On May 25, the most important EU data protection law reform to date entered into force. The General Data Protection Regulation promises the biggest shape up to European privacy laws for 20 years, particularly with a view to the extremely high fines. The GDPR applies to businesses established in the EU and, under certain circumstances, to businesses based outside the EU. This article is intended to demonstrate real-life scenarios showing when U.S.-based enterprises may be caught by the GDPR, even though at first glance there seems to be no connection to the EU.

The GDPR introduces two principles with regard to territorial applicability: establishment and extra-territorial effect. According to Aricle 3 of the GDPR, the new regulation applies:

  • If the processing of personal data takes place in the context of the activities of an establishment or organization in the EU, regardless of whether the processing itself takes place in the EU (Article 3, Section 1 of the GDPR).
  • If the personal data of individuals who are in the EU is processed by an organization not established in the EU and the processing concerns the offering of goods or services to individuals in the EU, or  monitoring the behavior of individuals that takes place in the EU (Article 3, Section 2 of the GDPR).

Establishment principle

According to the GDPR (Recital 22) “establishment in the EU” means the real and effective exercise of activity through stable arrangements in the EU. The legal form of the establishment is not a determining factor; establishment could be through a branch or a subsidiary. Further, the concept of establishment is flexible and not formalized. Therefore, one representative of an organization might suffice. Under Directive 95/46, companies are already considered to have an establishment in a member state of the EU if they have a bank account in that member state.

In this context, the Court of Justice in Weltimmo states that “even a minimal” establishment is sufficient. However, this has not been carried over to the GDPR. It therefore remains unclear whether a "de minimis" threshold will apply to the size of establishments.

Processing of personal data must take place in the context of the establishment’s activities; the establishment does not need to carry out the data processing itself. Further, it does not matter if the data processing activities are performed within or outside the EU. Whenever the organization is based in the EU, it is fully caught by the GDPR even if the processing of personal data takes place outside the EU.

Extra-territorial effect

Pursuant to Article 3, Section 2 of the GDPR, the processing of personal data also falls into the scope of the GDPR if the processing activities are performed by a controller or a processor not established in the EU and where: Processing activities are related to the offering of goods or services to such data subjects located in the EU, or processing activities are related to monitoring the behavior of data subjects, as far as their behavior takes place within the EU.

This provision features one of the most significant changes introduced by the GDPR. Article 3, Section 2 of the GDPR protects data subjects who are in the EU. Individuals living outside the EU are not in the scope of the GDPR even though they might be citizens of an EU member state. The applicability of the GDPR in this regard is tied to the physical presence of a data subject in the EU (even temporarily), irrespective of the individual`s nationality, residence or intention to stay within the EU. An individual “who is in the Union” can be an EU citizen or a citizen of a non-EU country, such as a tourist, cross-border commuter, expatriate, refugee or stateless person.

Controllers and processors are caught whenever the processing activities relate to the offering of goods and services to individuals in the EU. The term “goods” refers to tangible property while “services” means any commercial activity. Services offered from outside the EU must have an international character in such a way that they must target EU individuals from the outset. Foreign offers target EU individuals if they are provided on a European top-level domain, e.g. "de" or "eu." The use of such domains by the service provider clearly demonstrates that its commercial activities target consumers in the EU. The EU connection is more obvious if the non-EU organization seemingly expresses its intention to deal with EU users by e.g. offering local currency payment, shipment to the EU or local telephone hotline numbers.

Specific considerations

Targeting EU-people from the outset

The GDPR focuses on offering, rather than providing or performing, goods or services. The GDPR does not apply where U.S. users are addressed only. For instance, if services are offered to U.S. residents by local advertisements in U.S. dollars issued by U.S. companies, the GDPR will not come into play. The key consideration is where the marketplace is located. If an individual who lives in the U.S. takes a loan from his local bank, this loan certainly will not be subject to the GDPR since the actual marketplace would be in the U.S. and not in the EU.

To get more complicated: What happens if a U.S.-based vendor renders data hosting services on behalf of a corporation located in the U.S., and the data set comprises a large collection of personal data, mostly related to EU data subjects? The key issue around Article 3, Section 2 of the GDPR boils down to the question whether services are offered to individuals in the EU. The scenario described above has nothing to do with targeting EU people from the outset by offering services in order to boost sales. Hence, the GDPR does not apply.

U.S. companies caught by the GDPR after entering into a service agreement

In this scenario, a U.S. company (Company A, the processor) offers data hosting services to another U.S. company (Company B, the controller). At face value, this arrangement would not be caught by the GDPR. However, if Company B (the controller) also acts on behalf of other legal entities within a group, and if personal data is transferred from these group legal entities to Company A (the processor), the arrangement  may be caught by the GDPR. If one such group legal entity has an establishment in the EU (see no. 2 above), the GDPR comes into play via Article 3, Section 1. Therefore, U.S. companies should closely review their service contracts from the perspective of group member involvement.

If the review reveals that the involvement of an EU group member has been contractually included in a service agreement with a U.S.-based processor, the GDPR needs to be taken into consideration. The EU group member is considered to be a controller, along with the other group members concerned. This indicates that the service agreement, including the data processing component therein, has to be lined up with the GDPR requirements arising from Article 28 of the GDPR, even though the initial contracting parties are located in the U.S. Depending on the particular service contract, the service element provided to EU based group members might be separated and aligned with the GDPR, while other, non EU based group members receiving services remain outside the applicability of the GDPR.

Extra-territorial application to U.S. processors

Another interesting question: how do these extra-territorial provisions apply to processors? There are some instances in which overseas processors will be caught. For example, a U.S. company offering a consumer cloud service in the EU would clearly be affected by the GDPR (Aricle 3, Section 2). However, in most cases the overseas processor is only acting on the instructions of a controller, so would not be dealing with individuals in the EU of its own volition. This circumstance does not shield it from the GDPR in general. The processor might still be caught where it is a sub-processor of a principal processor based in the EU. This is because the processor is processing personal data “in the context of the activities of” a controller or processor in the EU. In other words, any provision of services to an entity in the EU might bring the overseas processor within the scope of the GDPR.

The following scenario illustrates how an overseas processor might be caught even if it only deals with entities based outside the EU. Company C supplies services to a controller or processor, which in turn supplies services to provide goods or services to, or to monitor, individuals in the EU. In particular, processors activities are considered to “relate to” the offering of goods or services, or to monitoring activities pursuant to Article 3, Section 2 of the GDPR. In this case, the provision of services by Company C falls within the applicability of the GDPR.

Whether the GDPR would in practice be applied to processors further down the supply chain remains to be seen, but the potential reach of the GDPR is demonstrably extensive.

Practical advice for U.S. companies

Organizations seeking to ensure that the GDPR does not apply to them must avoid giving the impression that they do offer goods or services to users in the EU. This can be accomplished by:

  • Removing the top level domain names of EU member states from the organization`s website, e.g. “de.”
  • Not offering services to EU users on websites or via marketing materials.
  • Removing all EU countries from website address fields or similar drop-down menus.
  • Not using EU member state languages.
  • Not referring to individuals in a EU member state in order to promote goods and services, e.g. if the organization's website talks about German customers who use the related products.
  • Not allowing users hosted in the EU to sign up for services.
  • Not offering shipments to the EU or payment in euros.
  • Including disclaimers on the landing page of the organization`s website stating that neither goods nor services are envisaged as being offered to users in the EU.
  • Not entering into direct contractual relationships with EU end users/customers.

Consquences

Article 3 of the GDPR contains pitfalls, especially for non EU companies that want to do business in the EU. Where these extra-territorial provisions apply, the controller or processor, even though located in the U.S., must appoint a representative (Article 27). That representative must be based in an EU member state in which the relevant data subjects are based. This might be quite onerous for U.S. companies, as the representative will have to accept liability for breach of the GDPR. More importantly, the representative has to manage the consequences if the competent data protection authorities impose fines on the company. Fines can amount to 20 million euros or 4 percent of the annual group-wide turnover, whichever is greater.

photo credit: Allie_Caulfield  via photopin