Part 2 of 2: Territorial Scope of the GDPR
You may be wondering if the EU General Data Protection Regulation (“GDPR”)applies to your organization. How are you to know? As you might expect, the answer isn’t always clear.
The GDPR asserts two primary bases for territorial jurisdiction that are relevant to businesses: (1) being established in the EU and conducting data processing in the context of that business’ activities; or (2) either: (a) offering goods or services, for free or for a fee, to individuals in the EU; or (b) monitoring the behavior of individuals within the EU. This extraterritorial scope is one of the primary reasons that the GDPR is so consequential for international businesses. This is a big departure from the GDPR’s predecessor, the Data Protection Directive, which was generally limited to EU-based business.
Note that there is also a third basis for jurisdiction and a series of exemptions from the regulation, but these are generally inapplicable to most commercial enterprises.
Organizations Established in the EU
Article 3(1) of the GDPR asserts jurisdiction over EU-based organizations,stating that it applies to the processing of personal data “in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
In other words, if your organization has an “establishment” anywhere in the EU and the processing of personal data is performed “ in the context of the activities of that establishment”, then the processing of personal data will be governed by GDPR, regardless of where the processing actually occurs.
What is an “Establishment”?
The GDPR doesn’t define “establishment”, but Recital 22 provides some elaboration, stating that an establishment “implies the effective and real exercise of activity through stable arrangements.” Furthermore, the “legal form of such arrangements, whether through a branch or a subsidiary with a legal personality” will not be the determining factor.
The Article 29 Working Party (“WP29”), an advisory body, and the Court of Justice of the European Union (“CJEU”) have both indicated that the availability of “human and technical resources” is most relevant, and not just where an entity is incorporated. Additionally, CJEU has opined that the term is “broad” and “flexible” and that an organization may be established where it exercises “through stable arrangements in the territory of that member state, a real and effective activity even a minimal one”. One representative located in the EU can be sufficient, but a single server would not.
What is “In the context of the activities”?
CJEU and WP29 have indicated that this phrase will also be interpreted broadly. The key concept is whether there was an “inextricable link”between the establishment and the processing activities. If your organization has an EU sales office, promotes, sells, or markets to EU residents, this will be enough to establish an inextricable link.
Organizations Not Established in the EU
Even if your organization doesn’t have an establishment in the EU, the GDPR may still apply. This is because Article 3(2) contains an extraterritorial or “long-arm” provision asserting that it also applies to the processing of personal data of data subjects who are in the EU by a non-EU organization,if the processing involves:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behavior as far as their behavior takes place within the Union.
What is Offering Goods or Services to EU Data Subjects?
Recital 23 explains that to determine whether a controller or processor is offering goods or services to data subjects who are in the EU, it should be determined whether it is “apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.” Mere accessibility of your organization’s website or of an email address or of other contact details, or the use of a language generally used in the country where your organization is based isn’t enough. However, a number of factors such as using a language or a currency generally used in one or more EU countries, coupled with the ability to acquire goods and services in that language, or mentioning EU customers or users (e.g., testimonials) suggest your organization envisages offering goods or services to data subjects in the EU.
What is Monitoring Behavior?
According to Recital 24 of the GDPR, monitoring occurs when “natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviours and attitudes.” Thus, if your company is EU-facing and in the e-commerce and advertising sectors, or simply uses behavioral targeted advertising for marketing purposes, you will likely be governed by the GDPR.
Despite the emphasis Recital 24 places on the internet, monitoring can occur by other means. The key is profiling, which is defined in Article 4(4) as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person…” Thus, profiling has three elements: (1) automation; (2) it involves the processing of personal data; and (3) the objective of the profiling is the evaluation of personal aspects about a human.
WP 29 in its 2017 publication, “Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation”, provided this example of profiling:
A data broker collects data from different public and private sources,either on behalf of its clients or for its own purposes. The data broker compiles the data to develop profiles on the individuals and places them into segments. It sells this information to companies who wish to improve the targeting of their goods and services. The data broker carries out profiling by placing a person into a certain category according to their interests. Whether or not there is automated decision-making as defined in Article 22(1) will depend upon the circumstances.
What about B2B?
The GDPR does not distinguish between business to consumer and business to business. As such, there is no reason to believe that non-EU organizations offering goods or services to businesses based in the EU will be exempt if they process personal data related to EU residents. Organizations engaging in this sort of activity seem to fall squarely under the scope of Article 3(2)(a) and should take steps to comply with the GDPR.
As we have discussed, the GDPR will impact businesses well beyond the borders of the EU. If your organization has a physical presence in the EU,it will almost certainly be regulated by the GDPR. But even organizations based outside of the EU will be regulated by the GDPR if they offer products or services to EU individuals or monitor their behavior. To learn more about the GDPR and VeraSafe’s GDPR compliance solutions, contact one of VeraSafe’s privacy experts today for a free GDPR consultation.