At the end of November, the European Data Protection Board (the "EDPB") released Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (the "Guidelines") for public consultation.

The Guidelines reiterate that the General Data Protection Regulation (the "GDPR") has a broad scope for the protection of personal data, not only of EU citizens, but for everyone. In other words, the GDPR applies to data subjects in the EU, regardless of nationality or legal status.

Article 3 of the GDPR defines its territorial scope on the basis of two main criteria: (1) the "establishment" requirement (Article 3(1)), meaning an EU-based data controller or processor; and (2) the "targeting" requirement (Article 3(2)), where a controller or processor is not established in the EU but is engaging in certain processing activities. Where one of these two criteria is met, the GDPR will apply to the processing of personal data by the controller or processor.

It is important to note that, for an organization not established in the EU, merely processing the personal data of an individual in the EU is not sufficient to trigger the application of the GDPR to the processing activity. In addition to the processing, the element of targeting individuals in the EU must be present. The Guidelines give the following example:

A U.S. citizen is travelling through Europe during his holidays. While in Europe, he downloads and uses a news app that is offered by a U.S. company. The app is exclusively directed at the U.S. market. The collection of the U.S. tourist's personal data via the app by the U.S. company is not subject to the GDPR.

It is this "targeting" requirement that has left Canadian businesses, who do not meet the "establishment" requirements, scratching their heads.

To help businesses understand whether they are "targeting", the Guidelines recommend a two-step analysis set out below:

Step 1 of the Analysis: Determine whether the processing activity relates to the personal data of data subjects who are in the EU.

When considering whether the GDPR applies, Canadian businesses must first assess whether they are dealing with data subjects physically located in the EU. This assessment should take place at the moment when the relevant trigger activity takes place (i.e., at the moment of offering goods or services, or the moment when the behaviour is being monitored).

Step 2 of the Analysis: Is there a triggering event?

Once Canadian businesses have concluded that data subjects physically within the EU are implicated, then they move to the second step of the analysis, which is whether they are engaged in a "targeting" activity.

Offering goods or services

The first type of activity that triggers the application of Article 3(2) is the "offering of goods and services" directed at an individual in the EU and specifically, a demonstrated intention to offer goods or services to an individual in the EU. 

The Guidelines list certain factors that could be taken into consideration, possibly in combination with one another, when determining whether goods or services are offered to a data subject in the EU. For example, the mention of a dedicated address or phone number to be reached from an EU country, an offer by the data controller to deliver goods in EU Member States, or the use of a language or currency other than one generally used in the organization's country (particularly a language or currency of one or more EU Member States) may indicate an intention to offer goods or services to data subjects in the EU. The targeting requirement of "offering of goods or services" applies regardless of whether a payment by the data subject is required.

The Guidelines reiterate that Recital 23 confirms that the mere accessibility of a website in the EU, the mention on a website of its email or geographical address or of its telephone number without an international code does not, of itself, provide sufficient intention to offer goods or services to data subjects in the EU.

Monitoring data subjects' behaviour

The second type of activity that triggers the application of Article 3(2) is the monitoring of data subject behaviour that takes place within the EU (Article 3(2)(b)).

Contrary to Article 3(2)(a), when making a determination of whether a monitoring activity falls under Article 3(2)(b), there is no consideration of whether the organization had an "intention to target". Having said that, the EDPB "does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as "monitoring"." As a result, Canadian businesses must consider their purpose for processing the data and any behavioural analysis or profiling techniques involving that data. Some examples of "monitoring" listed in the Guidelines are:

  • Geo-localization activities, in particular for monitoring purposes
  • Online tracking through the use of cookies or other tracking techniques (i.e., fingerprinting)
  • CCTV
  • Market surveys or other behavioural studies based on individual profiles.

The Guidelines also discuss designating a representative of controllers or processors not established in the EU as well as processing in a place where Member State law applies by virtue of public international law.

Canadian businesses, particularly those with no physical presence in the EU, have been struggling to manage their compliance efforts with respect to the GDPR. These Guidelines should help organizations better understand when they may be subject to the GDPR. The Guidelines are in draft form and comments must be submitted before January 18, 2019.
