In the lead-up to the General Data Protection Regulation (GDPR) taking effect on 25 May 2018, much focus has understandably been on the steps needed to ensure compliance. However, for certain non-EU organisations an alternative (and possibly more cost- and time-efficient) approach has been to explore what steps can be taken to avoid falling within the scope of the GDPR altogether. We explore this in further detail in the sections which follow.
When does the GDPR apply?
One of the key elements of the GDPR is its broad potential for extra-territorial impact. This is one prominent factor that distinguishes the GDPR from the framework it replaces, the European Data Protection Directive 95/46/EC (Directive). Under the Directive, an organisation was subject to European data protection legislation only if it had some kind of "establishment" in an EU member state or if it made use of equipment located in an EU member state.
The GDPR continues to recognise the concept of an entity having some kind of "establishment" in the EU as one of the limbs under which the entity is caught (Article 3(1)) 1. However, it extends the scope further by providing (Article 3(2)) that organisations without any EU establishment (Non-EU Entities) may still be caught by the GDPR in respect of their data-processing activities where they are:
(a) offering goods or services to; or
(b) monitoring the behaviour of,
individuals who are in the EU. As to the first extra-territorial limb, "offering goods or services to", it is important to note that under the GDPR this applies irrespective of whether a payment is required for the goods or services. As to the second limb, "monitoring the behaviour of", the behaviour being monitored must itself take place within the EU for the limb to apply.
Non-EU Entities – "offering goods or services to"
Whether or not a Non-EU Entity is considered to be "offering goods or services to" individuals in the EU is a question of both fact and appearances, requiring assessment on a case-by-case basis. The mere fact that a Non-EU Entity operates a website which can be accessed by an individual in the EU is not, on its own, sufficient for it to be caught under this limb. Rather, it must be "apparent" (taking into account all relevant factors) that the Non-EU Entity envisaged offering goods or services to individuals in the EU. If the entity is caught under this limb, it is subject to the GDPR in relation to the relevant data-processing activities.
Many Non-EU Entities finding themselves in this situation are understandably opting to undertake the compliance steps required under the GDPR – which may involve comprehensive auditing exercises, redrafting of internal and external policies, implementation of technical solutions, and knowledge and awareness campaigns. Such exercises are potentially both time-consuming and costly, depending on the level of compliance-driven reform required. Alternatively, some Non-EU Entities have instead been reviewing their actual goods and services offerings with a view to restructuring them so as to mitigate the risk of the GDPR applying, and to structure any future offerings accordingly. Whether a compliance-focused approach is preferable to an avoidance-focused one is very much a case-by-case assessment. However, for Non-EU Entities offering or planning to offer goods or services that would not be of particular relevance to individuals in the EU, or where such individuals would form only a very small or incidental component of the customer base, an avoidance-driven approach may be preferred.
Unfortunately, there is no simple or single answer as to exactly what steps a Non-EU Entity should take to help ensure it is not caught by the GDPR as a result of being considered to be "offering goods or services to" individuals in the EU. Again, this is an individual assessment taking into account the particulars of the organisation and its operations. However, certain general factors may be helpful as a starting point. These include:
- Currencies – where a Non-EU Entity's website is offering goods or services for sale, will it include options to purchase these goods or services in euros or other currencies used by EU member states?
- Languages – will the Non-EU Entity's website or any other materials (or any component thereof, such as order forms or payment gateways) be made available in any uniquely or widely spoken European languages?
- Contact details – will the Non-EU Entity list any contact details with a European nexus (for example, a P.O. box based in the EU or a local EU telephone number)?
- Website addresses – will the Non-EU Entity's website use a generic top-level domain such as .com or .org, as opposed to a European country-code top-level domain (or the .eu domain)?
- Marketing and promotional materials/activities – will any marketing or promotional activities highlight or appear to promote the goods or services to EU-based individuals (for example, including testimonials from EU-based customers on a website)?
The above are just a handful of the factors that should be taken into consideration (collectively, rather than in isolation) when assessing whether a Non-EU Entity's activities or proposed activities may trigger the application of the GDPR under this extra-territorial limb. Ultimately, whether a Non-EU Entity is considered to be "offering goods or services to" individuals in the EU is a question of fact – and one which requires a comprehensive assessment of how such offerings are structured.
Non-EU Entities – "monitoring the behaviour of"
It is important to underscore at this point that, as noted above, even if a Non-EU Entity is not found to be "offering goods or services to" individuals in the EU, it may still be caught under the "monitoring the behaviour of" limb of the extra-territorial test.
Unfortunately, the GDPR does not define what constitutes "monitoring" – so at present it is not entirely clear when this test is triggered. One interpretation (drawn from Recital 24) is that "monitoring" refers to individuals in the EU being "tracked on the internet", including the potential subsequent use of profiling techniques. However, related guidance that has been issued suggests that the intended scope may be considerably broader. We will look at this aspect in further detail in a future article, but for present purposes it suffices to say that Non-EU Entities seeking to avoid being caught by the GDPR must bear in mind both the "offering goods or services to" and the "monitoring the behaviour of" tests in equal measure.
The GDPR will usher in a new era of data protection considerations – not only in the EU but also on a global stage for organisations that may be caught by its broad extra-territorial provisions. Whether a Non-EU Entity is potentially caught by the GDPR is a matter of both fact and perception. And whether such an entity, if potentially caught, is best advised to take steps toward compliance or toward avoidance depends entirely on the particular facts and circumstances of the organisation and its operations.
We have provided some insights in this article into certain steps Non-EU Entities have been taking to mitigate the risk of the GDPR applying to them under the "offering goods or services to" limb of the extra-territorial tests. The factors noted, however, are not exhaustive. When in doubt, your legal advisers should be able to assist.
1 It is worth noting that the concept of an "establishment" for GDPR purposes is likely to be construed rather broadly (that is to say, not limited to a "bricks and mortar" presence), as it has historically been in certain cases decided under the Directive. Recital 22 of the GDPR reflects this, referring to the effective and real exercise of activity through stable arrangements, regardless of legal form.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.