TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | EDPB's common sense approach to the GDPR's territorial scope Related reading: Brexit and data protection: Laying the odds

rss_feed

""

GDPR-Ready_300x250-Ad
PrivacyTraining_ad300x250.Promo1-01

The EU General Data Protection Regulation is now a fully functioning six-month old creature, which has brought with it significant evolutionary changes. One of the most notable innovations of the new European data protection framework is its ambitious extra-territorial application. The introduction of brand new grounds for the applicability of the law was a major development.

As a result, and as essential as this is, the GDPR's territorial scope of application has become one of the most difficult issues to pin down.  Therefore, the publication of the European Data Protection Board's draft guidelines on the territorial scope of the GDPR marks an important milestone in understanding the implications of this influential framework.

It is fair to say that the publication of regulatory guidance always generates some trepidation. Will it match our current understanding of the law? Will it be pragmatic? Will it be strict? Or a bit of both? Given the consequences of determining whether the GDPR applies or not to any given data activities, it is crucial to get this issue right.

On this occasion, the EDPB has produced a detailed 23-page document that is both authoritative and full of common sense.

Confirming old ground

The guidelines start by treading into well-known territory: the "establishment criterion." Following a principle that already existed under the 1995 Data Protection Directive, the GDPR will apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU. So the EDPB relies on existing case law to consolidate its opinion on this criterion. 

In other words, the EDPB does not change the interpretation of this criterion but simply follows the doctrine established by the Court of Justice of the European Union in various ground-breaking decisions. In essence, if the activities of a local establishment in an EU member state and the data processing activities of a data controller or processor established outside the EU are inextricably linked, that will trigger the applicability of EU law, even if that local establishment is not actually taking any role in the data processing itself.

In interpreting this principle, the EDPB reasonably points out that in line with the CJEU's thinking, it is not possible to conclude that a non-EU entity has an establishment in the Union merely because its website happens to be accessible in the EU.

Furthermore, the existence of an establishment within the meaning of the GDPR should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law.

Perhaps even more crucially, the EDPB confirms that a processor in the EU should not be considered to be an establishment of a data controller merely by virtue of its status as processor.

Perhaps even more crucially, the EDPB confirms that a processor in the EU should not be considered to be an establishment of a data controller merely by virtue of its status as processor. As the EDPB puts it, the existence of a relationship between a controller and a processor does not necessarily trigger the application of the GDPR to both, should one of these two entities not be established in the EU. 

All in all, the guidelines do not break any new ground when confirming the regulators' interpretation of the establishment criterion but simply reiterate the existing reasoning under the previous legal framework.

Targeting Europe

It is in relation to the new "targeting criterion" where the EDPB's input is particularly helpful. The idea of determining the applicability of the GDPR by reference to where people are rather than where the equipment involved in the processing is located is perfectly logical, but a novel approach in European data protection.

So any guidance aimed at injecting practical thinking into this approach is to be welcomed. Fortunately, the EDPB delivers that, and the guidelines' stance on certain situations will be well received by overseas organizations.

In particular, there are some clarifications in relation to the way in which the "offering of goods and services" and the "monitoring of individuals' behaviour" that are set to become solid points of reference for the years to come. These include:

  • Processing personal data of individuals who are in the EU alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the Union. The element of "targeting" individuals in the EU, either by offering goods or services to them or by monitoring their behavior must always be present.
  • It is the conduct on the part of a controller or processor that demonstrates its intention to offer goods or services to individuals located in the EU, and this conduct can be ascertained through the notion of "directing an activity" to the EU market as developed by the CJEU's decisions on commercial jurisdictional matters.
  • The idea of monitoring implies that a controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual's behavior within the EU. Accordingly, EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring.” It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioral analysis or profiling techniques involving that data. Nonetheless, monitoring goes beyond online tracking and it also covers CCTV usage and market surveys based on individual profiles.

Remaining questions

However, as helpful as the guidelines are in clarifying the points covered, there still are some open issues where understanding the regulators' stance would be extremely useful. For example, in relation to a situation where a non-EU controller engages an EU processor, the EDPB correctly points out that the processor will still be required to comply with the processor obligations imposed by the GDPR. The guidance that is missing is to what extent that processor needs to address – and how – the obligations in relation to international data transfers when the data is made available to the controller outside the EU.

Perhaps the biggest gap in the guidelines is that they are silent on the applicability of the GDPR to non-EU processors by virtue of the targeting criterion.

Perhaps the biggest gap in the guidelines is that they are silent on the applicability of the GDPR to non-EU processors by virtue of the targeting criterion. This is a question that continues to defy the logic of the GDPR given that by the very nature of their role, processors do not interact with individuals – let alone target them – in their own right but only on behalf of controllers. A possible interpretation of the law in this respect is that the GDPR applies to a non-EU processor where the data processing activities relate to the targeting of EU-based data subjects by the controller, but this has yet to be confirmed by the regulators.

One final issue which could and will be queried is the EDPB's assertion that the function of the EU-based representative of a non-EU controller or processor is not compatible with the role of external data protection officer. The EDPB goes on to say that the requirement for a sufficient degree of autonomy and independence of a DPO does not appear to be compatible with the function of the representative in the EU. 

However, taking into account that many of the practical functions of the representative, like interacting with regulators and data subjects — precisely what the DPO will be focusing on doing — it seems odd to take the view that they cannot effectively be the same person.

In conclusion, the overall verdict on the guidelines is that it is a clear and helpful document. At this stage, it is positioned as a draft for consultation, so the EDPB is also leaving the door open for some refinement of what is set to become one of the defining pieces of regulatory guidance on the GDPR.

photo credit: Sieboldianus Animated Map of geotagged Flickr photos (Europe), 2007-2017 via photopin (license)

4 Comments

If you want to comment on this post, you need to login.

  • comment Renate (Maria) Verheijen • Nov 26, 2018
    Although the DPO and the representative both interact with regulators and data subjects, they do so from a different perspective: The role of the representative is a role that is clearly linked to the business interest of the non-EU controller or processor. This link is more explicitly expressed under article 27. 4 GDPR stating that : " The representative shall be MANDATED by the controller or processor TO BE ADDRESSED IN ADDITION TO OR INSTEAD OF THE CONTROLLER OR PROCESSOR....".
    The role of the DPO is independent and is more related to the fact that the controller or processor should SUPPORT the DPO in performing the tasks (article 38.2 GDPR), to ENSURE that the DPO does NOT RECEIVE ANY INSTRUCTION regarding the exercise to the tasks (article 38. 3 GDPR) and shall be BOUND BY SECRECY OR CONFIDENTIALITY CONCERNING THE PERFORMANCE OF THE TASKS (article 38. 5 GDPR). These roles are therefore incompatible.    mr. drs. R.M. (Renate) Verheijen, CIPP/E, Data Privacy Manager FOX-IT and Data Privacy Manager NCC Group Europe.
  • comment Andor Demarteau • Nov 28, 2018
    I agree with Renate.
    The representative (article 27 GDPR) works on behalf of and as such instead of the direct contact with the business which is placed outside the EEA.
    As such it may even take decisions related to processing activities, handling of data subject rights as well as contact with the supervisory authorities in relation to the business itself.
    As such, if it would be the DPO as well, it will then effectively mark it's own homework.
    Something explicitly not allowed by the GDPR for good reasons.
  • comment Andor Demarteau • Nov 28, 2018
    "Perhaps the biggest gap in the guidelines is that they are silent on the applicability of the GDPR to non-EU processors by virtue of the targeting criterion. This is a question that continues to defy the logic of the GDPR given that by the very nature of their role, processors do not interact with individuals – let alone target them – in their own right but only on behalf of controllers. A possible interpretation of the law in this respect is that the GDPR applies to a non-EU processor where the data processing activities relate to the targeting of EU-based data subjects by the controller, but this has yet to be confirmed by the regulators."
    
    In other words: if the controller is bound by the GDPR, the professor is too pursuant to article 28.
    As such I don't see the non-clarity here at all.
    Maybe also the reason why it is missing from the EDPB guidance?
  • comment Sara Chelette • Dec 4, 2018
    Eduardo, I agree with your statement that the GDPR and guidance are not clear "on the applicability of the GDPR to non-EU processors by virtue of the targeting criterion." I have been struggling with this issue as well given that the processor does not deal with the data subject directly.  And I believe the guidance makes clear that a processor may not be subject to the GDPR but may be required to comply with certain GDPR requirements on a contractual basis under Article 28.  For example, a processor not subject to the GDPR would be obligated to protect personal data and only use authorized subprocessors, etc., but the processor would not have to designate a representative in the EU.  In these types of situations, I would view the remedy for any breach as sounding in contract rather than enforcement by a supervisory authority under the GDPR.