The European Data Protection Board (EDPB) is an independent advisory body, established by the GDPR, that issues guidelines, recommendations, and best practices on the application of the GDPR.
At its Third Plenary on September 26th, the EDPB adopted the new draft guidelines on the GDPR’s territorial scope. Guidelines 3/2018 were revised into their final version and issued on November 23rd. The guidance nevertheless remains in draft form and is therefore subject to public consultation until January 18th, 2019.
The Facts of GDPR’s Territorial Scope
The GDPR has extra-territorial effect, meaning that it can apply to companies based outside the EU. The GDPR applies to a non-EU-based company where that company:
1. Processes personal data in the context of the activities of an EU establishment (the establishment criterion);
2. Processes personal data of an individual in the EU, for the purposes of either:
   – offering goods or services to that individual in the EU, or
   – monitoring the behaviour of that individual in the EU (the targeting criterion); or
3. Is subject to EU Member State law by virtue of public international law.
This has been an area of significant uncertainty for international companies operating in the EU or processing personal data of people in the EU, so the guidance was much awaited as a source of clarity on the topic.
The EDPB has broken the relevant article down into two separate criteria and analysed each in turn.
The Establishment Criterion
This criterion has been broken down into three separate conditions:
The meaning of ‘establishment’
The EDPB clarifies the term ‘establishment’: it refers to the degree of stability of the arrangement between a non-EU-based company and a company located in the EU. The guidelines give the example of a US-headquartered company with a branch and office in the EU that takes care of its operations in Europe. According to the guidance, this constitutes an EU establishment.
In addition, whether an “establishment” exists will be assessed on the basis of the facts, taking into account the specific nature of the economic activities and the provision of services. The mere fact that a company’s website is accessible in the EU does not make it an EU business. This is very important for large companies that host their services globally but have no intention of entering the European market, or at least not yet.
Data processing should be in the context of the enterprise’s activities
In order for the GDPR to apply, the activities of the EU establishment and the data processing activities of the non-EU company must be “inextricably linked”.
The “geographical location” criterion
It does not matter whether the processing takes place in the EU or whether it involves the personal data of EU residents. If the above two conditions are met, the GDPR will apply.
The Targeting Criterion
This criterion has been broken down into two separate conditions:
Location of the data subject
The data subject must be located in the EU. This means that the data subject must be physically present within the borders of the EU; the nationality, citizenship, residence and any other legal status of the individual are irrelevant.
The Triggering Activity
The triggering activity is the key element in determining whether the data processing activities must comply with the GDPR. It could be, for example, offering goods or services to data subjects in the EU or monitoring the behaviour of data subjects in the EU.
The offering of goods or services requires an element of intention. The mere fact that a company’s website is accessible from an EU Member State, or that an email or geographic address is mentioned on the company’s website, is not sufficient evidence of an intention to target individuals in the EU.
EDPB gives examples of factors that may indicate an intention to offer goods or services to individuals in the EU:
- The European Union or an EU Member State is mentioned by name, or directly referred to, in the description of the goods or services offered;
- A search engine operator has been paid to direct the site to consumers on EU territory;
- The nature of the goods or services suggests an international element (for example, tourism services);
- The mentioned addresses and phone numbers are designed for EU residents;
- Domain names are designed for an EU country;
- The establishment is targeting mainly EU clients;
- The establishment uses an EU language and an EU currency (either the Euro or the currency of another EU country);
- Shipping of goods to EU Member States is offered.
All of the elements of a given establishment’s marketing/sales programme should be examined together in order to determine whether the company is offering goods or services to data subjects in the EU. One of the most important indicators is the direct or indirect link between this offering and the processing of personal data of the data subject in the EU.
Alternatively, the triggering activity could be the monitoring of individuals’ behaviour in the EU. If the actual activity of the establishment is monitoring the behaviour of data subjects, the guidance notes that such monitoring can be conducted on the internet or through other types of network or technology.
The monitoring does not require an intention to target, unlike the offering of goods and services. However, the EDPB considers that ‘monitoring’ implies a specific purpose. This purpose must be considered carefully to determine whether the triggering activity is satisfied. A key consideration is whether the individual is tracked on the internet and subsequently profiled.
The EDPB gives examples of monitoring activities:
- Tracking of a person on the internet through their behaviour;
- Tracking through other types of network or technology involving personal data processing, for example through wearable and other smart devices;
- Behavioural advertising;
- Geo-localization activities, in particular for marketing purposes;
- Personalized diet and health analytics services online;
- Market surveys and other behavioural studies based on individual profiles; and
- Monitoring or regular reporting on an individual’s health status.
The EDPB clarifies that the online collection of personal data of data subjects in the EU does not automatically amount to “monitoring”. It is necessary to consider the controller’s purpose for processing the data and any subsequent behavioural analysis or profiling techniques applied to that data.