By Fabio Di Resta

In a globalised world where every place is interconnected via the Internet and new technologies, companies—both big multinationals and SMEs—are operating more and more in different jurisdictions. Particularly, in the Internet environment, companies provide services and products remotely and they collect data that they can easily share among an undetermined group of enterprises. These are widespread activities in the Information Society that can raise problems if not carried out lawfully.

New Regulation and Harmonisation

In order to ensure legal certainty for controllers, individuals and stakeholders, the EU legislative body is trying to address applicability and jurisdictional issues. The European Commission will publish its new proposed data protection framework on Wednesday, January 25. According to an official draft (version no. 56, 29 November 2011) of the new regulation released late last year for inter-service consultation, one of the main objectives of this document is to fulfill the ambitious harmonisation of the data protection laws of EU Member States. This is particularly relevant for multinationals, who struggle with the lack of sufficient harmonisation, which creates legal uncertainties and barriers to free movements of data in Europe.

External scope of the EU data protection law

In more detail, the following example of a common electronic transaction shows the main challenges faced in protecting personal data in the EU:

A buyer resides in Europe, while the vendor’s place of business is outside of the EU. In this case, many privacy experts say that the rules and conditions under which the buyer controls his own personal data should be applied; these rules should come from the country in which the buyer (data subject) resides rather than those in which the place of business of the operator of electronic commerce is located (data controller).

The simple case above illustrates one of the most crucial issues of EU data protection law and of the ongoing debate on the review of the EU data protection law framework. On this subject, the provisions on applicable law provide a set of rules to determine the external scope of EU law; that is, these provisions determine the extent to which EU data protection law is applicable to data processing that has taken place wholly or partially outside the EU or the European Economic Area (EEA) (Iceland, Liechtenstein and Norway).

The “Equipment/Means” Criterion

Regarding European data protection law applied outside the EU, there is a clear principle stated in Directive 95/46/EC that will be revised. Article 4(1)(c) provides that the national law of a Member State is applicable when the data controller is not established in the EU/EEA but, for the purposes of data processing, “makes use of equipment, automated or otherwise, situated on the territory of the said Member State.” The principle expressed here is called the “equipment/means” criterion, and it is particularly relevant in network environments such as cloud computing and for multinational companies. It should be considered that the scope of protection of a person residing in the EU cannot be limited to EU nationals or residents, taking into account that the right to protection of personal data is a fundamental right that can be infringed even by data processing operated wholly or partially outside of the EU. On the other hand, the application of the “equipment/means” criterion should be mitigated; otherwise there is a serious risk of applying EU law to data processing that does not have any real connection with the EU/EEA.

For this reason, this principle is combined with a complementary criterion which takes into account the relevant targeting of the data processing to individuals. This is a criterion that is widespread in different jurisdictions: the EU regulation on jurisdiction and recognition and enforcement of judgments of civil and commercial matters; the United States’ legislation on the protection of children online (COPPA), and some national laws transposing the Directive 2000/31/EC on electronic commerce. In these cases, national law applies respectively when individuals, children or purchasers are targeted by the data processing.

Case 1: Geo-Location Services

For the sake of clarity, two cases in which the criteria apply should be considered. These examples were analysed in Opinion 8/2010 on applicable law, adopted on 16 December 2010 by the Article 29 Data Protection Working Party. The first case refers to geo-location services. A company located in New Zealand used cars globally, including in EU Member States, to collect information on Wi-Fi access points (which also includes the private terminal equipment of individuals). In this case, the cars collecting Wi-Fi information along the streets were considered data processing “equipment.” Moreover, the company provided a geo-location service to individuals, processing data through dedicated software installed on the individuals’ devices. In this case data protection law applies to the data controller located in New Zealand because of the presence of the “equipment” (cars and devices).

Case 2: Cloud computing

The other case refers to cloud computing. In this IT model, personal data are usually processed and stored on servers in several places around the world. The exact place where the data are stored is not always known, and it can change over time. In order to trigger the applicability of EU law, the relevant information includes the context of activity within the EU (principle of establishment) and the location of the equipment.

The first step is to identify the data controller and its activities. In this context, the user of the cloud service could be a data controller. A company uses an online agenda service: if the company uses the agenda in the context of the activity of its establishment in the EU, EU law will be applicable. However, under some circumstances the cloud provider could also be a data controller. This is the case when it provides an online agenda where private parties can upload all their personal appointments and contacts. Even if the cloud provider is located outside the EU, it uses means in the EU; thus there is a “use of equipment,” which means EU law will be applicable. In order to further explain when EU law is applicable, it is important to note that the directive does not apply when means are used for transit purposes only, but it will again be applicable if the service uses calculating facilities, runs JavaScript or installs cookies for the purpose of storing and retrieving personal data of the user. A further consequence of the application of EU law is the appointment of a representative established in the EU, so that the controller can be held responsible under EU law.

To sum up, the use of the “equipment/means” criterion must always take into account all relevant elements; otherwise there is a real risk of applying EU law in the absence of any connecting factor with the territory.

The New Perspective in the Regulation Proposal: “Directed To” Criterion

The criteria analysed above could be amended by the European Commission’s recent proposal for a regulation. Article 2(2) provides that “the regulation applies to the processing of personal data of data subjects residing in the Union not carried out in the context of the activities of an establishment of a controller in the Union, where the processing activities are directed to such data subject, or serve to monitor the behavior of such data subject.” Article 2(5)(d) states that the regulation does not apply to data processing operated “by a person without any gainful interest in the course of its own exclusively personal or household activity, unless personal data of other natural persons is made accessible to an indefinite number of individuals.”

Article 2(2) eliminates the “equipment/means” criterion and substitutes for it only the relevant targeting of the data subject (nationals and residents); this entails that it is sufficient to direct an online service to a European resident to make the controller subject to EU law. Recital 15 of the regulation proposal specifies that the overall activity in which the data controller was envisaging processing the personal data of the data subject should be taken into account, considering in particular the international nature of the activities, the use of a language or currency other than the language or currency generally used in the controller’s country of establishment, or the use of a top-level domain name. In the last part of the recital there is an interesting statement: “The mere accessibility of the controller’s website by a data subject residing in EU is insufficient.” This last provision should lead to the exclusion of “necessary” cookies as a valid ground to claim the application of EU law.

Furthermore, it should be considered that any economic operator who targets an EU data subject (i.e., an operator of electronic commerce) will be obliged to appoint a representative established in the EU, leading to a further economic burden on doing business in EU territory. This should entail an exemption for SMEs, who cannot afford this burden. Without this exemption, there could be several negative consequences. For example, the representative appointment could be an economic barrier, which strongly restricts the choice of EU consumers, who will no longer be able to purchase online products and services coming from outside of the EU.

With respect to Article 2(5)(d), this provision could imply that an individual who posts the personal data of others on a social network or on the Internet could be subject to EU law.

The choice of the European Commission to raise the threshold that triggers the application of EU law outside the EU does not seem appropriate to address the future challenges of the Internet and could use some amendment. On the other hand, the lack of stronger law enforcement, and thus of effective data protection provisions, seems to be the real priority in the international context. Lastly, it should be noted that the “directed to” criterion pushes towards an extraterritorial jurisdiction of EU law. The worry is that this legal criterion will be considered a merely theoretical principle by non-EU/EEA countries without further international legal agreements and strong international cooperation at the EU level.

Fabio Di Resta is an attorney at the Di Resta Law Firm, where he specialises in data protection and IP law.