EU: New EDPB Guidelines on the territorial scope of the GDPR

On 26 November 2018, the WP29’s successor, the European Data Protection Board (EDPB), published Guidelines on the territorial scope of the GDPR (Art. 3). The proposed Guidelines are open for public consultation until 18 January 2019. The Guidelines provide some clarification around the boundaries of what constitutes an establishment in the EU, the status of tourists, and the factors that determine whether data subjects in the EU are being targeted. The EDPB also provides some guidance on the conditions of appointment of an EU representative for non-EU controllers and processors. However, the Guidelines do not address other key interpretive questions arising from Art. 3 and Chapter V (transfer restrictions) and leave many key legal questions open.


  1. Processing in connection with activities of an EU establishment (Art. 3(1))

Under Article 3(1), the GDPR applies to “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”.

The EDPB largely confirms the existing approach under the CJEU’s Costeja and Weltimmo cases: a controller or processor will be considered to have an establishment in the EU if it exercises a real and effective activity (even a minimal one) through stable arrangements in the territory of a Member State, regardless of its legal form (e.g., subsidiary, branch, office, etc.). The threshold for a “stable arrangement” can be quite low (e.g., the presence of a single employee or agent of the non-EU entity in the EU, provided that such employee or agent acts with a sufficient degree of stability).

However, the non-EU entity may not be considered as having an establishment in the EU merely because, for example:

  • Its website is accessible from the EU;
  • It has designated a representative in accordance with Article 27 of GDPR; or
  • It uses a data processor established in the EU.

The EDPB also reiterates the “inextricably linked” test formulated in Costeja – if processing by a non-EU entity is inextricably linked to the activities of an establishment in the EU, GDPR applies, even though the local establishment is not taking any role in the data processing itself.

The EDPB also reminds us that the place of processing is irrelevant in determining whether or not processing carried out in the context of the activities of an EU establishment falls within the scope of GDPR.

What does this mean in practice for controllers and processors?

  • Where an EU controller (subject to GDPR) uses a non-EU processor (not subject to GDPR), it will be necessary to enter into a contract with this processor, in accordance with Article 28(3) of GDPR. The processor will become indirectly subject to some obligations imposed by the controller by virtue of contractual arrangements under Article 28.
  • Where a non-EU controller (not subject to GDPR) uses an EU processor (subject to GDPR), the controller will not become subject to the GDPR controller obligations simply because it chooses to use an EU processor. So far so good for European service providers with a global customer base; this clarification will be welcome news by removing a potential legal poison pill for sales to non-EU based customers, confirming that GDPR will not engage simply because a non-EU controller appoints an EU based processor. The less welcome news for European based processors dealing with non-EU controllers is that the processor will still be required to comply with the relevant GDPR provisions directly applicable to data processors, and notably the obligations imposed on processors under Article 28 (2), (3), (4), (5) and (6), on the duty to enter into a data processing agreement, with the exception of those relating to the assistance to the data controller in complying with its (the controller’s) own obligations under the GDPR. European based service providers will be at a disadvantage to their non-EU competitors with respect to the length and complexity of GDPR paperwork they are required to put in place with non-EU based customers who would not otherwise be subject to GDPR. It is also unclear how the EU based service providers will be able to deal with some of the GDPR processor obligations in this scenario – particularly in relation to onward transfers for which there is a lack of any helpful guidance or obvious legal mechanism.

Notably, it remains unclear how the GDPR Chapter V restrictions apply to transfers of personal data from a processor in the EU to a controller in a non-EU country (so-called “reverse transfers” or “data repatriation”). Given that the various Standard Contractual Clauses do not address these transfers and it is not immediately apparent whether the derogations in Article 49 GDPR would apply to them, it is regrettable that the Guidelines did not address this issue.

It is also unclear whether common intra-group transfers would trigger establishment under Article 3(1). Take, for example, a US parent company that processes HR data to determine salaries and benchmark performance reviews on behalf of all global affiliates, including those in the EU. In this scenario, the EU based affiliates will clearly be established within the EU and caught by GDPR. However, it remains unclear whether the US parent company would be directly caught by GDPR by virtue of the UK affiliate being treated as the parent’s establishment within the EU and the processing being deemed to take place in the context of the activities of that establishment. Again, guidance would be helpful on this point.


  2. Processing by non-EU establishments (Art. 3(2))

Under Article 3(2) of GDPR, the GDPR applies to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  • the monitoring of their behaviour as far as their behaviour takes place within the Union”.

The Guidelines clarify that the processing must concern data subjects located in the EU at the moment when the relevant trigger activity takes place (i.e., at the moment of offering goods or services, or the moment when the behavior is being monitored). The citizenship, residence or other legal status of the data subject is irrelevant.

GDPR will apply if goods or services are offered to data subjects in the EU, such as:

  • An offering of information society service or any other services;
  • Irrespective of whether a payment by the data subject is required;
  • If there is an actual intention of the controller or processor to offer goods or services; and
  • If the offer targets specifically data subjects located in the EU. For that purpose, the GDPR provides some factors which may be considered such as the language, the currency, the reference to customers or users who are in the EU, etc. In addition, based on the CJEU case law, the intention to establish commercial relations with consumers would evidence that the target is the consumer located in EU.

GDPR will apply if the behavior of data subjects is monitored, provided that the monitored behavior relates to data subjects located in the EU and takes place within the territory of the EU.

Such monitoring is not limited to online tracking and includes any other types of network or technology involving personal data (e.g., CCTV, internet of things applications such as wearable and other smart devices).

Not every online collection or analysis of personal data of individuals in the EU counts as monitoring. It depends on the controller’s intention to target and collect data for a specific purpose and on any subsequent behavioral analysis or profiling activity, such as behavioral advertising or geolocation services for marketing purposes.

What does this mean in practice for controllers and processors?

  • The Guidelines clarify that services offered to persons who are transient in the EU – such as tourists – will fall under GDPR. One example given is an app offered by a US start-up providing city mapping and targeted advertising for tourists, and including London, Paris and Rome maps.
  • Conversely, where a US tourist who while vacationing in Europe downloads a US news app targeting US residents, the personal data collected will not be subject to GDPR.
  • Similarly, a Taiwanese bank active only in Taiwan but holding data of German customers residing in Taiwan will not be subject to GDPR.
  • On the other hand, the Guidelines do not clarify a number of interpretive questions, such as whether persons in the EU who act solely on behalf of a legal person can be considered to be targeted.
  • The Guidelines do not explicitly address the question as to whether passive sales are caught by Article 3(2)(a) or not, i.e. where a customer within the EU approaches a service provider outside of the EU to conclude a contract and there is no other presence in the EU or active promotion or targeting by the non-EU service provider before concluding that contract and providing that service. That said, the Guidelines do emphasize the need for evidence of an intent to offer for Article 3(2)(a) to engage, and notably do not list the mere conclusion of contracts or provision of services to individuals within the EU as criteria evidencing an intent to offer goods or services to data subjects in the Union. This would suggest that passive sales are not caught by Article 3(2)(a), but the position remains unclear and each case will turn on its facts.
  • As to the scope of processing activities ‘related to’ the offer of goods or services, or the monitoring of behavior, the Guidelines state that the activities may directly or indirectly relate to such offer or monitoring.


  3. Designating an EU representative for a non-EU establishment

Data controllers and processors established outside the EU but subject to GDPR as per Article 3(2) are required to designate a representative in the EU, unless exempted under Art. 27, i.e. where the processing is occasional and does not include, on a large scale, processing of special categories of data or of personal data relating to criminal convictions and offences. Unfortunately, the Guidelines do not clarify the meaning of ‘occasional’.

GDPR provides that the representative must be established in a Member State where the data subjects whose personal data is processed are located. The Guidelines consider that if a significant proportion of data subjects are located in one particular Member State, it is good practice for the representative to be established in that same Member State.

The EDPB also reminds us that controllers are required to inform data subjects of the identity of their representative in the EU in accordance with Articles 13 and 14 of the GDPR, and that the representative is required to maintain the record of processing activities under the responsibility, and with the help, of the controller or processor. The EDPB considers that the maintenance of this record is a joint obligation.

Finally, the Guidelines reiterate the GDPR recital noting that the representative can face enforcement actions in the same way as controllers and processors. This includes the possibility to impose administrative fines and penalties, and to hold the representative liable.

What does this mean in practice for controllers and processors?

The Guidelines list various options and conditions for designating an EU representative:
  • The representative may be a natural or legal person established in the EU; if a legal person, a lead contact should be appointed in charge of each controller or processor.
  • The representative must be designated by a written mandate governing the relation and obligations between the representative and the controller or processor. Such mandate may be part of a service contract.
  • A representative may act on behalf of several non-EU controllers and processors.
  • A representative may not act as an external DPO of the controller or processor, as the representative function is incompatible with the autonomy and independence required from a DPO. Similarly, a processor may not be appointed as the controller representative.
  • As the representative must be available and able to communicate in the language(s) used by the data subjects and the supervisory authorities concerned, the representative may rely on a team composed so as to communicate in the local language and as required by the applicable local law.


  4. Public international law (Art. 3(3))

Pursuant to Article 3(3) of GDPR, the GDPR applies to “the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law”.

On this basis, the EDPB considers that GDPR notably applies to:

  • Member States’ embassies and consulates, insofar as such processing falls within the material scope of GDPR;
  • Ships registered in the EU, cruising and processing personal data in international waters.