Nov 302018

EDPB Issues Long-Awaited Guidance on Territorial Scope of the GDPR

Colleen Theresa Brown, William RM Long, Lauren Cuyvers, Geraldine Scali, Cameron F. Kerry, Stephen W. McInerney and Wim Nauwelaerts
, , , , ,

On November 23, 2018, the European Data Protection Board (“EDPB”) published draft guidelines seeking to clarify the territorial scope of the GDPR (“Guidelines”).  The Guidelines have been eagerly awaited, particularly by controllers and processors outside of the EU looking for confirmation as to whether or not the EU data protection rules apply to them.  The Guidelines largely reaffirm prior interpretations of the GDPR’s territorial application under Article (3)(1), and offer essential guidance with respect to the GDPR’s – heavily debated – extraterritorial application under Article (3)(2).  The GDPR applies to companies established in the EU as well as companies outside of the EU that are “targeting” individuals in the EU (by offering them products or services) or monitoring their behavior (as far as that behavior takes place in the EU).

The proposed Guidelines are open for public consultation until January 18, 2019.  It remains to be seen whether and how any outstanding issues will have been addressed upon conclusion of the consultation.

Some key takeaways include:

  • Not all companies that process personal data relating to individuals in the EU are necessarily subject to the GDPR. Where, for example, a controller in the EU designates a processor located outside the EU to perform processing activities, the processor will not be subject to the GDPR merely because it is exposed to personal data that originates from the EU.  However, the processor will have to comply with certain contractual obligations that the controller is required to impose on the processor pursuant to Article 28   Similarly, a controller outside of the EU which processes personal data relating to individuals in the EU may fall outside the ambit of the GDPR if it does not “target” or monitor individuals in the EU.
  • Companies outside the EU processing personal data relating to individuals in the EU may be subject to the GDPR when they have an establishment in the EU and their processing activities outside of the EU can be considered “inextricably linked” to the (business) activities of that EU establishment.
  • The application of the GDPR to processing activities must be assessed per controller/processor.  For instance, the designation of a processor in the EU by a controller outside of the EU for certain processing activities does not automatically bring both the controller and the processor in scope of the The processor is not considered an establishment of the controller for purposes of GDPR application.  As such, the mere fact that the GDPR applies to, for example, a French subsidiary of a U.S.-based company acting as processor does not necessarily trigger application of the GDPR to the parent/controller in the U.S. In that case, the French processor will be subject to the GDPR’s processor obligations only.
  • Minor commercial presence on EU territory may suffice as an “establishment” for GDPR purposes. One single sales agent or employee, operating through stable arrangements in the EU, may trigger application of the GDPR if the processing of EU-originating personal data is in the context of the activities of that establishment.
  • The GDPR’s extraterritorial reach only extends to the “targeting” or monitoring of individuals who are in the EU.  EU citizenship, residency or other type of legal status is therefore irrelevant to determine the scope of application of the GDPR.  This would in theory also capture non-EU citizens whose behavior is monitored by an app whilst traveling in the EU.
  • Indications that contribute to the targeting intention of service offerings to the EU market are the launching of marketing campaigns directed at an EU audience, the inclusion of addresses or phone numbers in EU Member States , the use of a top-level domain name specific to an EU Member State, the inclusion of travel instructions to a country in the EU, but also the mere international nature of the commercial activity itself in some instances (e.g. certain tourist activities).
  • “Monitoring” appears broader than foreseen in the GDPR’s recitals. According to the Guidelines, “monitoring” not only potentially covers online activity tracking via cookies, but could also include CCTV, Wi-Fi tracking and geo-localization activities.  A case-by-case assessment needs to be performed in order to establish whether “monitoring” is performed.
  • Controllers and processors in scope of the GDPR by virtue of Article 3(2) must appoint an EU representative via a written mandate, such as a service agreement, and the EU representative  can be a law firm, consultancy firm or an individual.  In the opinion of the EDPB, EU representatives should not take on the role of Data Protection Officer for the same controller/processor.  Data controllers should inform individuals about the identity of their EU representative at the time of data collection, e.g. in the privacy notice.
  • The guidance leaves legal uncertainty for controllers and processor outside the EU on how to deal with the GDPR’s data transfer restrictions (Chapter V).  Controllers and processors outside the EU that find themselves subject to the GDPR are required to implement a GDPR compliance program, through which they offer an adequate level of protection to the personal data that are “imported” from the EU.  Hence there are arguably no restricted data transfers in that case. Unlike recent UK ICO guidance, the Guidelines do not explicitly confirm that in such a case data transfer mechanisms are no longer required, and the EDPB did not address this question, leaving room for legal uncertainty. Hopefully this void will be addressed during the consultation round.
Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

William RM Long

London

wlong@sidley.com

Lauren Cuyvers

Brussels

lcuyvers@sidley.com

Geraldine Scali

gscali@sidley.com

Cameron F. Kerry

ckerry@sidley.com

Stephen W. McInerney

Chicago

smcinerney@sidley.com

Wim Nauwelaerts

wnauwelaerts@sidley.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

Biden Administration Announces National Cybersecurity Strategy

On March 1, 2023, the Biden administration announced its long-awaited National Cybersecurity Strategy. The strategy is part of the administration’s efforts to bolster and modernize public and private responses to cybersecurity threats.

UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.