This is the second post in a two-part series. You can read the first installment on controllers here.
Regulatory overreach: The draft U.K. implementation law will apply to non-EU processors providing B2B services to their customers, if these in turn offer services or goods to individuals in the EU
In part one of conundrums related to the GDPR applicability regime, I discussed how the applicability regime of the GDPR affects controllers and concluded that the scope provisions in the German and U.K. implementation laws are too broad and lead to unnecessary accumulation of the national laws of the member states. The draft U.K. implementation law, however, also seems to apply to non-EU processors providing B2B services to companies, if such companies (i) are established in the U.K. or (ii) are not established in the U.K., but offer services or goods to or monitor behavior of individuals in the EU.
See:
- 190(2): the draft implementation law applies to a processor not established in U.K., if the controller is established in the U.K. and the data are processed in the context of the activities of the U.K. establishment of the controller.
This would mean that any U.S. processor that has B2B clients in the U.K. that process data of U.K. individuals would be directly covered by the GDPR.
- 190(4): if both the controller and the processor are not established in the U.K., the draft implementation law applies, if conditions of (3)(b) and (c) are met (note: these conditions concern the targeting of individuals by the controller only).
This seems to mean that if the non-EU processor offers B2B services to a non-U.K. controller which targets individuals in the U.K., then the processor is also covered.
These scope extensions are contrary to the applicability regime of the GDPR and constitute regulatory overreach. The issue may only be understood if we discuss the background of the applicability regime of the GDPR as it applies to processors.
GDPR: Applicability to processors
The applicability rules of the GDPR now also include processors. The reason for this inclusion is that the GDPR provides for direct obligations of processors (especially security obligations), which should be triggered independently whether or not the GDPR applies to the controller.
Art. 3(2): Processing in context of activities of an establishment in the EU
The main applicability rule that the GDPR applies if the "processing is in the context of the activities of an establishment of a processor in the EU" assumes that if a processor processes data on behalf of, for example, a U.S. controller, it does so in the context of its own activities and not in the context of those of the controller. Any other interpretation and the GDPR would never apply to processors and the direct obligations of the processor would never be triggered.
The reason for applying certain GDPR provisions directly to processors established in the EU was that it was considered a risk that the EU could otherwise be used as a digital haven. In cases where the controller would not be subject to the GDPR, there would otherwise be no legal basis under EU data protection law to act against these data processing activities in EU territory, even if the relevant data processing would be considered “unethical to EU standards” (Opinion on applicable law, p. 32). However, rather than applying the full scope of the GDPR, EU legislators (following the opinion of the Article 29 Working Party, see Opinion on applicable law, pp. 31–32) required that the data processor must meet specific EU data protection provisions only, such as the EU data security provisions (as inadequate security in EU territory would expose the EU to cybercrime).
The EU legislators therefore made the choice that the GDPR should only trigger limited processor obligations when, for example, a U.S. controller (not subject to EU law) involves an EU processor rather than impose the full scope of the GDPR upon such U.S. controller (because it involves an EU processor). They clearly rejected the alternative (in the current directive) whereby any data transferred by a U.S. controller (or another non-adequate country) to the EU processor attracted the full scope of EU data protection law.
The above makes clear that the main concern of EU legislators was the applicability of the GDPR to processors in the EU (when their customers would not be subject to EU law), and not the direct applicability of the GDPR to processors outside the EU. Under the Directive, the rule is “processor follows controller.” In other words, the main concern is the applicability of the law to the controller. If applicable, protection of the data is ensured by the requirement that an appropriate contract must be in place between the controller and the processor in accordance with Art. 28 of the GDPR.
Art. 3(2) offering goods and services to individuals in EU
In this light, the second applicability rule of Art. 3(2) reveals some issues. The second rule seems to be very much drafted with controllers in mind. The GDPR applies to the processing of personal data of data subjects in the EU when the controller or processor is not established in the EU, where the processing activities are related to: (i) the offering of goods or services to such data subjects in the EU or (ii) the monitoring of their behavior insofar as their behavior takes place within the EU.
The most logical interpretation of this provision is that it applies only to non-EU processors when such processors offer goods or services directly to individuals in the EU.
Example where a non-EU processor offers services directly to consumers is a cloud provider offering cloud storage services for photos directly to consumers. In those cases, the cloud provider would qualify as the controller insofar as it is processing personal details required for contracting purposes (i.e., for invoicing and payment) and as a processor where it hosts the relevant data only on behalf of the individual.
In many cases, however, processors will act on behalf of controllers and therefore will not offer goods or services directly to individuals in the EU. If they start doing so on their own behalf, it would imply they are a controller and the GDPR would on that basis kick in (and protection would be ensured).
This seems to be also the thinking of the WP29. The right to data portability applies only to controllers and would therefore not apply to the photos stored by the data subject in the cloud in the example above. The WP29 has creatively ”solved” this issue by stating that for these cases the cloud provider would be considered a data controller and would have to comply with data portability requirements (see WP Opinion on data portability, p. 5 fn. 4).
This interpretation is in line with Recital 23:
“In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”
Applying Art. 3(2) to non-EU processors that act on behalf of controllers only (as currently provided for by the draft U.K. implementation law), would be contrary to the rationale of art. 3(2).
In part 1 of this series, I discussed that the second applicability rule is designed to avoid circumvention of the GDPR, whereby the controller or processor avoids having establishments in the EU while subsequently targeting individuals in the EU (e.g., by means of websites that allow payment in Euros).
I further discussed that second applicability rule is a deviation of the current system which is based on territoriality and adopts a qualified "destination approach." The GDPR applies also to non-EU controllers or non-EU processors offering goods or services to or monitoring behavior of individuals in the EU (destination approach), but this is qualified. The GDPR only applies where individuals in the EU are targeted, for example the mere accessibility of a website offering goods or services, does not lead to applicability of the GDPR (see explicitly Recital 23). The extension of the scope is therefore triggered only if there is a sufficient nexus between the relevant activity and the EU.
A. Non-EU controllers targeting individuals in the EU
These rationales rule out applicability of Art. 3(2) in cases where the non-EU processors acts on behalf of non-EU controllers targeting individuals in the EU. In those cases it is the controller who targets individuals in the EU. There is no targeting of individuals in the EU by the processor and therefore no nexus of the activities of the processor with the EU.
Any other interpretation would require non-EU processors to verify for each and every one of their corporate customers (wherever they are located in the world), whether these customers target individuals in the EU for services or goods or monitor their behavior, which may also change over time. This would be an impossible task for processors to establish let alone monitor over time. The only way a non-EU processor could protect itself to exposure under GDPR would be to assume that every one of its global customers might (at a certain moment) target individuals in the EU and thus fully comply with GDPR. That is disproportionate effort and not what the GDPR was intended to achieve.
Applying the GDPR in these cases directly to processors is also not necessary to avoid a loophole in the protection of the personal data of EU individuals.
Here the GDPR already applies to the controller targeting individuals in the EU. This will require the controller to impose a data processor contract upon such non-EU processor in accordance with Art. 28 GDPR, which ensures that the applicable processing requirements are foreseeable for the processor and further proportional to the processing at hand.
Recall also that, the main concern of EU legislators was the applicability of the GDPR to processors in the EU, when their customers would not be subject to EU law, and not the direct applicability of the GDPR to processors outside the EU, when their customers are already subject to EU law. The rule is “processor follows controller.”
The scope rule in the U.K. draft GDPR implementation law providing that the law applies to non-EU processors providing services to companies, if such companies are not established in the U.K., but offer services or goods to or monitor behavior of individuals in the EU, is therefore contrary to the applicability regime of the GDPR.
B. Controllers established in the EU
The above applies a fortiori in cases where an EU controller offers services to individuals in the EU involves a non-EU processor. In this case the EU controller has an establishment in the EU and the GDPR applies to such controller pursuant to Art. 3(1), Art. 3(2) is therefore irrelevant to the controller's processing activities. In fact, we saw that Art. 3(1) broadens territorial scope by applying the GDPR to the full range of data processing activities in the context of the EU establishments, even when these target individuals outside the EU.
Protection of the data processed by a non-EU processor is ensured by the requirement that the controller will have to impose a proper data processor contract upon such processor in accordance with Art. 28. Again, the main concern of EU legislators was the applicability of the GDPR to processors in the EU when their customers would not be subject to EU law.
An application of Art. 3(2) to non-EU processors, as its processing activities are related to the targeting by the EU controller to individuals in the EU, is contrary to the rationale underlying the applicability regime.
The scope rule in the U.K. draft GDPR implementation law providing that the law applies to non-EU processors providing services to companies, if such companies are established in the U.K. is therefore contrary to the applicability regime of the GDPR.
C. Non-EU controllers not subject to the GDPR
Above we discussed the situation where the processing by the controller is subject to GDPR; but what if the processing is by a non-EU controller not subject to the GDPR (the non-EU controller therefore does not target individuals in the EU)? Also in that case no loopholes exist. The GDPR, in that case, also does not apply to the non-EU processor. The processor is not established in the EU and further does not target individuals in the EU, which is a given since the controller does not target individuals in the EU. The activities of the processor have no nexus with the EU.
Conclusion
The scope provisions as they apply to non-EU processors in the U.K. implementation law lead to unacceptable regulatory overreach. As the U.K. implementation law is still in the legislative process, I urge the U.K. government to amend the scope in accordance with the applicability regime of the GDPR. I further recommend the European Commission to closely monitor the scope provisions of other draft national implementation laws and, where relevant, to urge member states to align these with the GDPR.
In this context, it would obviously be helpful if the WP29 would shortly issue an opinion on the applicability regime of the GDPR, to ensure uniform guidance on how the applicability rules of the GDPR should be interpreted and applied by companies and member states. Given the substantial obligations of companies under the GDPR, there is no greater uncertainty than not knowing whether the GDPR applies and the national implementation laws apply.
As the topics discussed in the conundrums on the GDPR applicability regime may be somewhat abstract, I list below the different options and summarize how the applicability rules of Art. 3 apply.
EU controller and EU processor
Both have establishments in the EU and therefore are subject to the GDPR based on the main default rule of Art. 3(1). The EU controller will have to impose a data processor contract upon such processor in accordance with Art. 28. The EU processor also has to comply with the processor obligations directly applicable to processors under the GDPR.
EU controller and non-EU processor
The EU controller has an establishment in the EU and the GDPR applies to such controller pursuant to Art. 3(1). Art. 3(2) therefore does not kick in for the controller and it is not relevant whether the processing activities relate to the offering of goods or services to data subjects in the EU or the monitoring of their behavior. The EU controller will have to impose a data processor contract upon such processor in accordance with Art. 28 GDPR.
The processor does not have an establishment in the EU and the main default rule of Art. 3(1) does not apply. The second applicability rule of Art. 3(2) does also not apply as the processor does not target individuals in the EU (which if done, is done by the controller). The activities of the processor have no nexus with the EU.
Non-EU controller and EU processor
There are two options. The first is where the data processing by the non-EU controller is not governed by the GDPR and the second is when the data processing by the non-EU controller is governed by the GDPR.
- Processing by non-EU controller is not governed by GDPR
In this situation the data processing by the non-EU controller is not governed by the GDPR (i.e., the controller does not have establishments in the EU and further the data processing is not related to (i) the offering of goods or services to data subjects in the EU; or (ii) the monitoring of their behavior). The EU processor has an establishment in the EU, is subject to the GDPR, and has to comply with the processor obligations that are directly applicable to processors under the GDPR. This ensures the EU cannot become a digital haven for processors.
- Processing by non-EU controller governed by GDPR
In this situation the data processing by the non-EU controller is governed by the GDPR (i.e., the controller does not have establishments in the EU, but the data processing is related to (i) the offering of goods or services to data subjects in the EU; or (ii) the monitoring of their behavior). The non-EU controller will have to impose a data processor contract upon such processor in accordance with Art. 28. The EU processor is subject to the GDPR and has to comply with the processor obligations that are directly applicable to processors under the GDPR.
Non-EU controller and non-EU processor
Again there are two options.
- Processing by non-EU controller is not governed by GDPR
In this situation the original data processing by the non-EU controller is not governed by the GDPR (i.e., the controller does not have establishments in the EU and further the data processing is not related to (i) the offering of goods or services to data subjects in the EU; or (ii) the monitoring of their behavior).
The GDPR, in that case, also does not apply to the non-EU processor. The processor is not established in the EU and further does not target individuals in the EU, which is a given since the controller also does not target individuals in the EU. The activities of the non-EU processor have no nexus with the EU. There is no risk of the EU becoming a digital haven for processors.
- Processing by non-EU controller governed by GDPR
In this situation the original data processing by the U.S. controller is governed by the GDPR (i.e., the controller does not have establishments in the EU, but the data processing is related to (i) the offering of goods or services to data subjects in the EU; or (ii) the monitoring of their behavior). The non-EU controller will have to impose a data processor contract upon such processor in accordance with Art. 28 GDPR.
The GDPR does not apply to the non-EU processor. The processor is not established in the EU and further does not target individuals in the EU, which is done by the controller. The activities of the processor have no nexus with the EU.
Non-EU processor directly targeting individuals in the EU (processing data on behalf of data subjects)
The processor is not established in the EU, so the main default rule of Art. 3(1) does not apply. The processor targets individuals in the EU, so the second applicability rule applies and the non-EU processor is directly subject to the GDPR and has to comply with the processor obligations that are directly applicable to processors under the GDPR. Note, however, that if processors provide goods and services directly to individuals in the EU, such processor will process the data on behalf of data subjects. In these cases they will likely be treated as a data controller and the GDPR will apply on that basis.
photo credit: European Parliament March Plenary Session is on via photopin (license)
3 Comments
If you want to comment on this post, you need to login.