On 23 November 2018, the European Data Protection Board (the "EDPB") published its draft guidelines on Article 3 of the GDPR, being the provision that sets out the territorial scope of Europe's data protection legislation.
The guidelines are only in draft form and subject to consultation, but they do go some way to clarifying key questions regarding the application of the GDPR. That being said, they do not cover every possible permutation of Article 3, meaning that there remain gaps where organisations will need to exercise judgment without any comfort that their interpretation will align with that of the regulators. In particular, questions still seem to remain around the application of Article 3(2)(a) and what actually constitutes the offering of goods and services to individuals in the EU.
Background
The GDPR seeks (via Article 3) to extend its reach beyond European borders, making non-EU organisations directly subject to its obligations when processing personal data either:
- in the context of an establishment of a controller or a processor in the EU; or
- relating to the offer of goods or services to individuals in the EU; or
- relating to the monitoring of the behaviour of individuals as far as their behaviour takes place in the EU.
The breadth of the wording above demonstrates the broad drafting of the legislation and the potentially extremely wide application of the GDPR to organisations located outside the EU. This has left many organisations worldwide in a state of uncertainty as to the fundamental application of this important legislation to their activities. Guidance on Article 3 is therefore long overdue.
The draft guidelines published on 23 November 2018 are open for consultation, with interested parties being given until 18 January 2019 to provide comments. However, even in their current draft state, the guidelines give invaluable insight into the European regulators' view on interpretation of Article 3.
At a high level, the guidelines confirm that non-EU organisations directly caught by the GDPR and with no establishment in the EU will not be able to benefit from the one-stop shop mechanism. This confirms that such organisations will need to comply with national privacy laws in each of the Member States in which they have customers.
Article 3(1): Processing in the context of the activities of an establishment of a controller or a processor in the EU
The key highlights of the guidelines in the context of Article 3(1) are set out below:
- The simple fact that an organisation's website is accessible in the EU will not mean that the non-EU entity has an establishment in the EU.
- The existence of an "establishment" should not be interpreted so broadly that any presence in the EU with even the remotest links to the data processing activities of a non-EU entity is sufficient to bring that processing within the scope of the GDPR.
- Where a controller subject to the GDPR uses a non-EU processor, it will need to ensure by contract that the processor processes the data in accordance with the GDPR. The processor will become indirectly subject to some GDPR obligations by virtue of its contractual arrangements with the controller but will not be directly subject to the GDPR by virtue of Article 3(1).
- A non-EU controller using an EU processor will not become subject to the GDPR simply because it chooses to use a processor in the EU. By instructing a processor in the EU, the non-EU controller is not carrying out processing “in the context of the activities of the processor in the Union”. The processing is carried out in the context of the controller’s own activities; the processor is merely providing a processing service.
Article 3(2)(a): Processing relating to the offer of goods or services to individuals in the EU
The key highlights of the guidelines in the context of Article 3(2)(a) are set out below:
- Article 3(2) refers to “personal data of data subjects who are in the Union”. This is regardless of citizenship (i.e. it does not just apply to EU citizens). The requirement that the data subject be located in the EU must be assessed at the moment of offering of goods or services.
- The processing of personal data of an individual in the EU alone is not sufficient to trigger the application of the GDPR. The element of "targeting" individuals in the EU, by offering goods or services to them, must always be present in addition.
- The offering of goods or services will apply regardless of whether a payment by the individual is required. Article 3(2)(a) is not dependent upon payment being made in exchange for the goods or services provided.
- When considering whether or not goods or services are being offered, the EDPB suggests taking into account the following factors:
  - The EU or at least one Member State is designated by name with reference to the good or service offered;
  - The controller (or processor) pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the EU;
  - The controller (or processor) has launched marketing and advertisement campaigns directed at an EU country audience;
  - The international nature of the activity at issue, such as certain tourist activities;
  - The mention of dedicated addresses or phone numbers to be reached from an EU country;
  - The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
  - The description of travel instructions from one or more other EU Member States to the place where the service is provided;
  - The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
  - The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member States; or
  - The controller offers the delivery of goods in EU Member States.
Article 3(2)(b): Processing relating to the monitoring of the behaviour of individuals as far as their behaviour takes place in the EU
The key highlights of the guidelines in the context of Article 3(2)(b) are set out below:
- For Article 3(2)(b) to apply, the behaviour monitored must first relate to an individual in the EU and, in addition, the monitored behaviour must take place within the EU.
- Although Recital 24 only talks about the tracking of a person on the internet, the EDPB considers that tracking through other types of network or technology involving personal data should also be taken into account, for example through wearable and other smart devices.
- The online collection or analysis of personal data of individuals in the EU would not automatically count as “monitoring” (i.e. just having some cookies on a website will not be enough). It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data.
- Examples of monitoring activities could include:
  - Behavioural advertising;
  - Geo-localisation activities, in particular for marketing purposes;
  - Online tracking through the use of cookies or other tracking techniques such as fingerprinting;
  - Personalised diet and health analytics services online;
  - CCTV;
  - Market surveys and other behavioural studies based on individual profiles; and
  - Monitoring or regular reporting on an individual’s health status.
The guidelines finally also consider the requirement for non-EU organisations with no establishment in the EU to appoint an EU representative. The guidelines confirm that it was the intention of the legislation to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties against representatives, and to hold representatives liable.
The EDPB draft guidelines are available here.