The European Data Protection Board ("EDPB" or the "Board") recently released new draft Guidelines 3/2018 on the territorial scope of the European Union's ("EU") General Data Protection Regulation ("GDPR") (the "Guidelines"). The Guidelines are intended to provide a common interpretation of Article 3 of the GDPR, and provide further clarification on the application of the GDPR–particularly where the data controller or processor is established outside of the EU. The EDPB has published this first version of the Guidelines to allow for public consultation about its contents until January 18, 2019, at which time the EDPB will issue a final version incorporating any changes or amendments made on the basis of comments received from stakeholders. The Guidelines are intended to assist both relevant data protection authorities and businesses by providing a common interpretation on the scope of application of the GDPR. We've broken them down and highlighted some of the key insights from the Board.

One of the biggest changes in the GDPR (as compared to the EU's Data Protection Directive (EU 95/46/EC), which it replaces) is its jurisdictional scope. Article 3 defines the territorial scope of the GDPR, explaining that the GDPR applies on the basis of three criteria:

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Although the Guidelines provide analysis on Articles 3(1), 3(2) and 3(3) of the GDPR, as well as additional clarification about the requirement for controllers and processors not established in the EU to appoint a representative, of primary relevance to most businesses are the discussion and examples relating to the "establishment" criterion, as set forth in Article 3(1), and the "targeting" criterion as set forth in Article 3(2). We have outlined the key information presented in the Guidelines below.

Key Issues Addressed by the Guidance

Article 3(1): The Establishment Criterion

The first criterion for falling within the scope of the GDPR is where a controller or processor processes personal data "in the context of the activities of an establishment . . . in the Union." The EDPB recommends a threefold approach to determining whether an organization is subject to the GDPR under Article 3(1):

    • Consideration 1: "An establishment in the Union"
    • Consideration 2: Processing of personal data carried out "in the context of the activities of" an establishment
    • Consideration 3: Application of the GDPR to the establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.

Each of these considerations is addressed in further detail below.

    • Consideration 1: "An establishment in the Union"

The Guidelines point out that although the GDPR does not expressly define the term "establishment" for the purpose of Article 3, Recital 22 states that an "[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect."

The Guidelines explain that when determining whether an "establishment" exists, "both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be considered in the light of the specific nature of the economic activities and the provision of services concerned." They further state that the threshold for having an establishment is a low one and, depending on the particular circumstances, may be satisfied even where an entity has just a single employee or agent in the EU. According to the Guidelines, an establishment may exist even in the absence of a branch or subsidiary in the EU. On the other hand, and highly relevant for many U.S. organizations, the Guidelines explicitly state that the mere fact that a non-EU entity maintains a website accessible from the EU is not sufficient to create an establishment.

Unfortunately, the Guidelines do not provide much greater insight into what factors are considered to determine whether the "degree of stability" or "exercise of activities" create an establishment. They include only a single, fairly straightforward example of a US automobile manufacturing company that has a fully-owned branch office located in the EU that oversees European operations, and assert that this constitutes a sufficiently stable arrangement, exercising real and effective activities, so as to create an establishment. The Guidelines further reference several Court of Justice of the European Union cases, including Google Spain SL, Google Inc. v AEPD, Mario Costeja González (C-131/12), Weltimmo v NAIH (C-230/14), Verein für Konsumenteninformation v Amazon EU Sarl (C-191/15), and Wirtschaftsakademie Schleswig-Holstein (C-210/16); however, no tangible additional criteria are provided.

    • Consideration 2: Processing of personal data carried out "in the context of the activities of" an establishment

Article 3(1) makes clear that the applicability of the GDPR depends not on the location where the processing takes place, but rather on whether the processing is carried out "in the context of the activities" of the entity's EU establishment. This determination is largely fact-driven, and the Guidelines confirm that some commercial activity led by a non-EU entity within a Member State may be so far removed from the processing of personal data by this entity that the commercial activity in the EU would not be sufficient to bring that data processing within the scope of the GDPR.

Thus, to assess this factor, the Guidelines suggest that the analysis focus on identifying potential links between the activity for which the personal data is being processed, and the activities of the entity's EU establishment. If the processing is linked to activity of the EU establishment, then the analysis should turn to the nature of any links identified between the processing and the EU establishment. The Guidelines further state that revenue raising within the EU may also be a factor in the analysis of this consideration.

    • Consideration 3: Application of the GDPR to the establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not

The final consideration merely reiterates the Board's view that the location of the processing is not relevant in the assessment of the GDPR's applicability under Article 3(1). The Guidelines make clear that the GDPR may apply even where processing activities take place wholly outside the EU (e.g., an EU-based controller who outsources data processing to a processor located outside of the EU) and even where the personal data being processed belongs to data subjects located outside of the EU.

Article 3(2): The Targeting Criterion

The next criterion for falling within the scope is whether the processing of personal data is "related to: (a) the offering of goods or services . . . to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union." The EDPB recommends a twofold approach to determining whether an organization is subject to the GDPR under Article 3(2):

    • Consideration 1: Data subjects in the Union
    • Consideration 2a: Offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union
    • Consideration 2b: Monitoring of data subjects' behavior

Each of these considerations is addressed in further detail below.

    • Consideration 1: Data subjects in the Union

The Guidelines make clear that under this first consideration related to Article 3(2), for the GDPR to apply data subjects must be located in the EU; however, this does not require that data subjects be EU citizens, residents, or have other specific legal status. Location is assessed at the moment the relevant trigger activity takes place, i.e., the moment the goods or services are offered or the data subject is monitored.

The EDPB explains, however, that presence in the EU alone or processing of personal data belonging to EU data subjects itself is not determinative of GDPR's applicability. Rather, the element of "targeting" individuals in the EU, either by offering goods or services to them or by monitoring their behavior (as discussed in Consideration 2b below), must always be present in addition to presence in the EU.

    • Consideration 2a: Offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union

Next, the Guidelines address the requirement of offering goods and services to data subjects in the EU. The Guidelines make clear that this consideration relies heavily upon intent, and that payment for goods and services is not necessary. In addition to traditional factors such as offering goods and services in local languages and currencies, the Guidelines describe several factors to be considered as evidencing such an intent, including:

    • Referencing the EU or a Member State;
    • Paying a search engine operator for an internet referencing service to facilitate access to the site by EU consumers;
    • Marketing/advertising in the EU;
    • The international nature of the activity at issue;
    • Posting a dedicated EU address or phone number;
    • Using EU domain names;
    • Including travel instructions from a Member State to the place where the product or service is provided;
    • Including testimonials or other mentions of international clientele from the EU or Member States;
    • Using a language or currency other than that used in the entity's country (especially where the language or currency is one used in one or more Member States); and
    • Offering EU delivery.

The Guidelines state that none of the above in isolation should be considered a "clear indication" of offering goods or services to data subjects in the EU, but all should be considered collectively, on a case-by-case basis, to make the determination.

    • Consideration 2b: Monitoring of data subjects' behavior

On the monitoring consideration, the Guidelines confirm that to trigger the application of the GDPR under Article 3(2)(b), "the behaviour monitored must first relate to a data subject in the Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the Union." The Guidelines explain that with respect to monitoring, unlike the offering of goods and services consideration, there is no requisite "intention to target." However, "monitoring" implies that the controller must have a "specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual's behavior in the EU." In addition to monitoring through the tracking of a person on the internet as referenced in Recital 24, the EDPB believes other types of tracking, such as through wearable and smart devices, constitute monitoring. Additional examples referenced in the Guidelines include:

    • Behavioral advertising;
    • Geo-locating activities;
    • Personalized diet and health analytics services online;
    • CCTV;
    • Market surveys and other behavioral studies based on individual profiles; and
    • Monitoring or regular reporting on an individual's health status.

The Guidelines warn that with respect to the targeting criterion, entities must take into account other applicable texts, such as EU or Member States' sectorial legislation and national laws. Because certain provisions of the GDPR allow Member States to introduce additional conditions and define a specific data protection framework at national level in certain areas, organizations must ensure that they address any additional conditions and frameworks which may apply.

Article 3(3): Applicability Based on Public International Law

The final way in which the GDPR might apply based on territorial scope relates to the operation of public international law. The Guidelines explain that international law, such as the Vienna Convention on Diplomatic Relations of 1961 and the Vienna Convention on Consular Relations of 1963, may result in the GDPR applying to processing carried out by EU Member States' embassies and consulates, so long as the processing falls within the material scope of the GDPR.

Article 27: EU Representative

The Guidelines also provide further detail on the designation of a representative by entities that are subject to the GDPR under Article 3(2). The obligation to designate a representative comes from Article 27(1), which states that "[w]here Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union."

The Guidelines provide further insight into the obligations and responsibilities of a designated representative, explaining that the representative should:

    • Facilitate communication between data subjects and the controller and/or processor relating to the exercise of data subject rights (however, the representative is not responsible for actually complying with or responding to data subject rights requests);
    • Maintain Article 30 records of processing activities (however, this is considered a joint obligation with the controller and/or processor); and
    • Cooperate with supervisory authorities by acting as point of contact in connection with any matter relating to the compliance obligations of the entity and facilitating informational or procedural exchanges between the entity and the supervisory authority.

The Guidelines also set out certain criteria for the representative, explaining that the representative should be:

    • A natural or legal person (this may include a commercial or non-commercial entity, including law firms, consultancies, etc.);
      • The Guidelines recommend, however, that where an entity serves as the designated representative, the controller or processor should designate a single individual as a lead contact or "person in charge," and should do so in the service agreement with the representative;
    • Established in one of the Member States where the data subjects are located;
    • Able to communicate effectively with data subjects and supervisory authorities, including in local languages and with the help of a team if necessary; and
    • Listed in the controller's / processor's privacy notice.

Interestingly, the Guidelines state that the EDPB does not consider the function of representative in the Union as compatible with the role of an external data protection officer ("DPO"). This is because there exist potential conflicts of obligation and interests between the two roles. For example, Article 38(3) requires that controllers or processors ensure that the DPO "does not receive any instructions regarding the exercise of [his or her] tasks" and Recital 97 adds that DPOs, "should be in a position to perform their duties and tasks in an independent manner." Conversely, a representative is governed by contract with the controller or processor and would be acting on its behalf and, therefore, under its direct instruction. Because of this incompatibility, the Board indicates that the same individual or entity should not be used to fulfill both roles.

Lastly, the Guidelines point out that designating a representative pursuant to Article 27 does not create an establishment under Article 3(1).

Takeaways

Overall, the Guidelines provide some additional insight and color around the GDPR's territorial scope but, in many cases, include only very straightforward examples of the application of Article 3. Moreover, the EDPB does not attempt to address more complicated issues, such as those involving multiple related entities established in different countries. The guidance also leaves unanswered the potential jurisdictional questions that may be involved with attempting enforcement against an entity based completely outside of the EU.

The Guidelines state throughout that, while they are intended to provide assistance in interpreting these requirements, truly evaluating the GDPR's applicability under Article 3 requires a case-by-case analysis taking into account the specific facts at issue. Therefore, we suggest that organizations with specific or more complicated issues seek guidance from legal counsel with experience advising on GDPR issues.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.