not caught (e.g., targeting non-EU residents who may be on vacation in the EU).
4. An EU representative of a non-EU controller cannot be the processor for that controller.
The EDPB considers that a data processor should not also act as an EU representative for that same data controller, given inherent incompatibilities in the role that could impact the representative’s and processor’s respective responsibilities and compliance obligations.
Whilst the Guidelines are helpful, they fail to answer a number of outstanding questions and, at times, introduce further uncertainties.
- Does the Targeting Criterion apply to non-EU processors?
It is clear on a reading of Article 3(2) that data processing activities carried out by non-EU processors will be directly subject to the GDPR if the Targeting Criterion is met. However, the question arises as to how a processor can trigger the Targeting Criterion. For example, if the non-EU processor offers cloud services to EU data subjects, the Targeting Criterion is likely to apply. But if the non-EU processor hosts a website for a non-EU controller that offers products and services to EU data subjects, it is questionable whether this activity can be considered as targeting by the non-EU processor, since it is carried out on behalf of the non-EU controller.
The Guidelines do not suggest that the Targeting Criterion in Article 3(2) applies to non-EU processors acting for an EU controller. According to the Guidelines, a non-EU processor carrying out data processing activities for an EU controller will only be indirectly subject to some GDPR obligations (namely, Article 28 contractual arrangements and Chapter V obligations).
However, the Guidelines do suggest that non-EU processors acting for non-EU controllers would need to comply with the GDPR if the Targeting Criterion is met through activities that the non-EU processor carries out on behalf of non-EU controllers. It is unclear how the EDPB has come to this conclusion, but it seems to be a deliberate change compared to the draft Guidelines.
For context, during the drafting of the GDPR itself, processors were included in Article 3(2) only in the last stages of the negotiations between the European Parliament and the European Council. It is not clear whether this last stage change was intended to extend Article 3(2) to all activities of a processor or only those not carried out on behalf of a controller. If the latter is the case, the change might not have been necessary, because to the extent the processor is not acting on behalf of a controller, the processor would be considered to be a controller. The Guidelines seem to establish that the application of Article 3(2) should only apply if the non-EU processor acts for a non-EU controller. However, there is nothing in the wording of Article 3(2) that would justify such a distinction.
The Court of Justice of the European Union (CJEU) will look at this from an effectiveness perspective and ask whether there is a need to apply the GDPR not only to the non-EU controller, but also to the non-EU processor. Applying the GDPR to both would be somewhat inconsistent if the CJEU at the same time accepts that a non-EU processor acting for an EU controller is not directly governed by the GDPR. It would be more consistent to apply Article 3(2) only to non-EU processors to the extent that they offer their processing services to EU data subjects.
- What is the liability position of EU representatives?
The first draft of the Guidelines indicated that EU representatives were liable for the failure of controllers’ or processors’ obligations to comply with the GDPR, stating a supervisory authority could “initiate enforcement against a representative” (emphasis added). The final Guidelines amended this to read “initiate enforcement through a representative” (emphasis added), suggesting that the EU representative itself will not be directly liable, but merely a liaison through which the supervisory authority could pursue the controller or processor.
The Guidelines do make clear that the EU representative can be held directly liable for violations of its own obligations, including under Articles 30 and 58(1)(a), which suggests that the EU representative will not be held directly liable for other violations.
- Does the offering of goods and services by a non-EU controller to a non-EU citizen fall within the Targeting Criterion?
The Guidelines specify that the territorial application of the GDPR is not predicated on the “nationality or legal status of the data subject”. The Guidelines confirm that a non-EU controller offering goods or services to a non-EU citizen in the EU is still caught by the GDPR if the goods or services are specifically targeted to individuals located in the EU. The Guidelines include an example of a US company providing a city-mapping application for tourists whilst they visit Paris and Rome. The Guidelines specify that even if the users are US citizens, the US company is still specifically targeting individuals when they reside in the EU, so the Targeting Criterion is met. On the other hand, where a non-EU company offers services exclusively to non-EU citizens and that non-EU citizen travels to the EU and continues to use the service, the Targeting Criterion is not met because the offer inadvertently or incidentally targets a data subject in the EU (see above).
The Guidelines also specify that the protection afforded by the GDPR only applies to natural persons. Therefore, it can be inferred that the Targeting Criterion is not met if goods and services are offered to businesses, rather than to individual natural persons. However, the Guidelines are not clear on whether non-EU controllers providing business-to-business goods and services to a company are caught by the Targeting Criterion because they incidentally process personal data of that company’s employees. One may argue that if the individual is targeted merely as an employee of the business, the Targeting Criterion should not apply. Otherwise, the distinction between offers towards data subjects and offers towards legal entities would have very limited effect.
Whilst the Guidelines are not legally binding, they are the clearest indication of regulatory intent to date. As the Guidelines reemphasise the broad territorial scope of the GDPR, non-EU businesses should continue to consider (or reconsider, following these Guidelines) whether any of their processing activities will be caught by the GDPR.
The EDPB notes that it is continuing to assess the interplay between the territorial scope rules of the GDPR and the provisions on international transfers; the authors expect further guidance to be issued in the future.
This post was prepared with the assistance of Victoria Wan in the London office of Latham & Watkins.