The European Data Protection Board (the "EDPB"), the body in charge of the application of the General Data Protection Regulation (EU/2016/679) ("GDPR"), has published proposed guidelines in relation to the territorial scope of the application of the GDPR.  These are open to public consultation until 18 January 2019.

This note sets out a brief summary of what the Guidelines say.  They can be read in full here.  

The territorial scope of the GDPR is set out in Article 3 and is defined by reference to two key criteria, namely: (1) the "establishment" criterion, and (2) the "targeting" criterion.   Where one of these is met, the GDPR will apply to the processing of the personal data by the controller / processor concerned.  

The Establishment Criterion 

The establishment criterion is recorded in Article 3(1), which provides that the GDPR "applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not".  

The key points from the Guidelines in relation to the interpretation of this Article are as follows:

  • The meaning of "establishment" is assessed by reference to whether there is any real and effective activity being carried out (even minimal activity), exercised through stable arrangements.  Note that the threshold for stable arrangements can be quite low, particularly in the context of an online business (the Guidelines give the example that the presence of one employee operating with sufficient stability could be sufficient).
  • The GDPR will apply to a non-EU entity if its activities are inextricably linked to the activities of an EU entity, even if the latter has no role in the data processing activities.  The actual place of the processing is not relevant (so a Swedish company processing personal data in Singapore, through its branch there, will still be caught by the GDPR where it is determining the purposes and means of the data processing).
  • A non-EU data controller will not become subject to the GDPR just because it uses an EU data processor (though that does not change the fact that the EU data processor would still be subject to the data processor obligations).  EU service providers may therefore find themselves at a disadvantage to their non-EU counterparts, because of the additional compliance obligations they will be required to meet.
  • Where an EU data controller uses a non-EU data processor, the latter will become indirectly subject to the GDPR in any event, because the former will be required to enter into a contract imposing obligations on the data processor in accordance with Article 28 GDPR.  

The Targeting Criterion

Article 3(2) provides that the GDPR "applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union". 

The key points from the Guidelines in relation to the interpretation of this Article are as follows:

  • It is not the citizenship, residence or other type of legal status of the data subject which determines whether a data subject is "in the Union".  The location of the data subject is assessed with reference to the moment the trigger activity takes place, namely the offering of the goods and services or the moment when behaviour is being monitored.  
  • The goods / services do, however, need to be targeted at individuals in the EU.  The Guidelines give the example that a US start-up offering a city mapping application to tourists in London, Rome and Paris would be deemed to be targeting individuals in the EU, and the processing of that data would therefore be subject to the GDPR.  By contrast, a US tourist downloading an app targeted only at the US market while travelling in Europe would not bring the processing of that tourist's data within the scope of the GDPR.
  • The Guidelines also state that whether any payment is required for the relevant goods / services is irrelevant when assessing whether EU data subjects are being targeted, as is the mere fact of the accessibility of a website within the EU.  What could be determinative is the use of a language or currency used in one or more Member States, together with the possibility of ordering goods / services in that language.
  • With regard to the monitoring element of the provision, the Guidelines record that the GDPR will apply if the monitored behaviour relates to data subjects in the EU and takes place within the territory of the EU.  The EDPB gives a number of examples of monitoring activities, including online tracking through cookies, CCTV and market surveys.
  • Any data controller / processor subject to the GDPR by virtue of Article 3(2) must designate a representative established in a Member State (which could be a natural or legal person) within the Union, unless the Article 27 exemption applies (i.e. it is a public body, or the processing carried out by it is occasional, does not include large scale processing of special categories of data or data relating to criminal offences, and is unlikely to result in a risk to the rights and freedoms of the individuals in question).  The representative should be established in the Member State where the majority of data subjects whose data is being processed are located.  This requirement is intended to make enforcement of the GDPR against non-EU entities easier.  
 
Processing in a Place Where Member State Law Applies by Virtue of Public International Law

Article 3(3) records that the Regulation applies "to the processing of personal data by a controller not established in the Union, but in a place where Member State Law applies by virtue of public international law". 

The EDPB considers that the GDPR will apply to personal data processing carried out by EU Member States' embassies and consulates, where such processing falls within the material scope of the GDPR.  Data processing by an EU registered cruise ship travelling through international waters would be caught, despite the ship being located outside of the Union.

 
First Case of Extra-Territorial Enforcement by the UK's Data Protection Regulator 

The Information Commissioner's Office (the "ICO") has taken action under the GDPR and the UK's Data Protection Act 2018 against an analytics business in Canada, namely AggregateIQ Data Services Ltd, for processing personal data of UK individuals in relation to political campaigns, including names and email addresses.  Although the enforcement notice does not state the basis of the ICO's jurisdiction, it is presumably on the basis of the targeting criterion referred to above.  In its notice, the ICO took the view that the personal data was processed for purposes and in a manner which was incompatible with the purposes the data was originally collected for.  The ICO required AggregateIQ to cease processing any personal data of UK or EU citizens obtained from UK political organisations for the purpose of data analytics, political campaigning or any other advertising purposes. 

Following an appeal filed by AggregateIQ, the action required of AggregateIQ under the notice was narrowed in exchange for AggregateIQ dropping the appeal.  AggregateIQ shall, subject to a notification to be issued to it by the Office of the Information and Privacy Commissioner of British Columbia, erase any personal data of individuals in the UK, as determined by the domain name of the email addresses processed by AggregateIQ.  

The enforcement notice provides that the ICO may serve a penalty notice requiring payment of a fine in the event that the notice is not complied with. 

It is clear from this case that the ICO is prepared to take action against entities outside of the EU in relation to their data processing activities.  It will be interesting to see how, and whether, it seeks to enforce any fines against non-EU entities.  Clearly that will represent a challenge where no EU representative is appointed, which itself presents an interesting dynamic: whilst not having a representative is itself a breach of the GDPR, the reality is that not having one may make enforcement in respect of any breaches harder.

FOR QUESTIONS OR MORE INFORMATION, PLEASE CONTACT:

Mark A. Lubbock

P: +44.207.851.6062

F: +44.207.851.6100

Hattie Chessher

P: +44.207.851.6166

F: +44.207.851.6000