Does the GDPR Apply to My Organization? The “Extraterritoriality” of the New European Data Protection Regulation

Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), repeals Directive 95/46/EC and expands on the protection of natural persons with regard to the processing of personal data and the free movement of such data.

The GDPR will come into force in May 2018 and will have an expanded territorial scope of application compared to the previous Directive 95/46/EC. What does it mean for businesses?

  • EU establishment triggers GDPR application

Before. Under Directive 95/46/EC, the data protection law of one or more EU Member States applies if “the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State”. Article 4(1)(a) Directive 95/46/EC. Should the same controller have establishments on the territory of several Member States, each of these establishments should comply with the obligations laid down by the applicable national law. Id. The EU data protection law also applies when the controller does not have an establishment in the EU but, for processing personal data, uses “equipment … situated on the territory” of a Member State. Article 4(1)(c) Directive 95/46/EC.

After. The new GDPR applies to the processing of personal data “in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”. Article 3, GDPR. In other words, it becomes unimportant for purposes of application whether the processing takes place in the EU or not; for the GDPR to be applicable it is sufficient for the controller or the processor to have an establishment in the EU.[i]

Two recent judgments of the Court of Justice of the European Union (ECJ) have introduced expansive interpretations of the meaning of “in the context of the activities” and “establishment”. Google Spain (here) and Weltimmo (here). In both decisions the ECJ found that for an organization to be “established” in a Member State for purposes of application of data protection law it is only required that the organization exercises there “any real and effective activity – even a minimal one” – through “stable arrangements.” The presence of a single representative is sufficient to have an “establishment”. See also WP29’s Opinion 8/2010 on applicable law.

  • GDPR applies to organizations without EU presence

Before. Directive 95/46/EC has some limited “extraterritorial effect”. In fact, it applies to controllers having no establishment in the EU but using equipment situated in a Member State for purposes of processing personal data. National DPAs took the position that the use of cookies or requests to complete forms would amount to using “equipment” in the EU, triggering the application of EU law.

After. The GDPR expands the territorial scope of application to those controllers or processors not established in the EU that process personal data of EU data subjects by:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects; or
  2. the monitoring of their behaviour as far as their behaviour takes place within the EU. (Article 3(2)(a) and (b) GDPR)

Intent matters. In fact, in order to determine whether such a controller or processor is offering goods or services to data subjects in the EU, it should be ascertained whether “it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.” Whereas 23, GDPR. Emphasis added.

The accessibility of a website in the Union, the availability of an email address or of other contact details, or the use of a language or a currency, may aid in ascertaining such intention, but no factor alone controls. Likewise, mentioning on the website customers who are in the EU may make it apparent that the controller envisages offering goods or services to data subjects in the Union. Id.

As for the monitoring, in order to determine whether a processing activity can be considered to monitor the behavior of data subjects in the EU, it should be ascertained whether individuals are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions. (Whereas 24, GDPR)

It is paramount that foreign organizations targeting or monitoring EU individuals understand the impact of the GDPR and comply with its requirements, such as appointing an EU-based representative. Whereas 80, GDPR.

The consequence of the above is that many organizations that, under the Directive, are outside the scope of application of EU data protection law will be directly subject to the GDPR.

US controllers and processors who are not established in the EU but collect and process data on EU residents through websites, cookies or other remote activities might have to comply with the GDPR’s requirements. Furthermore, e-commerce providers, online behavioral advertising networks, and analytics companies that process EU residents’ personal data may all be subject to the GDPR.

Multinational businesses with affiliates or service providers may be caught under the GDPR, and might need to consider its impact as well.

This means more stringent requirements of transparency, consent, accountability, privacy by design, privacy by default, data protection impact assessments, data breach notification, data subjects’ rights, and data processor agreements. For more information, see here.

To understand whether the European Data Protection Regulation applies to your organization and how a business can comply with it, contact Francesca Giannoni-Crystal, Federica Romanelli.

———————

[i] Whereas (22) clarifies that

Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

Whereas 36, GDPR is also instructive:

The presence and use of technologies and technical means for processing personal data or processing activities do not, in themselves, constitute a main establishment and are therefore not a determining criteria for the definition of “main establishment”.