Dec 122019

EDPB Provides Clarity and Raises New Questions with Publication of Final Guidelines on the Territorial Scope of the GDPR

William RM Long, Francesca Blythe and Jasmine Agyekum
, , ,

Following an extensive public consultation, the European Data Protection Board (“EDPB”) has published a final version of its guidelines on the territorial scope of the GDPR (“Guidelines”). This comes almost one year since the draft guidelines were originally published.  Please read this blog together with our previous blog on the draft guidelines, as this blog addresses only the key differences between the draft guidelines and the Guidelines.

Key takeaways:

Establishment Test (Article 3(1), GDPR) – states that the GDPR applies to processing in the context of an establishment of a controller or processor in the EU

  • The mere presence of an employee in the EU processing personal data relating only to the activities of a non-EU controller outside of the EU will not automatically bring the non-EU controller within scope of the GDPR. Instead, the relevant processing activities must be carried out in the context of the activities of the EU-based employee (i.e., in the context of the EU establishment). Organisations should assess this on a case by case basis.

Targeting Test (Article 3(2), GDPR) – states that the GDPR applies to controllers and processors established outside of the EU where the processing activities relate to (i) the offering of goods/services to individuals in the EU, or (ii) the monitoring of the behaviour of individuals in the EU.

  • Processing activities of non-EU based processor will be subject to the GDPR where these activities ‘relate’ to the targeting by a non-EU based controller of individuals in the EU. This represents a significant change from the draft guidelines and indicates the EDPB is taking a broad view of the extraterritorial reach of the GDPR, even with respect to, for example, passive processing services such as, the operation of a virtual data room. In particular, the Guidelines provide that where the processing activities of a controller concern the offering of goods or services to, or the monitoring of the behaviour of, individuals in the EU, non-EU based processors contractually required to carry out such targeting on behalf of the controller, will fall within scope of the GDPR, with respect to the specific processing activity. For example, a U.S. organisation offering wellbeing services including, to individuals in the EU, monitors the behaviour of individuals in the EU via a health app. The U.S. organisation engages a cloud provider in the U.S. to host the app. In turn, the hosting of the health data of individuals in the EU by the U.S. cloud provider is “related to” the targeted offer of services by the U.S. controller and therefore, the specific processing activity falls within the scope of the GDPR.
  • The GDPR applies to the specific processing activities undertaken by a non-EU organisation as opposed to the non-EU organisation as a whole. In turn, certain processing activities undertaken by the non-EU organisation may be subject to the GDPR whilst others may not. This is the case also for non-EU organisations subject to the GDPR by virtue of the Establishment Test (i.e., Article 3(1), GDPR).
  • The offer of goods or services to individuals in the EU must be intentional, rather than inadvertent or incidental. For example, where a Japanese company offers subscription services exclusively to Japanese residents, but the service is not withdrawn when the individuals enter the EU e.g., for work or leisure purposes, the Japanese company would not become subject to the GDPR by virtue of the ongoing offering of the service.

The EU Data Protection Representative (Article 27, GDPR)

  • The EU data protection representative (“DPR”) should not also be the organisation’s data protection officer. Nor should the DPR role be fulfilled by a third party engaged in processing activities as a processor for an on behalf of the non-EU organisation.
  • According to the Guidelines, the concept of a DPR was introduced with the aim of facilitating the liaison with and ensuring effective enforcement of the GDPR against controller or processors that fall under Article 3(2) of the GDPR. In turn, enforcement proceedings can be initiated “through” the DPR – as opposed to “against” the DPR as was the wording in the draft guidelines.
  • The DPR is liable only for breaches of obligations directly imposed on the DPR under the GDPR i.e., the obligation to maintain the data processing record and to respond to information requests from the supervisory authorities. The appointment of a DPR in turn, does not affect the liability or responsibility under the GDPR of the non-EU organisation.
William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

Jasmine Agyekum

jagyekum@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.