In their November 2018 plenary meeting, the European Data Protection Board (EDPB) adopted a set of guidelines on the territorial scope of application of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR). Article 3 GDPR, which regulates the matter, surprised subject matters experts for its potential reach, and the guidelines, which are open for public consultation until January 2019, essentially reconfirm the extremely-wide scope of application of the GDPR.
The guidelines are structured to cover the three paragraphs of Article 3 GDPR, dealing with the application of the establishment criterion (Article 3(1)), with the application of the targeting criterion (Article 3(2)), and clarifying the meaning of Article 3(3) on Public-international-law-based application. Also, the EDPB interestingly chose to address the matter of the EU representative for non-EU controllers in these guidelines.
This article summarises the key contents of the guidelines, which may still have limited practical relevance for EU-based organisations but may become extremely relevant once the United Kingdom leaves the European Union.
Scope of application of the establishment criterion (Article 3(1))
The establishment criterion has been the centre of harsh academic debate and of several court rulings, most notably the Google Spain (most often remembered in relation of the so-called ‘right to be forgotten’) and Weltimmo judgments of the Court of Justice of the European Union. The main question is – in fact – to what extent an organisation may be considered established in the Union.
The EDPB essentially reconfirms the Weltimmo definition of establishment, stating that an organisation has an establishment in the Union if it exercises a real and effective activity through stable arrangements in the territory of a Member State. These ‘stable arrangements’ are not codified, and can have any legal form (a branch, a subsidiary, and even the presence of one single employee or agent, if that person acts with a sufficient degree of stability).
At the same time, the EDPB clarified that certain elements do not constitute a manifestation of an establishment. For instance, having contracted a data processor that is established in the Union is not sufficient to consider an organisation as being established in the Union, and having a website that is simply accessible from a Member State is also not a manifestation of an establishment in the EU.
Scope of application of the targeting criterion (Article 3(2))
While a website that is merely accessible from a Member State would not automatically trigger the application of the GDPR, the fate of websites that target people in the Union is a different matter.
In fact, the EDPB again adopts and readapts the Weltimmo doctrine in reconfirming that organisations that are not established in the EU are subject to the GDPR when they target data subjects who are in the EU when the relevant triggering activity takes place (when the good or service is offered, or when the profiling takes place).
Notably, the EDPB confirms that no relevance is given in this context to residence, alongside the more trivial case of citizenship. In fact, it is sufficient that a natural person is located in the Union at the moment of the trigger activity (and that the data controller targets people in the Union) for the GDPR to apply. This would include tourists who are in the Union, exchange students, travelling employees, etc. Curiously, no clarity is given regarding the opposite case, i.e., the case of EU residents who are subject to the relevant activity while they are visiting a non-EU country and continue to use a non-EU-targeting service when back on EU soil.
Processing in a place where Member State law applies by virtue of public international law
The EDPB also argued on the meaning of Article 3(3), which is of limited relevance for most organisations and determines that the GDPR applies outside the Union when Member-State law applies by virtue of public international law. It is the case of ships, on which the law of the State of registration is applied, and diplomatic missions of EU Member States, where the law of the sending State is applicable instead of the local law.
The role of the EU representative
The role of the EU representative for extra-EU controllers has interestingly been addressed in these guidelines. This part would have possibly better fitted in the guidance on DPOs since it describes a new (contracted) role, but the EDPB chose to address the representative here because the applicability of Article 3(2) GDPR automatically triggers the requirement to appoint a representative.
Since the EU representative may become a relevant role after Brexit, we will issue a dedicated piece on this next month, to ensure that our clients have a good understanding of this role and of to what extent it may be required in their case.
Key take-home messages from the guidelines
While these guidelines will fuel expert discussion for years to come, some key take-home messages can be extracted for immediate consideration:
- If an EU-based processor is contracted by a controller that has no establishment in the EU, the latter will not become subject to the GDPR, but the former is – this means that EU processors are subject to the regulatory burden of the GDPR even if they process data on behalf of a non-EU controller, and this might jeopardise the processor’s competitiveness on the market;
- If an EU controller contracts a processor that has no establishment in the EU, the latter will not be automatically subject to the GDPR – nevertheless, the EU controller is subject to the GDPR, and he will be required to enter in a Data Processing Agreement that will de-facto extend some GDPR provisions to the processor;
- Even a minor presence in the EU may suffice to determine that an establishment exists;
- Service and goods providers established outside the Union are subject to the GDPR if they target people who are in the EU, including foreign residents.
In practice, this will not change much with respect to UK-established organisations just yet, but such guidelines will be read in a different light when the UK leaves the EU. In fact, UK organisations targeting people in the EU after Brexit will have to assess whether and to what extent the GDPR (which will no longer be applicable in the UK) will be applicable in each case. The positive note is, however, that the hard compliance work carried out so far will not go wasted, as it will ensure that organisations are compliant in all cases in which the GDPR applies.
For more information visit Trilateral Data Governance page and contact our team.