Nov 302018

EDPB Issues Long-Awaited Guidance on Territorial Scope of the GDPR

Colleen Theresa Brown, William RM Long, Lauren Cuyvers, Geraldine Scali, Cameron F. Kerry, Stephen W. McInerney and Wim Nauwelaerts
, , , , ,

On November 23, 2018, the European Data Protection Board (“EDPB”) published draft guidelines seeking to clarify the territorial scope of the GDPR (“Guidelines”).  The Guidelines have been eagerly awaited, particularly by controllers and processors outside of the EU looking for confirmation as to whether or not the EU data protection rules apply to them.  The Guidelines largely reaffirm prior interpretations of the GDPR’s territorial application under Article (3)(1), and offer essential guidance with respect to the GDPR’s – heavily debated – extraterritorial application under Article (3)(2).  The GDPR applies to companies established in the EU as well as companies outside of the EU that are “targeting” individuals in the EU (by offering them products or services) or monitoring their behavior (as far as that behavior takes place in the EU).

The proposed Guidelines are open for public consultation until January 18, 2019.  It remains to be seen whether and how any outstanding issues will have been addressed upon conclusion of the consultation.

Some key takeaways include:

  • Not all companies that process personal data relating to individuals in the EU are necessarily subject to the GDPR. Where, for example, a controller in the EU designates a processor located outside the EU to perform processing activities, the processor will not be subject to the GDPR merely because it is exposed to personal data that originates from the EU.  However, the processor will have to comply with certain contractual obligations that the controller is required to impose on the processor pursuant to Article 28   Similarly, a controller outside of the EU which processes personal data relating to individuals in the EU may fall outside the ambit of the GDPR if it does not “target” or monitor individuals in the EU.
  • Companies outside the EU processing personal data relating to individuals in the EU may be subject to the GDPR when they have an establishment in the EU and their processing activities outside of the EU can be considered “inextricably linked” to the (business) activities of that EU establishment.
  • The application of the GDPR to processing activities must be assessed per controller/processor.  For instance, the designation of a processor in the EU by a controller outside of the EU for certain processing activities does not automatically bring both the controller and the processor in scope of the The processor is not considered an establishment of the controller for purposes of GDPR application.  As such, the mere fact that the GDPR applies to, for example, a French subsidiary of a U.S.-based company acting as processor does not necessarily trigger application of the GDPR to the parent/controller in the U.S. In that case, the French processor will be subject to the GDPR’s processor obligations only.
  • Minor commercial presence on EU territory may suffice as an “establishment” for GDPR purposes. One single sales agent or employee, operating through stable arrangements in the EU, may trigger application of the GDPR if the processing of EU-originating personal data is in the context of the activities of that establishment.
  • The GDPR’s extraterritorial reach only extends to the “targeting” or monitoring of individuals who are in the EU.  EU citizenship, residency or other type of legal status is therefore irrelevant to determine the scope of application of the GDPR.  This would in theory also capture non-EU citizens whose behavior is monitored by an app whilst traveling in the EU.
  • Indications that contribute to the targeting intention of service offerings to the EU market are the launching of marketing campaigns directed at an EU audience, the inclusion of addresses or phone numbers in EU Member States , the use of a top-level domain name specific to an EU Member State, the inclusion of travel instructions to a country in the EU, but also the mere international nature of the commercial activity itself in some instances (e.g. certain tourist activities).
  • “Monitoring” appears broader than foreseen in the GDPR’s recitals. According to the Guidelines, “monitoring” not only potentially covers online activity tracking via cookies, but could also include CCTV, Wi-Fi tracking and geo-localization activities.  A case-by-case assessment needs to be performed in order to establish whether “monitoring” is performed.
  • Controllers and processors in scope of the GDPR by virtue of Article 3(2) must appoint an EU representative via a written mandate, such as a service agreement, and the EU representative  can be a law firm, consultancy firm or an individual.  In the opinion of the EDPB, EU representatives should not take on the role of Data Protection Officer for the same controller/processor.  Data controllers should inform individuals about the identity of their EU representative at the time of data collection, e.g. in the privacy notice.
  • The guidance leaves legal uncertainty for controllers and processor outside the EU on how to deal with the GDPR’s data transfer restrictions (Chapter V).  Controllers and processors outside the EU that find themselves subject to the GDPR are required to implement a GDPR compliance program, through which they offer an adequate level of protection to the personal data that are “imported” from the EU.  Hence there are arguably no restricted data transfers in that case. Unlike recent UK ICO guidance, the Guidelines do not explicitly confirm that in such a case data transfer mechanisms are no longer required, and the EDPB did not address this question, leaving room for legal uncertainty. Hopefully this void will be addressed during the consultation round.
Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

William RM Long

London

wlong@sidley.com

Lauren Cuyvers

Brussels

lcuyvers@sidley.com

Geraldine Scali

gscali@sidley.com

Cameron F. Kerry

ckerry@sidley.com

Stephen W. McInerney

Chicago

smcinerney@sidley.com

Wim Nauwelaerts

wnauwelaerts@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.