Dec 122019

EDPB Provides Clarity and Raises New Questions with Publication of Final Guidelines on the Territorial Scope of the GDPR

William RM Long, Francesca Blythe and Jasmine Agyekum
, , ,

Following an extensive public consultation, the European Data Protection Board (“EDPB”) has published a final version of its guidelines on the territorial scope of the GDPR (“Guidelines”). This comes almost one year since the draft guidelines were originally published.  Please read this blog together with our previous blog on the draft guidelines, as this blog addresses only the key differences between the draft guidelines and the Guidelines.

Key takeaways:

Establishment Test (Article 3(1), GDPR) – states that the GDPR applies to processing in the context of an establishment of a controller or processor in the EU

  • The mere presence of an employee in the EU processing personal data relating only to the activities of a non-EU controller outside of the EU will not automatically bring the non-EU controller within scope of the GDPR. Instead, the relevant processing activities must be carried out in the context of the activities of the EU-based employee (i.e., in the context of the EU establishment). Organisations should assess this on a case by case basis.

Targeting Test (Article 3(2), GDPR) – states that the GDPR applies to controllers and processors established outside of the EU where the processing activities relate to (i) the offering of goods/services to individuals in the EU, or (ii) the monitoring of the behaviour of individuals in the EU.

  • Processing activities of non-EU based processor will be subject to the GDPR where these activities ‘relate’ to the targeting by a non-EU based controller of individuals in the EU. This represents a significant change from the draft guidelines and indicates the EDPB is taking a broad view of the extraterritorial reach of the GDPR, even with respect to, for example, passive processing services such as, the operation of a virtual data room. In particular, the Guidelines provide that where the processing activities of a controller concern the offering of goods or services to, or the monitoring of the behaviour of, individuals in the EU, non-EU based processors contractually required to carry out such targeting on behalf of the controller, will fall within scope of the GDPR, with respect to the specific processing activity. For example, a U.S. organisation offering wellbeing services including, to individuals in the EU, monitors the behaviour of individuals in the EU via a health app. The U.S. organisation engages a cloud provider in the U.S. to host the app. In turn, the hosting of the health data of individuals in the EU by the U.S. cloud provider is “related to” the targeted offer of services by the U.S. controller and therefore, the specific processing activity falls within the scope of the GDPR.
  • The GDPR applies to the specific processing activities undertaken by a non-EU organisation as opposed to the non-EU organisation as a whole. In turn, certain processing activities undertaken by the non-EU organisation may be subject to the GDPR whilst others may not. This is the case also for non-EU organisations subject to the GDPR by virtue of the Establishment Test (i.e., Article 3(1), GDPR).
  • The offer of goods or services to individuals in the EU must be intentional, rather than inadvertent or incidental. For example, where a Japanese company offers subscription services exclusively to Japanese residents, but the service is not withdrawn when the individuals enter the EU e.g., for work or leisure purposes, the Japanese company would not become subject to the GDPR by virtue of the ongoing offering of the service.

The EU Data Protection Representative (Article 27, GDPR)

  • The EU data protection representative (“DPR”) should not also be the organisation’s data protection officer. Nor should the DPR role be fulfilled by a third party engaged in processing activities as a processor for an on behalf of the non-EU organisation.
  • According to the Guidelines, the concept of a DPR was introduced with the aim of facilitating the liaison with and ensuring effective enforcement of the GDPR against controller or processors that fall under Article 3(2) of the GDPR. In turn, enforcement proceedings can be initiated “through” the DPR – as opposed to “against” the DPR as was the wording in the draft guidelines.
  • The DPR is liable only for breaches of obligations directly imposed on the DPR under the GDPR i.e., the obligation to maintain the data processing record and to respond to information requests from the supervisory authorities. The appointment of a DPR in turn, does not affect the liability or responsibility under the GDPR of the non-EU organisation.
William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

Jasmine Agyekum

jagyekum@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.