The European Data Protection Board (“EDPB”) recently released Guidelines 3/2018 on the territorial scope of the GDPR (Article 3). The Guidelines, which address the key threshold issue of the GDPR’s applicability, are particularly important for companies outside the European Union seeking to understand the GDPR’s application to their business activities. The Guidelines are open to public comment until January 18, 2019, after which time the EDPB will publish a final version of the Guidelines.
The Guidelines primarily focus on two criteria that define the GDPR’s territorial scope: the “establishment” criterion (Article 3(1)) and the “targeting” criterion (Article 3(2)). The “establishment” criterion applies the GDPR to processing in the context of the activities of a controller or processor’s establishment in the EU. The “targeting” criterion applies the GDPR to processing related to the offering of goods or services to individuals in the EU or the monitoring of behavior in the EU. The Guidelines also address the requirement for a controller or processor not established in the EU to appoint a representative in the EU.
The Establishment Criterion
In discussing the “establishment” criterion, the EDPB first clarifies the meaning of “an establishment in the Union.” An establishment is any real or effective activity exercised through stable arrangements. An establishment can be a formal arrangement such as a subsidiary or branch, but it does not have to be. Significantly, the EDPB states that “the presence of one single employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability.” To determine whether a processing activity is “in the context of” an EU establishment, the EDPB recommends that non-EU organizations conduct an assessment of processing activities to identify any links between the processing activity and the organization’s presence in the EU.
The EDPB also addresses the question of whether the GDPR applies to a controller by virtue of its use of a processor established in the EU. The EDPB clarifies that, where the controller is not otherwise subject to the GDPR, the use of a processor in the EU will not bring the controller’s activities within the scope of the GDPR. The EU-established processor, however, will remain responsible for complying with all GDPR provisions directly applicable to processors.
The Targeting Criterion
In discussing the “targeting” criterion, the first step in the EDPB’s analysis is to clarify that the GDPR’s reference to data subjects in the EU does not require a data subject to have any citizenship or residency status. Indeed, the EDPB’s first example in this section illustrates how the GDPR applies to a city mapping application designed for use by tourists visiting EU cities.
In discussing the offering of goods and services, the EDPB clarifies that for the GDPR to apply, the conduct of the controller or processor must indicate the intent to offer goods and services to individuals in the EU. Factors to consider include any reference to the EU or a Member State when marketing the goods or services; marketing activities directed to the EU market; the international nature of the activity (e.g., tourist services); the mention of dedicated addresses or phone numbers to be reached from the EU; the use of certain top-level domain names (e.g., .de, .eu); travel instructions from the EU to the place where services are to be provided; references to clients in the EU; the use of a language or currency other than that generally used in the trader’s country (particularly if an EU language or currency); or offering to deliver goods to the EU.
In contrast, the EDPB notes that, where the behavior of individuals in the EU is monitored, the GDPR may apply even absent an “intention to target.” However, the mere collection of data from individuals in the EU will not constitute “monitoring.” In determining whether an activity constitutes “monitoring,” the EDPB takes into account the purpose of the processing and any subsequent behavioral analysis or profiling. Examples of monitoring activities include behavioral advertising; geo-localization activities; online tracking through cookies; personalized online diet and health analytics services; CCTV; market surveys and other behavioral studies based on individual profiles; and monitoring or regular reporting on an individual’s health status.
Appointment of a Representative
The EDPB provides guidance on the Article 27 requirement for a controller or processor to appoint a representative in the EU, which applies to controllers and processors subject to the GDPR via the targeting criterion. To meet this requirement, an organization may contract a service provider established in the EU. Significantly, the EDPB clarifies that a data protection officer cannot also serve as the representative in the EU, so an organization may not appoint the same service provider to fulfill both roles.
The EDPB Guidelines address a number of previously unanswered questions regarding the territorial scope of the GDPR. We expect to see further clarification over time through enforcement actions and case law. In addition, we recommend reviewing the final version of the Guidelines after the public consultation period, which may alter the EDPB’s initial analysis.