GDPR’s territorial reach: how far does it go?

Arjun Majumdar

International businesses headquartered outside the EU but doing business in the EU need to know if EU data protection laws apply to them in order to avoid compliance problems and the possibility of significant fines.

The starting point is the territorial scope of the EU General Data Protection Regulation (“GDPR”). Virtually all European businesses will fall within the scope of the GDPR. However, the question as to whether the GDPR applies to an organisation outside the EU is not always straightforward.

On 23 November 2018, the European Data Protection Board (“EDPB”) – an independent European body that is composed of representatives of national data protection authorities – published guidelines to help shed some light on the GDPR’s territorial scope.

The guidelines were open for public consultation until 18 January 2019, so the published version is not the final one. In the meantime, the existing version should be applied, albeit with a degree of caution, to provide some insight into the factors international businesses should be considering when determining the extent to which the GDPR applies to them.

In this article, we discuss the EDPB’s territorial scope guidelines and highlight key points.

Determining the territorial scope of the GDPR

The GDPR applies to the processing of personal data in the context of the activities of an establishment of an organisation in the EU, regardless of whether the processing takes place in the EU or not.

This is the “establishment test”.

However, the GDPR also applies to the processing of personal data of people who are in the EU by an organisation not established in the EU, where the processing activities are related to either:

  • the offering of goods or services (free or charged) to those persons in the EU (we shall refer to this as the “targeting test”); or
  • the monitoring of their behaviour where their behaviour takes place in the EU (and we shall refer to this as the “monitoring test”).

Therefore, in order for the GDPR to apply to your business, either the establishment test, targeting test or monitoring test would need to be satisfied.

The establishment test

The establishment test is essentially split into two sub-tests:

Establishment: The GDPR does not define “establishment”. However the Recitals, together with EU case law, clarify that an establishment implies “real” and “effective” activity – even a minimal one – exercised through “stable arrangements”.

The threshold for “stable arrangement” can be quite low, particularly in the context of online services (although this does not at all mean that mere access to a website in the EU constitutes establishment). In some circumstances, the presence of a single employee or agent in the EU may be sufficient where that agent or employee acts with a sufficient degree of stability.

Context of activities: To satisfy this test, there must be an inextricable link between the activities of the EU establishment and the processing of data carried out by the non-EU counterpart. If there is an inextricable link, then the GDPR will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in the data processing.

Therefore, non-EU organisations should assess each of their data processing activities and determine whether there are any potential links between the processing activity and the activities of any presence of the organisation in the EU.

If the above two tests are satisfied, then the GDPR will apply. This is regardless of whether the processing takes place in the EU or not. Moreover, the residence or geographical location of the individual (whose data is being processed) is irrelevant.

The targeting test

An organisation with no establishment in the EU may still be caught by the GDPR if it meets the targeting test.

An organisation could be directly subject to the GDPR if it processes the personal data of individuals who are in the EU, where the processing activities are related to the offering of goods or services to those individuals.

The Recitals to the GDPR state that the “mere accessibility” of the business’ website, of an email address or other contact details or the use of a generally-used language in the country in which the business is domiciled would be “insufficient” in and of itself to conclude that the business is offering services to individuals in the EU.

The EDPB guidelines list a number of factors to take into consideration when determining whether goods or services are offered to individuals in the EU. These include the following activities (via the internet or otherwise):

  • the designation (or “singling out”) of the EU or at least one Member State of the EU by name;
  • launching marketing and advertising campaigns directed at an EU country audience;
  • paying a search engine operator for an internet referencing service to facilitate access to its site by people in the EU;
  • the international nature of the activity at issue;
  • the mention of an international clientele composed of clients domiciled in various EU Member States; and
  • the use of different languages or currencies.

Each activity on its own may not amount to a clear indication that the business offers goods or services to individuals in the EU. However, each factor should be taken into account to determine whether the business’ activities constitute the offer of services to individuals in the EU.

The monitoring test

An organisation outside the EU may also be caught by the GDPR if it is monitoring individuals’ behaviour where their behaviour takes place in the EU.

The Recitals state that in order to determine whether a processing activity can be considered to monitor the behaviour of individuals, it should be ascertained whether the individuals are tracked on the internet. Tracking on the internet includes “potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes”.

The EDPB guidelines also say that while the Recital exclusively relates to the monitoring of behaviour through the tracking of a person on the internet, it considers that tracking through other types of network or technology should also be taken into account, for example through wearable and other smart devices.

The guidelines suggest that the use of the word “monitoring” implies that the business has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. The EDPB does not consider, on the other hand, that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring”. It is instead necessary to consider the business’ purpose for processing the data and, in particular, the subsequent behavioural analysis or profiling techniques involving that data. The guidelines also set out a non-exhaustive list of the sort of activities which would constitute monitoring which includes behavioural advertising, online tracking through the use of cookies, CCTV, market surveys, geo-localisation activities and other tracking techniques.

Therefore, international businesses should review their website tracking activity and uses of automated analytical tools (such as cookies to track website usage). It is possible that these activities fall within the scope of the GDPR to the extent that the information collected is capable of identifying individuals.

What if the targeting test or monitoring test is satisfied?

The business would be required to designate an EU representative in accordance with the requirements of the GDPR. This person or company would act as the main contact for any questions and concerns regarding data protection in the EU. The appointment of an EU representative does not have the effect of creating an establishment and meeting the establishment test.

Controller or processor

The GDPR draws a distinction between a data controller – which determines the purposes and means of the processing of personal data (that is, the “how” and “why” personal data is processed) – and a data processor which processes personal data on behalf of, or on the instruction of, the data controller.

The EDPB guidelines emphasise the importance of this distinction, particularly when assessing the territorial scope of the GDPR. When determining whether the GDPR applies, the above three tests would need to be undertaken with each legal entity. A processor in the EU is not considered to be an establishment of a data controller based outside the EU. In such a scenario, the processor would be required to comply with its requirements under the GDPR (due to its establishment in the EU) but the controller would not.

The opposite also applies: if a controller is based in the EU and uses a processor outside the EU, the controller will be subject to the GDPR but the processor will not be. However, in this scenario, the controller would be required to ensure that its processor will meet certain requirements (including that there is a written agreement with GDPR-compliant clauses) which effectively means that the processor would be caught by the GDPR, albeit indirectly.


The EDPB draft guidelines do not contain all the answers and, for many businesses, the answer to the question “does the GDPR apply to us?” may still not be straightforward despite the guidelines. It is possible that the guidelines’ shortcomings will be addressed in the final text. However, there is no guarantee that the final text will be any clearer.

In the meantime, international businesses need to adopt a systematic approach and review all of their data processing activities. In doing so, the above tests will then need to be applied to determine which of those activities might be caught by the GDPR. Where your business consists of a group of multiple entities, the tests should be applied to each entity within the group. Having done this, you can then move forward in determining which divisions of your business, if any, require a GDPR-compliance programme.


Arjun Majumdar is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at 

ICO publishes blog on the EU-US Privacy Shield

Laura Monro

Following the approval of the EU-US Privacy Shield on 1 August 2016, the ICO has published a blog summarising the “what, why, and how” of transferring data from the UK to the USA.

Whilst it remains the case that:

  1. the eighth data protection principle requires organisations that wish to transfer personal data outside of the EEA to ensure an adequate level of protection for data subjects; and
  2. the European Commission has not deemed the USA as providing such adequate level of protection,

transfers to the USA are “adequate” if the organisation receiving the personal data is certified under the EU-US Privacy Shield.

The ICO makes it clear that any organisation still relying on the predecessor to the EU-US Privacy Shield, the Safe Harbor scheme, to transfer personal data from the UK to the USA needs to review their position. Seeking to continue to rely on the Safe Harbor scheme on its own will mean that an organisation is acting in breach of the Data Protection Act.

As a first step, the ICO recommends that any organisation looking to transfer data to the USA should ensure that the receiving organisation is certified under the EU-US Privacy Shield – if the receiving organisation is not certified you will need to rely on other ways to legally transfer the personal data to the USA.

At the present time, these include the model contractual clauses and binding corporate rules. However, the ICO is aware that such methods, whilst currently valid, are not free from uncertainty. This is not least because the model contractual clauses have been referred to the EU court by the Irish data protection regulator as to whether these clauses provide the adequate level of protection for international data transfers.

The ICO intends to issue guidance for organisations on international data transfers early in the Autumn – watch this space.

Laura Monro is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at

Privacy Shield, the new Safe Harbor

Nigel Miller

The EU has approved a new framework for transfers of personal data from the EU to the US, called the EU-US Privacy Shield. The Privacy Shield will replace the old ‘Safe Harbour’, which was ruled invalid in October 2015.

According to the EU, the EU-US Privacy Shield is fundamentally different from the old ‘Safe Harbor’. Like Safe Harbor, it is a self-certification process. However, it imposes stronger obligations on companies handling the data to make sure that the rules are followed and enforced in practice.

Also, for the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data. Privacy Shield also provides some mechanisms for redress including a specific ombudsman.

Registration for Privacy Shield can begin on 1 August 2016. US companies that wish to take advantage of Privacy Shield can benefit from a nine-month grace period to get into compliance if they register for Privacy Shield before the end of September 2016. So this does not give much time to decide about this and take action.

Unfortunately, while Privacy Shield is a very welcome development, it does not mean that the whole vexed issue of transfers from the EU to the US has been resolved. The Article 29 Working Party – made up of the European data protection regulators – has been critical of certain aspects of Privacy Shield, which raises the possibility that Privacy Shield will itself be subject to challenge at some point.

In addition, the EU Model Clauses – the main enabling solution for transfers of personal data from the EU – have also been referred to the EU court by the Irish data protection regulator and could possibly suffer the same fate as Safe Harbor.

Privacy Shield – progress, but not the legal certainty that businesses need.

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at

EU and US agree in principle on Safe Harbor 2.0: “EU-US Privacy Shield”

Nigel Miller

A couple of days after expiry of the 31 January deadline, political agreement has been reached for a new arrangement for data transfers from the EU to the US, to be known as the “EU-US Privacy Shield” (aka Safe Harbor 2.0).

This follows the European Court of Justice decision in October 2015 in the Schrems case that the (old) Safe Harbour arrangement was invalid.

The new arrangement will provide stronger obligations on US companies to protect the personal data of Europeans and stronger monitoring and enforcement by the US FTC.

To facilitate the data flows, the US has been forced for the first time to give a commitment that access by US public authorities to the personal data of EU citizens will be subject to clear conditions, limitations and oversight. The US has also given an assurance that it will not conduct mass or indiscriminate surveillance of Europeans.

US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the FTC.

It is very common for EU-based subsidiaries of US groups to transfer HR data to the US parent. Under the EU-US Privacy Shield any US company handling HR data from Europe will have to commit to comply with decisions by European DPAs.

In addition, Europeans who consider that their data has been misused will be able to raise any enquiry or complaint with a dedicated new Ombudsperson.


While it is remarkable to reach agreement on such matters within such a short space of time, underlining the political urgency, it’s not all done yet. The EU have to prepare a draft “adequacy decision” in the coming weeks. And the US have to put in place the new monitoring mechanisms and new Ombudsman. We continue to watch the space!

Meanwhile, bear in mind that Safe Harbor / the EU-US Privacy Shield is not the only solution to data transfers from the EU to the US and we continue to work with many companies to put in place other solutions, such as contracts based on model clauses or binding corporate rules.


At last, agreement on EU data protection reform

Nigel Miller

First proposed in January 2012, agreement has finally been reached between the European Commission, the European Parliament and the Council (the so-called ‘trilogue’) regarding a new General Data Protection Regulation (GDPR).

Current data protection rules are based on the 1995 Data Protection Directive, which predates mainstream internet, social media, big data, the cloud and other advances in technology which shape the way business operates today. It’s a classic case of legislation not keeping pace with technological development; its overhaul is well overdue.

A key benefit of the GDPR will be a single harmonised data protection law covering the whole of the EU. At present, each EU state has implemented its own version of the 1995 Directive and differences can apply in different member states.

The main highlights are summarized as follows:

A stricter regulatory environment

Reflecting ever-increasing concerns about how personal data is used in the digital economy, and the continuous flow of news reports about data security breaches, the GDPR imposes a much higher burden of compliance on business. Specific points include:

  • Fines – the maximum fine for breach of the GDPR is to be set at 4 per cent of a company’s worldwide turnover. Currently the maximum fine under the DPA is £500,000. This alone should be enough to put the GDPR onto every Board’s agenda.
  • Easier access to data: individuals will have (and businesses will be required to provide) more information on how their data is processed and this information should be available in a clear and understandable way.
  • Consent – a new more expansive and specific definition of consent requires that it must be a “freely given, specific, informed and unambiguous indication of his or her wishes” by which the data subject, either “by a statement or by a clear affirmative action”, signifies agreement to personal data relating to them being processed.
  • Additional administrative burden – businesses must keep a record of any data processing activities under their responsibility (referred to as documentation) and must carry out data protection impact assessments (DPIAs) if they are processing data using new technologies and this is likely to result in a high risk to personal data.
  • Rules for innovation – the regulation requires that data protection safeguards are built into products and services from the earliest stage of development (privacy by design). Privacy-friendly techniques such as pseudonymisation are encouraged by the GDPR, to allow the benefit of big data innovation while protecting privacy.
  • Data protection officers – companies will be required to appoint data protection officers if they process sensitive data or collect information from consumers on a large scale. This will be an additional cost to many companies, although there is an exemption applicable to SMEs – see below.
  • Data processors – the GDPR treats data processors as data controllers if they process personal data otherwise than in accordance with the data controller’s instructions, and subjects data processors to fines for breaches of the GDPR; under current rules, in general, only the data controller is responsible for compliance.
  • Data breach notification – companies and organisations must notify the national supervisory authority (that’s the ICO in the UK) of serious data breaches as soon as possible so that users can take appropriate measures.

Individual rights

As well as the above, the new rules strengthen existing rights to include:

  • a right to data portability – the GDPR will make it easier for consumers to transfer personal data between service providers such as social network platforms and SaaS service providers;
  • right to be forgotten – EU citizens will have a stronger right to require that their data is deleted provided that there are no legitimate grounds for retaining it, which may require a business to rethink its current policy on data retention and deletion.

International aspects

  • Impact on non-EU businesses – the new rules will apply to companies who do not have a physical presence in the EU but offer services in the EU and collect data about EU data subjects. This will, for example, affect many US companies that provide services into the EU.
  • International data transfers – the position regarding transfers of data outside of the EU is unsatisfactory, highlighted by the recent invalidation of the Safe Harbor framework in respect of transfers to the US. However, it seems that the position under the GDPR will be largely unchanged from the current position.
  • One continent, one law – The GDPR will establish one single set of rules for the whole of the EU which will make it simpler and cheaper for companies to do business in the EU.
  • One-stop-shop – businesses will only have to deal with one single supervisory authority.

Exemptions for SMEs

Under the new rules, SMEs benefit from certain exemptions to reduce the burden of compliance:

  • No more notifications: the requirement to notify to / register with the ICO is to be scrapped.
  • Subject access: Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access.
  • Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
  • Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a high risk.

Next steps

Before the GDPR becomes law, the final text must be formally adopted by the European Parliament and Council, which is set to happen at the beginning of 2016.

The new rules will then become applicable across the EU two years thereafter.

For more information on how the GDPR will affect your business, please contact Nigel Miller (partner) or Sian Barr (associate) at Fox Williams LLP.