News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | EDPB's common sense approach to the GDPR's territorial scope Related reading: Brexit and data protection: Laying the odds

rss_feed

The EU General Data Protection Regulation is now a fully functioning six-month old creature, which has brought with it significant evolutionary changes. One of the most notable innovations of the new European data protection framework is its ambitious extra-territorial application. The introduction of brand new grounds for the applicability of the law was a major development.

As a result, and as essential as this is, the GDPR's territorial scope of application has become one of the most difficult issues to pin down.  Therefore, the publication of the European Data Protection Board's draft guidelines on the territorial scope of the GDPR marks an important milestone in understanding the implications of this influential framework.

It is fair to say that the publication of regulatory guidance always generates some trepidation. Will it match our current understanding of the law? Will it be pragmatic? Will it be strict? Or a bit of both? Given the consequences of determining whether the GDPR applies or not to any given data activities, it is crucial to get this issue right.

On this occasion, the EDPB has produced a detailed 23-page document that is both authoritative and full of common sense.

Confirming old ground

The guidelines start by treading into well-known territory: the "establishment criterion." Following a principle that already existed under the 1995 Data Protection Directive, the GDPR will apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU. So the EDPB relies on existing case law to consolidate its opinion on this criterion. 

In other words, the EDPB does not change the interpretation of this criterion but simply follows the doctrine established by the Court of Justice of the European Union in various ground-breaking decisions. In essence, if the activities of a local establishment in an EU member state and the data processing activities of a data controller or processor established outside the EU are inextricably linked, that will trigger the applicability of EU law, even if that local establishment is not actually taking any role in the data processing itself.

In interpreting this principle, the EDPB reasonably points out that in line with the CJEU's thinking, it is not possible to conclude that a non-EU entity has an establishment in the Union merely because its website happens to be accessible in the EU.

Furthermore, the existence of an establishment within the meaning of the GDPR should not be interpreted too broadly to conclude that the existence of any presence in the EU with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this processing within the scope of EU data protection law.

Perhaps even more crucially, the EDPB confirms that a processor in the EU should not be considered to be an establishment of a data controller merely by virtue of its status as processor.

Perhaps even more crucially, the EDPB confirms that a processor in the EU should not be considered to be an establishment of a data controller merely by virtue of its status as processor. As the EDPB puts it, the existence of a relationship between a controller and a processor does not necessarily trigger the application of the GDPR to both, should one of these two entities not be established in the EU. 

All in all, the guidelines do not break any new ground when confirming the regulators' interpretation of the establishment criterion but simply reiterate the existing reasoning under the previous legal framework.

Targeting Europe

It is in relation to the new "targeting criterion" where the EDPB's input is particularly helpful. The idea of determining the applicability of the GDPR by reference to where people are rather than where the equipment involved in the processing is located is perfectly logical, but a novel approach in European data protection.

So any guidance aimed at injecting practical thinking into this approach is to be welcomed. Fortunately, the EDPB delivers that, and the guidelines' stance on certain situations will be well received by overseas organizations.

In particular, there are some clarifications in relation to the way in which the "offering of goods and services" and the "monitoring of individuals' behaviour" that are set to become solid points of reference for the years to come. These include:

  • Processing personal data of individuals who are in the EU alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the Union. The element of "targeting" individuals in the EU, either by offering goods or services to them or by monitoring their behavior must always be present.
  • It is the conduct on the part of a controller or processor that demonstrates its intention to offer goods or services to individuals located in the EU, and this conduct can be ascertained through the notion of "directing an activity" to the EU market as developed by the CJEU's decisions on commercial jurisdictional matters.
  • The idea of monitoring implies that a controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual's behavior within the EU. Accordingly, EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring.” It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioral analysis or profiling techniques involving that data. Nonetheless, monitoring goes beyond online tracking and it also covers CCTV usage and market surveys based on individual profiles.

Remaining questions

However, as helpful as the guidelines are in clarifying the points covered, there still are some open issues where understanding the regulators' stance would be extremely useful. For example, in relation to a situation where a non-EU controller engages an EU processor, the EDPB correctly points out that the processor will still be required to comply with the processor obligations imposed by the GDPR. The guidance that is missing is to what extent that processor needs to address – and how – the obligations in relation to international data transfers when the data is made available to the controller outside the EU.

Perhaps the biggest gap in the guidelines is that they are silent on the applicability of the GDPR to non-EU processors by virtue of the targeting criterion.

Perhaps the biggest gap in the guidelines is that they are silent on the applicability of the GDPR to non-EU processors by virtue of the targeting criterion. This is a question that continues to defy the logic of the GDPR given that by the very nature of their role, processors do not interact with individuals – let alone target them – in their own right but only on behalf of controllers. A possible interpretation of the law in this respect is that the GDPR applies to a non-EU processor where the data processing activities relate to the targeting of EU-based data subjects by the controller, but this has yet to be confirmed by the regulators.

One final issue which could and will be queried is the EDPB's assertion that the function of the EU-based representative of a non-EU controller or processor is not compatible with the role of external data protection officer. The EDPB goes on to say that the requirement for a sufficient degree of autonomy and independence of a DPO does not appear to be compatible with the function of the representative in the EU. 

However, taking into account that many of the practical functions of the representative, like interacting with regulators and data subjects — precisely what the DPO will be focusing on doing — it seems odd to take the view that they cannot effectively be the same person.

In conclusion, the overall verdict on the guidelines is that it is a clear and helpful document. At this stage, it is positioned as a draft for consultation, so the EDPB is also leaving the door open for some refinement of what is set to become one of the defining pieces of regulatory guidance on the GDPR.

photo credit: Sieboldianus Animated Map of geotagged Flickr photos (Europe), 2007-2017 via photopin (license)

Author
Headshot Eduardo Ustaran, CIPP/E IAPP Member Contributor
Tags
Europe
Enforcement
Privacy Law
Privacy Operations Management
Privacy Opinion
Transborder Data Flow
5 Comments

If you want to comment on this post, you need to login.

  • comment Renate (Maria) Verheijen • Nov 26, 2018 
    Although the DPO and the representative both interact with regulators and data subjects, they do so from a different perspective: The role of the representative is a role that is clearly linked to the business interest of the non-EU controller or processor. This link is more explicitly expressed under article 27. 4 GDPR stating that : " The representative shall be MANDATED by the controller or processor TO BE ADDRESSED IN ADDITION TO OR INSTEAD OF THE CONTROLLER OR PROCESSOR....".
The role of the DPO is independent and is more related to the fact that the controller or processor should SUPPORT the DPO in performing the tasks (article 38.2 GDPR), to ENSURE that the DPO does NOT RECEIVE ANY INSTRUCTION regarding the exercise to the tasks (article 38. 3 GDPR) and shall be BOUND BY SECRECY OR CONFIDENTIALITY CONCERNING THE PERFORMANCE OF THE TASKS (article 38. 5 GDPR). These roles are therefore incompatible.    mr. drs. R.M. (Renate) Verheijen, CIPP/E, Data Privacy Manager FOX-IT and Data Privacy Manager NCC Group Europe.
  • comment Andor Demarteau • Nov 28, 2018 
    I agree with Renate.
The representative (article 27 GDPR) works on behalf of and as such instead of the direct contact with the business which is placed outside the EEA.
As such it may even take decisions related to processing activities, handling of data subject rights as well as contact with the supervisory authorities in relation to the business itself.
As such, if it would be the DPO as well, it will then effectively mark it's own homework.
Something explicitly not allowed by the GDPR for good reasons.
  • comment Andor Demarteau • Nov 28, 2018 
    "Perhaps the biggest gap in the guidelines is that they are silent on the applicability of the GDPR to non-EU processors by virtue of the targeting criterion. This is a question that continues to defy the logic of the GDPR given that by the very nature of their role, processors do not interact with individuals – let alone target them – in their own right but only on behalf of controllers. A possible interpretation of the law in this respect is that the GDPR applies to a non-EU processor where the data processing activities relate to the targeting of EU-based data subjects by the controller, but this has yet to be confirmed by the regulators."

In other words: if the controller is bound by the GDPR, the professor is too pursuant to article 28.
As such I don't see the non-clarity here at all.
Maybe also the reason why it is missing from the EDPB guidance?
  • comment Sara Chelette • Dec 4, 2018 
    Eduardo, I agree with your statement that the GDPR and guidance are not clear "on the applicability of the GDPR to non-EU processors by virtue of the targeting criterion." I have been struggling with this issue as well given that the processor does not deal with the data subject directly.  And I believe the guidance makes clear that a processor may not be subject to the GDPR but may be required to comply with certain GDPR requirements on a contractual basis under Article 28.  For example, a processor not subject to the GDPR would be obligated to protect personal data and only use authorized subprocessors, etc., but the processor would not have to designate a representative in the EU.  In these types of situations, I would view the remedy for any breach as sounding in contract rather than enforcement by a supervisory authority under the GDPR.
  • comment Miller Simon • Dec 11, 2018 
    Eduardo, I agree with your statement that the GDPR and guidance are not clear "on the applicability of the GDPR to non-EU processors by virtue of the targeting criterion." I believe the guidance makes clear that a processor may not be subject to the GDPR but may be required to comply with certain GDPR requirements on a contractual basis under Article 28. I would view the remedy for any breach as sounding in contract rather than enforcement by a supervisory authority under the GDPR.
Find the latest <a href="https://cyware.com/hacker-news" rel="nofollow">cyber hacking news</a> and articles at Cyware.com. Keep yourself updated with the hacker news and know more about security solutions that are essential to safeguard your sensitive data from Cyber Attacks.
Related Stories
Brexit and data protection: Laying the odds
5
Among other things, 2018 will go down in history as the year of panics over data protection. First, it was the GDPR and its impossible deadline for compliance. Now it is Brexit and the uncertainty as to what it will mean. The famous phrase "Brexit means Brexit" is as cryptic today as it was two year...
Read More queue Save This
Privacy in 2018: Expect the unexpected
1
Making predictions for the year ahead is possibly as desirable as unreliable. In a world of unlimited data and advanced science, it would be tempting to think that the future is already written. Algorithms and artificial intelligence will show us what lies ahead with immaculate accuracy. Or perhaps ...
Read More queue Save This
Untying the global dataflows mess
4
One of Harry Houdini's most difficult tricks consisted of escaping from a nail-fastened and rope-bound wooden crate with manacles on his hands and feet, while submerged in New York's East River. That feat is starting to look straightforward when compared to the prospect of lawfully exporting persona...
Read More queue Save This
Related Stories
Tags
Europe
Enforcement
Privacy Law
Privacy Operations Management
Privacy Opinion
Transborder Data Flow
Recent Comments