International businesses headquartered outside the EU but doing business in the EU need to know if EU data protection laws apply to them in order to avoid compliance problems and the possibility of significant fines.
The starting point is the territorial scope of the EU General Data Protection Regulation (“GDPR”). Virtually all European businesses will fall within the scope of the GDPR. However, the question as to whether the GDPR applies to an organisation outside the EU is not always straightforward.
On 23 November 2018, the European Data Protection Board (“EDPB”) – an independent European body that is composed of representatives of national data protection authorities – published guidelines to help shed some light on the GDPR’s territorial scope.
The guidelines were open for public consultation until 18 January 2019 and so they are not the final version. Therefore, the existing version of the guidelines should be applied in the meantime, albeit with a degree of caution, to provide some insight as to what sort of factors international businesses should be considering when determining the extent to which the GDPR applies to them.
In this article, we discuss the EDPB’s territorial scope guidelines and highlight key points.
Determining the territorial scope of the GDPR
The GDPR applies to the processing of personal data in the context of the activities of an establishment of an organisation in the EU, regardless of whether the processing takes place in the EU or not.
This is the “establishment test”.
However, the GDPR also applies to the processing of personal data of people who are in the EU by an organisation not established in the EU, where the processing activities are related to either:
- the offering of goods or services (free or charged) to those persons in the EU (we shall refer to this as the “targeting test”); or
- the monitoring of their behaviour where their behaviour takes place in the EU (and we shall refer to this as the “monitoring test”).
Therefore, in order for the GDPR to apply to your business, either the establishment test, targeting test or monitoring test would need to be satisfied.
The establishment test
The establishment test is essentially split into two sub-tests:
Establishment: The GDPR does not define “establishment”. However the Recitals, together with EU case law, clarify that an establishment implies “real” and “effective” activity – even a minimal one – exercised through “stable arrangements”.
The threshold for “stable arrangement” can be quite low, particularly in the context of online services (although this does not at all mean that mere access to a website in the EU constitutes establishment). In some circumstances, the presence of a single employee or agent in the EU may be sufficient where that agent or employee acts with a sufficient degree of stability.
Context of activities: To satisfy this test, there must be an inextricable link between the activities of the EU establishment and the processing of data carried out by the non-EU counterpart. If there is an inextricable link, then the GDPR will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in the data processing.
Therefore, non-EU organisations should assess each of their data processing activities and determine whether there are any potential links between the processing activity and the activities of any presence of the organisation in the EU.
If the above two tests are satisfied, then the GDPR will apply. This is regardless of whether the processing takes place in the EU or not. Moreover, the residence or geographical location of the individual (whose data is being processed) is irrelevant.
The targeting test
An organisation with no establishment in the EU may still be caught by the GDPR if it meets the targeting test.
An organisation could be directly subject to the GDPR if it processes the personal data of individuals who are in the EU, where the processing activities are related to the offering of goods or services to those individuals.
The Recitals to the GDPR state that the “mere accessibility” of the business’ website, of an email address or other contact details or the use of a generally-used language in the country in which the business is domiciled would be “insufficient” in and of itself to conclude that the business is offering services to individuals in the EU.
The EDPB guidelines list a number of factors to take into consideration when determining whether goods or services are offered to individuals in the EU. These include the following activities (via the internet or otherwise):
- the designation (or “singling out”) of the EU or at least one Member State of the EU by name;
- launching marketing and advertising campaigns directed at an EU country audience;
- paying a search engine operator for an internet referencing service to facilitate access to its site by people in the EU;
- the international nature of the activity at issue;
- the mention of an international clientele composed of clients domiciled in various EU Member States; and
- the use of different languages or currencies.
Each activity on its own may not amount to a clear indication that the business offers goods or services to individuals in the EU. However, each factor should be taken into account to determine whether the business’ activities constitute the offer of services to individuals in the EU.
The monitoring test
An organisation outside the EU may also be caught by the GDPR if it is monitoring individuals’ behaviour where their behaviour takes place in the EU.
The Recitals state that in order to determine whether a processing activity can be considered to monitor the behaviour of individuals, it should be ascertained whether the individuals are tracked on the internet. Tracking on the internet includes “potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes”.
The EDPB guidelines also say that while the Recital exclusively relates to the monitoring of behaviour through the tracking of a person on the internet, it considers that tracking through other types of network or technology should also be taken into account, for example through wearable and other smart devices.
Therefore, international businesses should review their website tracking activity and uses of automated analytical tools (such as cookies to track website usage). It is possible that these activities fall within the scope of the GDPR to the extent that the information collected is capable of identifying individuals.
What if the targeting test or monitoring test is satisfied?
The business would be required to designate an EU representative in accordance with the requirements of the GDPR. This person or company would act as the main contact for any questions and concerns regarding data protection in the EU. The appointment of an EU representative does not have the effect of creating an establishment and meeting the establishment test.
Controller or processor
The GDPR draws a distinction between a data controller – which determines the purposes and means of the processing of personal data (that is, the “how” and “why” personal data is processed) – and a data processor which processes personal data on behalf of, or on the instruction of, the data controller.
The EDPB guidelines emphasise the importance of this distinction, particularly when assessing the territorial scope of the GDPR. When determining whether the GDPR applies, the above three tests would need to be undertaken with each legal entity. A processor in the EU is not considered to be an establishment of a data controller based outside the EU. In such a scenario, the processor would be required to comply with its requirements under the GDPR (due to its establishment in the EU) but the controller would not.
The opposite also applies: if a controller is based in the EU and uses a processor outside the EU, the controller will be subject to the GDPR but the processor will not be. However, in this scenario, the controller would be required to ensure that its processor will meet certain requirements (including that there is a written agreement with GDPR-compliant clauses) which effectively means that the processor would be caught by the GDPR, albeit indirectly.
The EDPB draft guidelines do not contain all the answers and, for many businesses, the answer to the question “does the GDPR apply to us?” may still not be straightforward despite the guidelines. It is possible that the guidelines’ shortcomings will be addressed in the final text. However, there is no guarantee that the final text will be any clearer.
In the meantime, international businesses need to adopt a systematic approach and review all of their data processing activities. In doing so, the above tests will then need to be applied to determine which of those activities might be caught by the GDPR. Where your business consists of a group of multiple entities, the tests should be applied to each entity within the group. Having done this, you can then move forward in determining which divisions of your business, if any, require a GDPR-compliance programme.
Arjun Majumdar is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at firstname.lastname@example.org