When the EU General Data Protection Regulation comes into force next May, companies will have had two years to prepare and map out implementation. While some may be well ahead of the game, many others are still left wondering whether regulations will even apply to them.
Recent surveys show these companies are not alone. A recent survey by the Institute of Directors’ indicates that four out of ten of respondents did not know if the GDPR will impact their company.
Does the GDPR even apply to you?
To help figure this out, Bird & Bird's Ruth Boardman and Fieldfisher's Phil Lee, CIPP/E, CIPM, FIP, recently joined IAPP Knowledge Manager, Dave Cohen, CIPP/E, CIPP/US, for a webinar, "GDPR Triggers: Exploring the Jurisdictional Scope."
To understand how privacy is changing under the GDPR, it’s important to first recognize the current framework in place, Lee said. Namely, the Data Protection Directive.
The directive was put in place in 1995 when the internet was in its nascent stage, long before the growth of e-commerce would change the landscape of how companies operate. The directive’s focus was on the concept of where a business was established and where it used equipment to process personal information.
Now, we have the GDPR, which considers the evolution of businesses in an increasingly fluid world. No longer confined by their region, companies and institutions are operating in new ways and across territorial lines. The GDPR’s focus is on where an organization is established, if it is offering goods and services to EU data subjects, and if it monitors a person’s behavior within the EU.
Here are three key concepts to help you determine if your organization will fall under the territorial scope of the GDPR: First, if you have an EU presence, European law will apply. Second, if it is apparent you envisage selling to Europeans, European law will apply. And finally, if you’re using an advertising technology platform to track EU data subjects, and profiling them, GDPR will apply.
“From a regulatory perspective,” Lee said, “these make sense. They can however prove very challenging to implement in practice.”
To help, Boardman and Lee walked through four hypothetical scenarios where the law's application can be slightly challenging to understand.
Hypothetical scenario #1: U.S.-based story, online sales, small incidental sales to EU customers
You are the CPO for a U.S.-based online store. Your CEO has heard of the GDPR and asks you if the company's incidental EU sales — one percent of total sales — could trigger GDPR compliance. Lee described three tests that should be applied.
First to consider is the establishment test. Is the processing conducted “in the context of the activities” of an establishment in the EU? With this being an online store based in the U.S., Lee said, “we can confidently say no.”
Second, is the company offering good and services to data subjects in the EU? There are a few different considerations to take into account here. The test is not so much whether you have sales in the EU or not. The test is whether it is “apparent that you envisage sales in the EU.”
Questions to consider: Have you localized the website in anyway by having a local domain? Is there an option to translate the site into European languages? Do you accept EU currencies? Are you accepting orders from EU addresses? Are you collecting email addresses and them using them beyond confirmation of receipt? If the answer is yes to any combination of the questions above, particularly the email marketing usage, Lee said this could “tip the balance” towards appearing to promote your services within the EU market, particularly if the marketing emails have been localized somehow to better promote your service in the EU.
Finally, the monitoring test. Lee said it's important to know if your website employs advertising technology to target and retarget customers. He added, if you are monitoring the behavior of data subjects in the EU, the GDPR will technically apply.
Does hypothetical situation #1 trigger the GDPR? Phil Lee said, “In the time-honored tradition of all private practice lawyers, I will conclude with “Maybe.”
Lee said “mere accessibility” is not enough to make the website subject to the GDPR; you should take a balanced view considering all the elements.
“You may conclude that technically the GDPR does apply,” Lee said, “but that doesn’t mean that as the CPO you don’t have that flexibility to take the risk-based decision on whether or not you’re going to apply the full weight of GDPR to the business.” He explained that as the CPO, it is important to balance the overhead of compliance with the likelihood of some of those risks crystallizing. In this hypothetical situation, it's probably going to be pretty “low risk” to continue as if the GDPR does not apply until your marketing changes or your EU sales increase.
Hypothetical scenario #2: U.S.-based retail company, small incidental sales to EU customers
Let’s say that you’re the chief privacy officer for a U.S.-based company that has a chain of stores. In walks an EU citizen who purchases something, and in the process, gives you his data. Will the GDPR apply to you?
First, you pass the establishment test since you have no presence or establishment in the EU.
Second comes the goods and services test. Boardman said, “At the moment they’re in your store, they are not in the EU, so the rule wouldn’t apply.” While it may be confusing, the GDPR does not apply strictly to EU citizens, rather, it applies to EU data subjects, which can be either citizens or visitors, who are within the boundary of the EU.
What happens when your customer goes back? In this situation, Boardman said, you’re looking at if it “is apparent that you envisage processing their data, are you intending to process their data when they go back to the EU? Probably not.”
If you notice you have a high volume of EU customers and start to deliberately profile the EU customers that come to your store by sending them targeted emails, then this would change.
Third, the monitoring test. Are you monitoring whether the customer opens the email? Boardman said this is not a gray area, “If you are monitoring individuals in the EU, it doesn't matter if you intended to or not, the rules will always automatically apply to you.”
Does hypothetical situation #2 trigger the GDPR? Boardman said GDPR compliance will only be triggered if you track data subjects in the EU, "Someone from the EU goes into your store, purchases something, and you ask for their email address to send the invoice. You then send email marketing to them. If you track whether the email has been opened or forwarded, at that point GDPR will apply to you whether you intended to monitor EU data subjects or not."
Hypothetical scenario #3:
U.S.-based company, online sales, EU-based processor
This scenario revisits scenario #1. The same U.S. company has now decided to host all the data it's collecting via its website and use a data processor based in Ireland. The CEO is nervous that using this data processor will make the company subject to the GDPR. Will it?
No change will result for the goods and services test or the monitoring test, but this will make the establishment test a bit trickier.
The GDPR asks, “Is the processing in the context of the activities of an establishment of a controller or processor in the European Union?” By using an EU-based processor, which provides cloud services, does that change the outcome?
The answer is unclear. The cautious approach, Lee said, is if you're using a data processor in the EU that is hosting your data, there is a strong likelihood that the GDPR will apply. Even if that’s not the case, you may still find yourself indirectly subject to GDPR provisions. Your processor will have GDPR compliance obligations, which may put obligations on you as a result of Article 28. Lee said, “Simply by virtue of engaging with a European-based vendor, it tries to float up some data protection responsibilities to you.”
Hypothetical scenario #4:
HR data processed outside of the EU, with EU employees potentially in the system
Let's say you’re the chief privacy officer for a financial services company with staff in the EU. You’re planning to roll out a centralized human resources system that will give headquarters more access to EU staff data. Will GDPR apply to you?
You have an establishment in the EU, meaning your EU entities will have to comply with the GDPR. Boardman said there is an argument that can be made that GDPR would apply to you directly in the states as well, “to the extent that you are accessing and processing staff data ‘in the context of’ the operations of your EU entity.” She added that the company will have to be aware of, and comply with, EU rules in any event. The EU entity would have to ask for the U.S. office to commit to EU principles in order to meet EU data transfer requirements.
It's clear there are a lot of "ifs" involved in determining whether the GDPR applies. The hope is these scenarios help provide some clarity on the right questions to ask in making that determination.
If you want to comment on this post, you need to login.