When Does the GDPR’s Extraterritorial Scope Apply?

Any organization operating within the European Union will be subject to the General Data Protection Regulation no matter where the company is headquartered. But the regulation extends far beyond those borders—essentially any organization that has customers in the EU or collects information or data about EU data subjects will be subject to the regulation. This installment of The eData Guide to GDPR explores the regulation’s extraterritorial scope.

Data controllers and data processors, the organizations regulated by the General Data Protection Regulation (GDPR), are defined by the information they collect and the processing they perform. Under the 1995 EU Data Privacy Directive, the regulation of these entities was determined by the location of the data in the European Union or the organization’s business activities in the EU.[1] The GDPR changes that by expanding the types of business activities that qualify for regulation including activities of entities outside of the EU.

Extraterritorial regulation under the GDPR is explained in two sections of the regulation. Under Article 3(1), the regulation applies to the “processing of personal data” by a controller or processor that is “established” in the EU, regardless of where the data is processed.[2] See our previous Insight, GDPR Obligations for Controllers and Processors Both Inside and Outside the EU, for a discussion on controllers and processors. A controller or processor is considered established in the EU by “effective and real exercise of activity through stable arrangements,”[3] which can include the presence of branches or subsidiaries located in the EU. Although the legal form of the entities present in the EU is not a determining factor,[4] the current GDPR is silent on what constitutes “stable arrangements.” EU case law predating the GDPR, however, does provide some guidance:[5]

• Whether staff members of the entity are EU residents
• Whether EU financial institutions are used to execute business needs
• Whether marketing materials, including websites, are written in the language of the EU member state where the entity is located
• The location of registered offices within the EU, the number of staff therein, and the level of business activities for each registered office as compared to offices outside of the EU

The extraterritorial reach of the GDPR is also codified in Article 3(2) of the regulation, which specifically focuses on business activities that originate outside the EU but “target” EU data subjects.[6] The regulation applies to controllers or processors that are located outside the EU, if the entities are processing information of EU data subjects, and where the processing activities are linked to

• ·offering goods or services to data subjects in the EU, regardless of whether the goods or services require payment; or
• tracking or profiling EU data subjects regarding their personal preferences, behaviors, or attitudes or intending to use gathered information to predict their personal preferences, behaviors, or attitudes.[7]

Article 3(2)(a) requires a fact-specific analysis to determine if a controller or processor is directing its goods and service offerings to data subjects in the EU.[8] Recital 23 focuses on determining whether the “controller or processor envisages offering service to the data subject.” Accessibility to a “controller, processor or intermediary’s” website or a website’s use of a language used in a member state, alone, is not enough to apply enforcement to a controller or processor.[9] However, these factors could subject a controller or processor to GDPR jurisdiction:

• Use of a language or currency generally used in one or more member states with the possibility for consumers to order goods and services in that other language
• Mention of customers or users who are in the EU
• The international nature of the activity, good, or service
• Use of an internet top-level domain name of a member state (such as .fr or .eu)[10]

Regarding the tracking and profiling component of the GDPR, Recital 24 provides clear examples of the type of behavior the regulation is seeking to target and control. The GDPR applies when an entity “tracks” a data subject using “personal data processing techniques” with the intent of profiling the data subject regarding “personal preference, behaviours, attitudes or predicting behaviours.”[11] This provision as written encompasses many entities outside the EU that engage in broad internet marketing and use automated settings for internet or web cookie identifiers for websites.[12] EU governing bodies and case law will likely shape the scope of Article 3’s monitoring component, especially as profiling capabilities improve with technological advances.

The European Commission has provided useful examples to aid companies that are located outside the EU in determining whether their activities are subject to the GDPR. The Commission first notes that the regulation would apply if, for example:

[a] company is a small, tertiary education company operating online with an establishment based outside the EU. It targets mainly Spanish and Portuguese language universities in the EU. It offers free advice on a number of university courses and students require a username and a password to access [the] online material. [The] company provides the said username and password once the students fill out an enrolment form.

In contrast, the Commission notes that the regulation would not apply if, for example:

[a] company is [a] service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided [the] company does not specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

Additionally, in July 2018, the CJEU found that even a religious group that collected and processed personal data obtained from individuals in door-to-door encounters was bound by data protection rules as the religious group was considered a controller under EU law.[13] While the GDPR more obviously applies to controllers and processors of electronic data, the regulation also applies to “any operation . . . performed on personal data or on sets of personal data, whether or not by automated means.[14]

The provisions of the GDPR clearly reach beyond the borders of the EU to anyone that “processes” personal data belonging to an EU data subject. Companies outside the EU should carefully review the key components of the GDPR regarding scope to assess whether their digital footprints and workflows defensibly support their compliance efforts.

[1] Directive 95/46, Arts. 3 & 4, 1995 O.J. (L 281) (EC).

[2] GDPR Art. 3.

[3] GDPR Recital 22. Recitals are used by the Court of Justice of the European Union (CJEU), data protection authorities, and the newly established European Data Protection Board in order to establish the intent or meaning of a provision within a directive or regulation and to promote consistent outcomes. Directive 95/46, Art. 94; GDPR Recital 139 (Article 29 Working Party).

[4] GDPR Recital 22.

[5] Case C-230/14, Weltimmo v. NAIH (2015).

[6] GDPR Art. 3.

[7] GDPR Art. 3.

[8] GDPR Recital 23.

[9] GDPR Recital 23.

[10] GDPR Recital 23; Case C-585/08, Peter Pammer v. Reederei Karl Schlüter GmbH & Co. KG (2010); Case C-144/09, Hotel Alpenhof GesmbH v. Oliver Heller (2010).

[11] GDPR Recital 23.

[12] GDPR Recital 30. Additionally, “cookie(s)” are just one or more pieces of information stored as text strings on a computer. A web server sends a cookie to a computer and the browser stores it. The browser then returns the cookie to the server the next time the page is referenced.

[13] Case C-25/17, Tietosuojavaltuutettu v. Jehovah’s Witnesses (2017).

[14] This includes paper records and information collected through verbal interviews, as codified in GDPR Article 4 and established in case law that predates the GDPR enforcement period. As such, the GDPR is not limited to electronic forms of personal data.