Recent guidance from the European Data Protection Board clarifies some of the less clear concepts regarding territorial scope under Article 3 of the EU General Data Protection Regulation. This installment of The eData Guide to GDPR breaks down the guidelines, which provide insight into both the establishment criteria and the targeting criteria; guidance on Article 3(3), which states that the GDPR applies to any place where EU law applies “by virtue of public international law”; and guidance on the responsibility of data processors and controllers who fall under the scope of Article 3(2) to designate a representative in the European Union.
The European Data Protection Board (EDPB) released “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)” (the Guidelines) on November 23 to help define some of the more ambiguous concepts in Article 3 that determine which organizations are subject to the regulation’s rules for processing personal data. The Guidelines are open for comment until January 18, 2019.
The Guidelines state that Article 3 of the GDPR reflects the intention to ensure comprehensive protection of EU data subjects’ rights and to establish a level playing field for companies active on the EU markets. Article 3 bases the GDPR’s territorial scope on two criteria:
Thus, on its face, Article 3 can be interpreted to apply to almost any organization that has a presence in the EU or that processes the personal data of any EU citizen, regardless of where that organization is located. Since the GDPR took effect in May 2018, companies outside the EU have been eagerly anticipating more guidance from the EDPB on this subject, to either confirm or restrict the regulation’s extraterritorial breadth.
The newly released Guidelines are split into four sections. Sections 1 and 2 provide insight into the establishment and targeting criteria, respectively. Section 3 provides guidance on Article 3(3), which states that the GDPR applies to any place where EU law applies “by virtue of public international law.” Section 4 provides guidance on the responsibility of data processors and controllers to designate a representative in the EU if they fall under the scope of Article 3(2). Some of the most important highlights from each of these sections are outlined below.
As stated above, Article 3(1) applies if the processing of personal data is conducted through an “establishment” of a controller or a processor within the EU. The Guidelines recommend the following two-step approach to determine if the processing of personal data meets this standard, along with some important guidance on how to correctly apply the test:
As stated above, under Article 3(2), even if the controller or processor is not established in the EU, the GDPR will apply to any company whose activities are related to the offering of goods or services to data subjects in the EU or the monitoring of data subject behavior when such behavior takes place in the EU. Here, the Guidelines also recommend a two-step approach to determine whether a processing activity meets this standard:
Important guidance provided by the Guidelines regarding each of these steps includes the following:
The Guidelines provide a list of specific factors that, taken together, can be considered to determine whether goods and services are being “targeted” to EU citizens:
Unlike the offering of goods or services, there is no requirement that a company must be targeting EU citizens specifically in order to be considered as “monitoring” them. However, the data must be collected with the specific purpose of being subsequently reused with regard to the individual’s behavior within the EU. This could include a broad range of monitoring activities:
Under Article 3(3), the GDPR also applies to “the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.” The Guidelines elaborate on this by stating that the GDPR applies to personal data processing carried out by EU member states’ embassies and consulates when the processing falls within the material scope of Article 2 of the GDPR.[1] It would also apply to EU cruise ships traveling in international waters that may be processing data of guests on board.
Data controllers or processors subject to the GDPR under Article 3(2) (i.e., through the targeting criterion) have a duty to designate a representative in the EU.[2] The Guidelines elaborate on that requirement, noting the following:
[1] Article 2: “This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”
[2] The Guidelines note that designating a representative in the EU does not constitute creating an “establishment” under Article 3(1) (i.e., the establishment criterion).