The scope provisions of the national GDPR implementation laws wildly differ and will lead to unacceptable accumulation and incompatibility of applicable laws.
The applicability regime of the GDPR is creating some tricky issues. The GDPR only provides an applicability regime when it applies, but it does not also provide a regime when the national GDPR implementation laws of individual member states apply. It is not clear whether EU regulators found this so obvious that they did not find it necessary to provide a solution or just did not realize the issues at the time the GDPR was drafted. As a result, member states are left to their own devices and the first draft GDPR implementation laws show that regulating scope is apparently not self-evident, as we see many differing provisions.
Some member states (like The Netherlands) faithfully mirror the scope provision of the GDPR in their national GDPR implementation law, and others (such as Germany and the U.K.) broaden the scope, leading to an accumulation of applicable national implementation laws, even more so than under the current directive. It is not clear whether this is intentional or the result of imprecise drafting.
A main driver for replacing the current EU Data Protection Directive with the GDPR was that member states implemented the directive in such widely differing ways that it led, even in the opinion of the Article 29 Working Party, to an unnecessary accumulation of applicable laws.
The intention of the EU legislators was to solve this issue by choosing the form of a regulation as a legislative instrument instead of a directive. As EU regulations are directly applicable in all member states, there will only be one data protection law in the EU. The Commission further surmised that the business of controllers and processors with multiple establishments in the EU would become much easier under the GDPR because the GDPR provides for a one-stop shop, whereby the supervisory authority of the “main establishment” of such controller or processor in the EU would serve as the “lead SA” in respect of its cross-border processing activities.
Reality, however, is that the GDPR leaves the regulation of many issues to the member states. This is acknowledged in Recital 10, which states:
‘”(…) Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation (…) This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of sensitive data (…).”
These references correspond to the legal basis for processing of personal data of Art. 6(1) sub (c) and (e), for processing of special categories of data of Art. 9 and of criminal data of Art. 10. Other topics that the GDPR leaves to the member states are the regulation of exemptions for data processing for purposes of journalistic, artistic or literary expression (Art. 80); for health purposes (Art. 81); and in the context of employment (Art. 82). As a result, all member states are currently in the process of drafting their own national GDPR implementation laws providing for their own legal bases for these processing purposes.
These national implementation laws also provide a scope provision that will determine when the national implementation law applies. It is here that we again see differing provisions, bringing back again all the diversities in scope that the GDPR was intended to solve.
The GDPR applicability regime in summary
Art. 3(1) of the GDPR contains the main provision for the application of the GDPR. The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing takes place in the EU. To avoid circumvention of the GDPR, Art. 3(2) provides that the GDPR also applies to the processing of personal data of data subjects in the EU when the controller or processor is not established in the EU and where the processing activities are related to: (i) the offering of goods or services to such data subjects in the EU, or (ii) the monitoring of their behavior insofar as their behavior takes place within the EU.
The second applicability rule is meant as an alternative, and only applies when the first rule does not apply. The result therefore is that whenever a controller has one or more establishments within the EU and the relevant data is processed in the context of the activities of these establishments (“relevant establishments”), the GDPR will apply. The second applicability rule will not come into play.
The first applicability rule both broadens scope and limits scope. It broadens scope because the relevant controller may also target individuals outside the EU, and if that processing is within the context of the activities of an establishment of the controller in the EU, such processing is fully covered. It limits scope because only the national implementation laws of the member states where the relevant establishments are located should apply, even if the processing activities relate to offering goods or services or monitoring of individuals in other member states.
The second applicability rule should not kick in if the controller has establishments in the EU. If a multinational company has multiple establishments in the EU this, therefore, will lead to a partial accumulation of applicable laws of the member states, i.e., the laws of the member states with relevant establishments. This system is identical under the current directive.
The second applicability rule is a deviation of the current system which is based on territoriality and adopts a qualified “destination approach.” The GDPR applies to non-EU controllers or non-EU processors offering goods or services to or monitoring behavior of individuals in the EU, but this is qualified. The GDPR only applies where individuals in the EU are targeted (as de Hert and Czerniawski describe it: “You might be targeted by EU law only if you target,” link). For instance the mere accessibility of a website offering goods or services does not lead to applicability of the GDPR. See Recital 23:
“Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention (…).”
The extension of the scope through the requirement of targeting is therefore moderate — it is triggered only if there is a sufficient nexus between a particular activity and the EU.
One-stop shop
The GDPR provides for a one-stop shop whereby in respect of controllers or processors with multiple establishments in the EU, the SA of its main establishment will serve as the lead SA in respect to its cross-border processing activities.
Such lead SA will then be competent to supervise the entirety of the cross-border processing activities (Art. 56(1)), coordinating any of its activities with other relevant SAs in accordance with the cooperation procedure (Art. 60). This procedure, for example, entails that the lead SA initiating an investigation will have to invite the other SA to participate.
Take a look at the IAPP's Complaint Process Map for more insight on this process.
It would be logical to assume that in these cases the lead SA will apply its own national GDPR implementation law in addition to the provisions of the GDPR that are directly applicable. The GDPR is, however, silent on this topic and it is unclear how the lead SAs will address this issue in practice. It is clear that, in cases where controllers have establishments in many member states, complying with the national GDPR implementation laws of these establishments in each and every case will be a significant task indeed.
Scope provisions in the national GDPR implementation laws
Proper implementation: The Netherlands
The draft Dutch implementation law (Art. 4) provides that the GDPR is applicable when data is processed in the context of an establishment of the controller in The Netherlands. It applies the second rule only when the controller is established outside the EU and when the processing activities are related to: (i) the offering of goods or services to data subjects in The Netherlands or (ii) the monitoring of data subjects’ behavior in The Netherlands. In other words, the national implementation law applies when there is a relevant establishment.
If there is no relevant establishment in The Netherlands or elsewhere in the EU, the second applicability rule kicks in and the national law will apply if the individuals are targeted or monitored in The Netherlands. This is the correct way to implement the scope provisions in the GDPR on the national level.
Overly broad implementation: Germany
The German implementation law applies to the processing of personal information:
- In the context of activities of an establishment of a controller or processor in Germany. (Note: correct)
- If the controller or processor is not established in the EU or European Economic Area (Note: correct) but offers goods or services to individuals in the EU or monitors their behavior. (Note: incorrect)
The latter implies that the German implementation law applies also if goods or services are offered or behavior is monitored not only in Germany, but in other EU member states. Why would German law apply if the controller/processor has no establishments in Germany and no individuals in Germany are targeted or monitored? This is a clear departure from the principles in the GDPR and it is unclear why the German legislature felt that it was relevant to regulate in this manner.
- The law applies if the controller or processor processes personal information in Germany. (Note: incorrect)
Here, too, there is a departure from the principles of the GDPR. Under the GDPR, as under the current directive, the place where the processing takes place is not relevant. Indeed, Art. 3(1) explicitly provides that the connecting factor applies “regardless of whether the processing takes place in the Union or not.”
The German implementation law applies when the processing merely takes place in Germany, even if the controller or processor itself is established in another EU member state. Again, this is contrary to the applicability regime of the GDPR.
Overly broad implementation: The UK
In the U.K. draft implementation law (Art. 190), the main default rule is properly implemented. The second rule, however, provides that the national implementation law already applies “where the controller is established in a country or territory other than the United Kingdom and the purpose of the processing is to (i) offer goods or services to individuals in the United Kingdom, whether or not for payment; or (ii) monitor individuals’ behavior in the United Kingdom.
This means that when a controller has an establishment in another EU member state, U.K. law applies if individuals in the U.K. are targeted or monitored. This is contrary to the applicability regime of the GDPR, where the second rule only kicks in when the controller is not established in the EU. The result will be that instead of a partial accumulation of the applicable laws (those of the relevant establishments), also the laws of the member states will apply where individuals are targeted. This will lead to an unnecessary accumulation of applicable national laws, especially when applying the one-stop shop regime.
The U.K. draft GDPR implementation law also seems to apply to non-EU processors providing B2B services to companies, if such companies (i) are established in the U.K., or (ii) are not established in the U.K. but offer services or goods to or monitor behavior of individuals in the EU. The extension of the scope of the U.K. implementation law to these non-EU processors is contrary to the applicability regime of the GDPR and constitutes regulatory overreach. This issue will be more thoroughly investigated in part 2 of this series addressing the applicability regime of the GDPR as it applies to processors.
Conclusion
The scope provisions in the German and U.K. implementation laws are too broad and lead to unnecessary accumulation of the national laws of the member states. As the U.K. implementation law is still in the legislative process, I urge the U.K. government to amend its scope in accordance with the applicability regime of the GDPR. I further recommend the European Commission to closely monitor the scope provisions of other draft national implementation laws and, where relevant, to urge member states to align these with the GDPR.
In this context, it would obviously be helpful if the WP29 would shortly issue an opinion on the applicability regime of the GDPR to ensure uniform guidance on how the applicability rules of the GDPR should be interpreted and applied by companies (and member states). Given the substantial obligations of companies under the GDPR, there is no greater uncertainty than not knowing whether the GDPR applies and which national implementation laws apply.
photo credit: European Parliament March Plenary Session is on via photopin (license)