Adoption of the General Data Protection Regulation of the European Union (EU) 2016/679 ("GDPR"), applicable as of 25 May 2018, marked a watershed in the regulation of personal data protection and the rights of persons whose data is being processed, while also setting down penalties and making substantial progress in safeguarding the personal right to privacy.
Owing to the ambiguity of Article 3 of the GDPR regulating territorial scope and the necessity for additional interpretation, the European Data Protection Board adopted Guidelines 3/2018 on 16 November 2018, on the territorial scope of the GDPR (the "Guidelines"). The Guidelines are a response to uncertainties surrounding the territorial scope of the GDPR and serve to ensure consistency and uniform practice in this matter.
Article 3 of the GDPR regulates the matter of territorial scope. Fulfilling one of the three prescribed criteria triggers application of the GDPR:
Establishment of a controller or processor in the EU;
Targeted activity/Targeting towards the EU territory, even though the controller or processor is not in the EU;
Application by virtue of public international law.
The above definition is a solid foundation for determining the territorial scope of the GDPR, but leaves itself open to a broad range of interpretations – hence the need for an "in concreto" assessment.
In this article, we will consider detailed explanations of the extended application rules, as well as practical examples to gain a comprehensive understanding of the significance and impact of these rules on non-EU countries.
1. Application based on establishment of a controller or processor in the EU
"GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."
This definition allows for a case-by-case interpretation of whether the GDPR is applicable or not. While this criterion is typically relevant to entities within EU Member States, in some cases it may also apply to entities in non-EU countries. Establishment implies the effective and real exercise of activity, regardless of the legal form of the controller or processor. What this means in practice depends on each case. A more precise definition is deliberately not provided, so that the field of application is determined as broadly as possible. The GDPR may thus potentially apply to business entities established outside the EU that have branches in the EU.
In particular, a link must be established between the collection and processing of personal data and the activities of the establishment in the EU. That said, collection and processing of personal data by a controller or processor established in the EU will in itself suffice for the GDPR to apply.
Example 1: A company established in Belgium that manufactures car parts solely for buyers in the USA and Canada collects and processes personal data only in the United States. Nevertheless, application of the GDPR is mandatory, because the controller is a Belgian company.
Even where personal data are not directly processed by an EU processor or controller, but by an affiliate outside the EU, and where there is a link between the activities of the EU establishment and the processing of data by a non-EU processor or controller, the application of the GDPR is mandatory.
Example 2: A marketing company registered in India has established a branch in France. The Indian company carries out all data processing relating to market research and the improvement of its services on the territory of France. The business of the branch established in France may be considered related to that data processing, and the company in India will therefore be obliged to apply the GDPR because of the link with its EU-established branch. This holds even if, in this specific case, the direct involvement of the French branch in the data processing cannot be proven: a certain connection is definitely present, which is enough for the GDPR to apply.
The general conclusion is that the existence of a branch or other establishment may trigger application of the GDPR. In some circumstances, e.g. online services, the presence of a single employee or agent of the non-EU entity may be sufficient to trigger application of the GDPR. However, while the definition of "establishment" is broad, it is not without limits. For example, it does not mean that the GDPR will apply to a Serbian company just because its website is accessible to people in the EU.
Application of the GDPR should be considered separately for the controller and processor. It is not enough to conclude that the application of the GDPR is mandatory for the processor simply because it was previously determined that it applies to the controller or vice versa.
The second part of this application criterion demonstrates that data processing does not have to take place within the EU. The GDPR will apply to entities that collect and process personal data only in non-EU countries if they have a business presence, i.e. establishment, in the EU.
2. Application based on targeted activity, i.e. targeting, towards the EU territory, even if a controller or processor has no presence in the EU
"GDPR applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the Union, where the processing activities are related to:
the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
the monitoring of their behaviour as far as their behaviour takes place within the Union."
This criterion leaves greater scope for application to be extended to non-EU countries, although satisfaction of the application criterion must be examined on a case-by-case basis. While the citizenship of the data subject is irrelevant, their location in the territory of the EU is a determining factor.
In the first scenario, simply offering goods or services to data subjects in the EU would trigger the application of the GDPR, but it is necessary to determine whether an "offer" has actually been made. Various factors can be taken into consideration when determining whether a particular action is considered offering goods or services to data subjects in the EU. These include, but are not limited to: the use of a language of an EU Member State other than the language used in the country of the supplier of the goods or services; allowing payment in a foreign currency; offering the delivery of goods in EU Member States; mentioning dedicated phone numbers or addresses for EU users; and the use of common EU domain names such as ".de" or ".eu". Taken alone, these factors may not amount to a clear indication of the intention of a data controller to offer goods or services to data subjects in the EU; however, they should each be taken into account to determine whether a combination of factors can together be considered as an offer of goods or services directed at data subjects in the EU and in turn trigger application of the GDPR. The key point here is to determine whether an activity is targeted towards data subjects in the EU.
Example 3: The website of a company established in China sells cameras and related equipment. The website is available in Chinese, English, German and French. It offers delivery to England, Germany and France, and accepts payment in euros and pounds. Taken together, these parameters lead to the application of the GDPR in this particular situation, even though all data collection and processing is carried out in China.
Example 4: The Russian Agency for Programming and Software Development has announced a job vacancy on its website, stating that knowledge of English and German is required. The question here is whether it is subject to the GDPR, given that these languages are widely spoken in the EU. In this context, the answer is no. A requirement of English and German cannot serve as the sole indicator that data subjects in the EU are being specifically targeted. The presence of other factors would be necessary for such a conclusion.
In the second scenario, the GDPR applies if the behaviour of a data subject in the EU is monitored, but only insofar as that behaviour takes place within the EU. It is necessary to determine precisely what data subject behaviour is being monitored, the purpose of the monitoring, and whether the data subject will be subject to profiling and certain conclusions will be drawn as a result.
Example 5: A marketing agency from Mexico provides consultation services in the field of tourism. With the help of a Wi-Fi network, the behaviour of a data subject in Berlin is monitored and local restaurants in the city are recommended via social networks.
It is clear from this example that monitoring is being carried out to provide restaurant recommendations and that the data subject is in the EU, hence the GDPR applies.
Controllers or processors not established in the EU but engaging in processing activities falling under Article 3(2) are required to designate a representative in the EU. Appointment should be by written agreement, which governs the relationship between the controller or processor and the EU representative, as well as their mutual rights, obligations and responsibilities.
It is commonplace for non-EU controllers and processors to engage specialised companies with experience in this field as a representative. The role of representative and the role of Data Protection Officer are not compatible and should be kept separate. The representative acts as a point of contact between the subjects whose data are processed and the controller, and maintains a record of communications with the competent EU authorities in charge of data protection. The designation of a representative does not affect the responsibility or liability of the controller or processor outside the EU.
Designating a representative is not mandatory where collection and processing is occasional, where there is a remote risk of personal data being breached, or where processing is carried out by a public authority or body.
Example 6: If we look back to Example 3, where it is concluded that the GDPR is applicable, there is an obligation to designate a representative either in England, France or Germany. It is also necessary to provide the name and contact information of the controller among the data available to customers on the website.
3. Application based on Member State law by virtue of public international law
"GDPR applies to the processing of personal data by a controller not established in the Union, but in a place where the EU Member's law applies by virtue of public international law."
This application criterion differs from that set down in the Serbian Data Protection Act, which does not make specific provision for it. The scope of this criterion is limited, but still leads to the application of the GDPR to non-EU countries. This criterion primarily concerns foreign diplomatic and consular missions, but also several other situations.
Example 7: The German Embassy in Russia has opened an application process for the recruitment of administrative staff to process the data of temporary work visa applicants. Although the German Embassy is not established in the EU, it is the embassy of an EU Member State, and by virtue of public international law the application of German law – and thus the GDPR – is mandatory. Applicants' personal data should therefore be collected in accordance with the GDPR.
Example 8: An Austrian aircraft flying over Mexican territory processes the data of passengers on board to improve the quality of its services and send special offers from the airline for future flights. Although the aircraft is located outside EU territory, the fact that it is registered in Austria means that by virtue of public international law, the laws of Austria – and therefore the GDPR – shall be applicable.
The impact of the GDPR on non-EU countries is plain to see in the legislation enacted in this area by EU candidate countries, which for the most part incorporate the uniform GDPR rules. Meanwhile, the rules on the extended territorial scope of the GDPR move its impact far beyond the borders of Europe. The loose wording in respect of its application has left the door open for multiple interpretations, hence the need to develop legal practice to establish rules for every possible situation. Clearly the effect of the GDPR is significant even outside Europe, but it remains to be seen how it will be implemented in practice, in particular the provisions on the obligation to designate a representative in the EU.
By Marija Zdravkovic, Partner Schoenherr