Is your business violating the General Data Protection Regulation?

Rob Hassett
Nov 10, 2018


THIS ARTICLE DOES NOT CONSTITUTE LEGAL ADVICE. YOU AGREE THAT IN MAKING ANY DECISION REGARDING THE GDPR, YOU WILL SEEK AND RELY ONLY ON THE ADVICE OF YOUR OWN ATTORNEY.

The EU approved the General Data Protection Regulation (GDPR) on April 8th, 2016

The European Union General Data Protection Regulation (the “GDPR”) was approved as amended by the Council of the European Union on April 8, 2016, and was adopted, as modified by the Council, by the European Parliament on April 14, 2016. The Regulation became effective on May 25, 2018. The Regulation replaces the previous European Union Privacy Directive (the “EUPD”). Unlike the EUPD, the GDPR can apply to companies that have no office or other physical presence in any nation that is a member of the European Union. Companies that are subject to the GDPR are subject to requirements regarding the collection, use, and disclosure of personal data, the reporting of data breaches, providing access by individuals to their own personal data and other requirements. The GDPR provides for fines of up to the greater of 4% of a company’s annual revenue or EUR 20 million for violations. [1]

The GDPR applies (as more fully explained below) to individuals who are “in,” and to Controllers and Processors which have “establishments” in, the European Union (the “EU”), and will likely, in the near future, also cover the three (3) countries that are members of the European Economic Area (the “EEA”) but not of the European Union. The nations that are members of the EU are:

The United Kingdom is in the process of withdrawing from the EU. That will take at least 6 months and maybe years. It is not possible at this time to know how the exit from the EU will affect the UK’s status under the GDPR. However, the GDPR does currently apply to the UK. The nations included in the EEA, which are not also in the EU, are Iceland, Liechtenstein, and Norway.[2] The EEA Joint Committee, which had the power to approve the GDPR for the EEA, granted such approval at a meeting on July 6, 2018. Implementation in the EEA still requires the approval of the parliaments of each of the 3 countries, but if that approval has not occurred by the time you read this article, it is likely to occur shortly thereafter. Therefore, for purposes of this analysis, any reference to the European Union or the Union includes the UK and the EEA.[3] It should be noted that the GDPR is not enforceable in Switzerland except to the extent it will be enforceable in the United States, Russia or any other country that is not a member of the European Union or the European Economic Area.

The GDPR consists of 99 “Articles,” which set forth the rules in the Regulation, and 173 “Recitals,” which provide background and explanations for the Regulation. Each of the Articles has a title. The Recitals have no titles and can be correlated with the Articles only by their text.

“Data Subjects” are identifiable individuals.[4] “Personal Data” means information related to Data Subjects.[5]

Entities cannot be Data Subjects, but, unlike other privacy laws, including those in the United States, which apply only in connection with consumer transactions, individuals who are directors, officers, employees, independent contractors or otherwise associated with entities can be Data Subjects protected by the GDPR under the first and third provisions of Article 3 of the GDPR, as explained more fully below. “Controllers” are individuals or entities that “Process,” or on whose behalf, Personal Data is “Processed.”[6] “Processors” are individuals or entities that “Process” Personal Data for Controllers.[7] “Processing” is very broadly defined as “any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” [8]

Article 3, which is entitled “Territorial Scope,” states that the GDPR applies to Controllers and Processors which fall into one (1) of three (3) categories:

1. Controllers or Processors that Process Personal Data “in the context of the activities of an establishment of a Controller or a Processor in the Union.” Recital 22 states that “establishment implies the effective and real exercise of activity through stable arrangements.” As included in the Regulation, the term “establishment” is clearly ambiguous. But before any of us point fingers at the EU, consider that in the United States what is necessary for “personal jurisdiction,” what constitutes “transaction of business” (which requires an entity organized in one state to have a Certificate of Authority to legally take actions in a different state) and what constitutes “presence” (which can require a seller organized and operating in one state to collect and pay over sales taxes in another state) are at least as unclear from a reading of only the applicable statutes. Recital 22 further states that whether a Controller, or other entity, has an establishment in a particular nation directly, or indirectly through a subsidiary, makes no difference to the interpretation and application of the Regulation. In other words, subsidiaries are treated the same as divisions of an entity.

2. Controllers or Processors that process Personal Data of Data Subjects who are in the Union, where the processing activities are related to the “offering of goods or services” to such Data Subjects. If this was all there was to consider in determining whether a Controller or Processor outside the European Union was subject to the GDPR, determining the answer would be fairly straightforward. However, Recital 23 states that in determining whether goods or services are being offered, “it should be ascertained whether the Controller or Processor envisages offering goods or services to Data Subjects who are in the EU.” Recital 23 further states that mere accessibility of a website or of an email address or other contact details, or use of a language which is generally used in the country where the Controller is established, are not meaningful in making this determination. On the other hand, “factors such as the use of language or currency generally used in one or more member states [and presumably not generally used in the nation where the Controller or Processor is established], the possibility of ordering goods and services in that other language or the mentioning of customers or users who are in the Union, may make it apparent that the Controller envisages offering goods or services to Data Subjects in the Union.” “Envisage” is a somewhat formal term more popular in the UK than in the U.S. that has a variety of similar meanings relating to forming a mental picture. In some definitions “forming a mental image” is the entire definition. In other instances, the definition is forming a mental image of something desired. The interpretation in the GDPR appears to be a combination of the two. In other words, this provision applies when the Controller intends, expects or is trying to obtain sales in the EU. It should be noted that the envisaged offers must be to the Data Subjects themselves for the Controller to be subject to the GDPR under this provision.

3. Controllers or Processors that process personal data of Data Subjects who are in the Union, where the processing activities are “related to the monitoring of [their] … behavior … within the Union.” Under Recital 24, to “monitor” means to track “on the internet,” especially for potential use consisting of profiling “in order to take decisions concerning [the Data Subject]” or “for analyzing or predicting personal preferences, behaviors, and attitudes.” Understandably, considering the size and complexity of the GDPR, “monitoring” has been incorrectly construed by at least one commentator to mean “video surveillance.”

EXAMPLES:

1. X Corp. is a videogame developer based in Atlanta that has some of its software coding provided by individuals who provide their services in Russia. In that connection, such individuals provide their Personal Data to X Corp. while in Russia.

Neither Russia nor the United States is in the EU. Therefore, the GDPR would not apply.

2. What if, in Scenario 1, the coders were based in Croatia instead of Russia?

The GDPR would still not apply because, although Croatia is in the EU, X Corp. would not be envisaging offering goods or services to individuals in the EU.

3. What if, in Scenario 2, X Corp., sets up a subsidiary in Croatia with rental space where the coders can work?

In this situation, the subsidiary of X Corp. would be deemed to constitute an “establishment” of X Corp. in the EU. Therefore, all Personal Data acquired or otherwise Processed for customers of X Corp. in the EU or anywhere else in the world, including customers in the United States, would be protected by the GDPR.

4. X Corp. is an Atlanta-based company that has developed an action-based videogame and offers it over the Internet by means of download. The only language used on its website or in the videogame is English, its top-level domain is .com, it does not mention or accept any form of payment other than by credit card with prices denominated in US dollars, 50% of its sales are in the US, 20% of which are in California, 20% of its sales are in Canada, 20% are in Asia, 5% are in Africa and 5% are in the EU. Sales total USD 100 million.

A very strong case can be made here that X Corp. is not envisaging offering goods or services to individuals in the EU. However, the situation here is borderline. It would be very risky not to assume that the GDPR applies. Note that here the California Online Privacy Protection Act would apply and Canadian privacy laws may also apply.

5. What if, in Scenario 4, X Corp.’s software is for business purposes only, but it does track the online activity of the individuals who represent the companies that make purchases, and it is evident that some of these individuals are in the EU?

Because of the monitoring activity, the GDPR would definitely apply. Because it would not be involving sales to consumers, the California law would not apply.

6. X Corp. is a commercial real estate brokerage firm based in Atlanta that focuses on selling condominiums located near the Beltline to Russian oligarchs. It has a website with the .com top level domain that is in English with a Russian version. The Russian version has the top level domain .ru. It has no other offices or websites.

X Corp. has no “establishment” in the European Union, is not envisaging offering goods or services to individuals located in the EU and is not monitoring individuals located in the EU for analysis or prediction purposes. X Corp. is therefore not required to comply with the GDPR.

7. What if, in the above scenario (“Scenario 6”), X Corp. had an office in Paris for the sole purpose of selling to Russian oligarchs in France?

In that situation, X Corp. would be considered to have an establishment in the Union and would therefore be governed by the GDPR with respect to all Personal Data derived from any place in the world, including, but not limited to, any customers it may have in the United States.

8. What if, in Scenario 6, X Corp. had sold condominiums to two (2) residents of Germany who happened to stumble upon the English version of the website?

I do not believe that would be enough to trigger the application of the GDPR.

9. What if, in Scenario 6, X Corp. sold over 100 condominiums to more than 100 German residents, none of whom found out about the possibility of purchasing condominiums from X Corp. except when on trips to the United States, and X Corp. collected Personal Data from them only when they were in the United States, but uses the information after the residents of Germany returned home?

This scenario brings up the question, what does the phrase “where the processing activities are related to the [envisaging of the] offering [of] goods or services to Data Subjects who are in the EU” mean? More specifically, what does “in the EU” mean? I interpret the phrase to not require residency or citizenship in the EU, since those are common terms that could have been used if that was what was intended. Also, I interpret the phrase to apply at the time information is collected or otherwise processed. Therefore, under this scenario, if X Corp. collected the information when the individuals were in New York and does not use it for marketing or to track the individuals with cookies or similar code when they are back in Germany, then the GDPR would not apply. However, here we are stipulating that X Corp. is using the Personal Data to market to such individuals when they are back in Germany. Therefore, the Company is processing data of individuals who are in the Union and is therefore subject to the terms of the GDPR.

10. What if, in Scenario 6, X Corp. sells over 100 condominiums to more than 100 German individuals who access the website directly and provide their contact information?

The question here is whether sales to individuals in Germany would be considered “envisaged” even if individuals located in Germany were at no time a target for sales. I believe that such sales to individuals in the EU would be “envisaged” and that, accordingly, the GDPR would apply.

11. X Corp. is based in Atlanta, but sells condominiums located in Belgium to individuals who are in the United States. X Corp. has a website which is in English and does its transactions in dollars. X Corp. owns a subsidiary based in Belgium that manages the condominiums. Is X Corp. subject to the requirements of the GDPR?

The answer is yes. It is true that X Corp. is not envisaging offering goods and services to individuals in the EU nor is it monitoring individuals in the EU. However X Corp. would be subject to the GDPR because the management company would be an “establishment.” Since X Corp. would have an establishment located in the EU, it would be required to comply with the GDPR, not just with respect to data obtained from individuals in the European Economic Area, but from individuals anywhere in the world.

12. X Corp. is based in Atlanta, GA. In 2015, the company sponsored seminars in the UK, where it offered timeshares in the US. It collected and organized data from individuals in the UK who attended the seminar. Other than continuing to email materials to individuals who provided their data at the seminar, the company does not market to, or collect data from, individuals in the Union. The company has no establishment in the EU. Under this scenario, is the Company subject to the restrictions of the GDPR?

The answer again is yes. Sending emails to individuals using contact information collected constitutes processing of Personal Data.

The GDPR will likely apply to your business if you are receiving data concerning individuals located in the EU, irrespective of whether or not you have any representatives operating in the EU.

If you feel like your business may be impacted, you can reach out to an attorney or technology service provider with the right expertise to ensure your compliance.

Endnotes:

[1] See http://www.europarl.europa.eu/legislative-train/theme-area-of-justice-and-fundamental-rights/file-general-data-protection-regulation and https://gdpr-info.eu/

[2] See https://www.gov.uk/eu-eea

[3] See http://www.efta.int/EEA/news/Incorporation-GDPR-EEA-Agreement-508041

[4] See GDPR Article 4, Definitions under “personal data.”

[5] See GDPR Article 4, Definitions (1).

[6] See GDPR Article 4, Definitions (7).

[7] See GDPR Article 4, Definitions (8).

[8] See GDPR Article 4, Definitions (4).
