GDPR’s global scope: the long story
--
The EU General Data Protection Regulation (GDPR) is not explicitly a global law, but it might be on the way to becoming a de facto law beyond the boundaries of Europe, at least for a number of businesses.
Does it apply to you? If you are interested in this article, the answer is: “Probably, Yes”. Its effective scope is broad. However, the reasons it could apply to you may not be what you expect.
Nothing about this issue is black and white. It is not as simple as saying that the GDPR applies to “all processing of personal data of EU citizens”, as often incorrectly stated. There are ‘direct’ reasons why the GDPR will apply on other territories — because the law says so — and there are ‘indirect’ effects of the law that will cause its application in any case. Even the direct statements of the law leave plenty of scope for interpretation and debate.
That article goes into a lot of detail, so that makes it a long read. If you haven’t the patience for that and if you want a quick and simple answer to the question of whether the GDPR applies to you, outside Europe, take a look at this chart:
I have used the word “operators” to cover those who decide how personal data is processed (‘data controllers’, in GDPR-speak) and those who act as sub-contractors to data controllers (the ‘data processors’). Data controllers can do processing themselves and don’t have to farm it out to other operators.
The ‘data subject’ is the person whose personal data is being processed. The GDPR applies equally, whatever the nationality or residence of the data subject — this statement has to be repeated often, because many people find it surprising.
If the operator is based in the EU (used as shorthand here for any country in the EEA), the GDPR always applies, even if the actual processing takes place outside the EU — due to the “tightly linked” condition. This condition can also bring some non-EU operators directly within scope, if they pass the “tightly linked” test — this is a more complex point that is explained in the body of the article.
If you are deliberately providing goods or services to people in the EU (even if they only happen to be in the EU for a short period and they live elsewhere) then the GDPR applies. If you are monitoring the behaviour of people in the EU who connect via the internet — such as recording their activity on your website — then the GDPR applies.
If you haven’t met any of these conditions, you come in the “maybe” category. If you don’t do business with anyone (B2B or B2C) in the EU and if your activities do not include doing data processing for other businesses, then the GDPR probably does not apply, and you don’t need to read anyfurther in this article…
If you want to explore the “maybe”, understand the reasoning and then decide for yourself if the GDPR applies to your business, be ready to dedicate a little time! The issues are complex and depend on interpretation. This article cannot provide certainty, because regulators and law courts have not provided their interpretation, but it can help you understand the possibilities.
Alternatively, if you are in the maybe category and you find it too difficult to come to a conclusion, you can just comply with the GDPR and save yourself the risk. The uncertainty about when it applies is one reason that it is on the way to becoming a global law!
If you simply want to explore specific issues, or a particular case, please contact me at: robmadge@xifrat.com.
THE LONG READ…
What is the EU trying to do?
People make laws to apply to themselves — or, at least, they expect the governments that represent and rule them to do so. They don’t like it very much when they have to follow laws made by someone else.
However, even this leads to different interpretations. The US, for example, tends to make laws that apply to its citizens — wherever they are. If you are a US citizen, you cannot escape your responsibilities for US tax by going to live somewhere else. US laws may also extend to cover ‘legal citizens’ (such as US-registered companies) operating internationally.
The European Union, on the other hand, is not mainly concerned about citizenship. It thinks it has a responsibility to protect fundamental rights of all humans, to the degree that it can. This has been codified in the Charter of Fundamental Rights of the European Union, published in 2000. Most of the rights described in the Charter are described as applying to “everyone”, with only some — such as voting rights and rights to work in the Union — being described in terms of citizen rights.
The statutes that describe fundamental rights are, along with the treaties between the member states, “primary law” in the EU. “Secondary laws”, such as the GDPR, are more specific rules to make sure that primary law is applied.
The GDPR states in its second paragraph: “The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.” No mention here of citizenship and an explicit rejection of different rules depending on nationality or residence.
The idealistic intention of the GDPR legislators is clear: they would like to protect everyone in the world. Don’t be surprised that they try to apply the law to you.
However, all lawmakers are constrained in how far they can go.
Interference in other countries through laws that are “extra-territorial” are not likely to be respected, unless they fit within common notions of international law. Furthermore, laws need to be accompanied by means to enforce them, so there are practical issues.
International legal conventions allow a certain amount of jurisdictional overlap — in other words, it is possible to stretch the boundaries a bit, without creating a tit-for-tat of other countries responding to an intrusive law of another country by adopting one of their own. Most of these conventions depend upon a strong link to the territory of the law-making country.
DIRECT EXTRA-TERRITORIALITY
The GDPR legislators were conscious of the need to stay within international conventions and have tried to phrase the explicit provisions of extra-territoriality in a way that would be accepted by other countries. For this, there is an Article of the GDPR that is titled “territorial scope”. It is based on the territory of the EU, plus the other European Economic Area (EEA) countries — Iceland, Liechtenstein and Norway — that have agreed to be bound by EU law.
The territorial scope definition in the GDPR essentially sets out to stop anything ‘bad’ happening in its territory that relates to personal data. This has two parts: to cover any processing of personal data that has a cause in the EU and to cover any processing that has a result in the EU.
The provisions laid down are a somewhat creative interpretation of international law concepts of “subjective territoriality” and “objective territoriality”.
“Subjective territoriality” is when an act is started in the territory, but the result is felt either inside or outside the territory — the usual example given is when someone fires a bullet from one country and it kills a person on the other side of the frontier. (I won’t use a concrete example of the countries involved, so as not to offend anyone!)
The GDPR’s version of this is to apply its scope to any establishment in the EU tightly linked to the processing of specific personal data, regardless of the location (or residence, or nationality) of the person whose data is being processed and regardless of where the processing takes place. This is quite a complex definition and so I shall explain it further later, particularly the notion of “tightly linked” (that in strict case law terms is called “inextricably linked”).
Since the establishment is in the EU, it is taken to be the cause of the data processing, even though it may not physically initiate this processing — stretching somewhat the usual concept of subjective territoriality.
“Objective territoriality” is when the act terminates or has a result in the territory. The GDPR’s version of this is to apply its scope to the processing of personal data of someone in the EU (regardless of residence or nationality), when the entity doing the processing is not in the EU, although with some limitations.
The limitations on the second case are that the personal data processing must be linked to the offering of goods or services to someone in the EU or to the monitoring of someone in the EU. This is a step back from the objective announced by the EU Commission, when it started the drafting of the GDPR, that was simply to “provide for the same degree of protection of EU data subjects, regardless of the geographic location of the data controller”[1].
The way in which the GDPR “objective territoriality” provision is drafted leads to all sorts of possible interpretations. I have written about some of the issues arising from the wording in my article Five Loopholes in the GDPR, and I shall come back to the discussion below.
GDPR’s subjective territoriality
This assertion of territorial scope is Article 3.1 of the GDPR:
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
At first glance, this looks quite straightforward. It is very similar in concept and wording to the EU 1995 Data Protection Directive, that has been the EU-level law on personal data protection until the ‘update’ to the GDPR. The EU is saying that there will be no ‘bad actors’ in the territory, since the law covers all operators based there.
However, the underlying meaning has advanced from covering physical processing by physical operations in the Union, as it was probably understood in 1995. In particular, the official EU interpretation of the words has been clarified by a landmark judgment in 2014 by the European Court of Justice (CJEU), when ruling on whether Google had to respect an individual’s request to have their name removed from search engine results (Google Spain, Case C-131/12)[2]. The judgment was in the context of the 1995 Directive, but the key words are the same as in the GDPR: “in the context of the activities”.
The CJEU ruled that an operator that is outside the EU could be linked to an establishment (business operation) inside the EU, and therefore be described as operating “in the context of the activities” of the EU establishment. Specifically, it determined that the search engine operations of Google in California were in the context of the activities of the Google Spain subsidiary — that sold advertising and did not do any personal data processing.
The Court said that “the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed.”
The same logic would link together other operations that depend on each other economically or organisationally.
The drafters of Article 3.1 of the GDPR added the words “regardless of whether the processing takes place in the Union or not”, that were not in the 1995 Directive, just to make it crystal clear that the scope of the law extends to cover data processing outside the EU, although the CJEU judgment had already determined this.
If you have an organisation, or group of companies, that has operations both inside and outside the EU, you may want to stop and think about the implications of this.
The Court ruling does not automatically cover all parts of the business, there has to be an inextricable linkage in the activities. For example, a publisher in the US may have a subsidiary in Europe that operates completely independently, in terms of personal data processing and business dynamics (such as advertising), although subject to overall management and financial supervision from the States. In this case, the US operation would not come within the scope of the GDPR (at least not for this reason), because the two operations do not have an interdependence that relies on personal data.
The ‘chain of context’
In the Google Spain case, the linkage was particularly evident since the establishment in Spain was in the same group of undertakings — effectively part of the same business, under the same ownership. The judgment therefore did not explore what would take place if the operations were independent, but ‘inextricably linked’.
Personal data is often handled in a chain of operators. In a clearly-managed case, this could be a data controller (the operator that decides what to do with personal data) that passes personal data to one or more data processors (operators that act as subcontractors to the controller, processing personal data under instructions). There would be a clear linkage here, with the controller paying the processor, and both parties relying on each other. The controller depends on the processor for the data processing to take place and the payments of the controller are the means to render its operations “economically profitable”.
There is no case law to establish whether the operations of the data processor should be considered “in the context of the activities” of the data controller, for the purposes of interpreting EU data protection law — however, prima facie this appears to be so.
Assuming this interpretation, if you are a non-EU data processor doing work for an EU-based data controller, you would come within the scope of the GDPR under Article 3.1. Logically, this would also apply if you are a ‘sub-processor’, working for a processor who is working for an EU-controller. This is the condition described as “related to an establishment in the EU” in the summary chart at the beginning of this article.
Some people would push back against this argument on the basis that the data processor in any case has to be subject to a contract with the data controller (see Article 28), and this implies compliance with many aspects of the GDPR, so it is already sufficiently covered. Yet, the GDPR contains a number of provisions that directly apply to processors, suggesting that the contract is not sufficient. I cover this subject below.
There could also be arguments that the degree of linkage would depend on individual circumstances. For example, a US data processor might do some personal data processing for an EU controller, but this could be an insignificant amount of its total business and so there would not be a measurable amount of economic dependence on the controller. However, the extension of the scope of the GDPR to operators later in the chain does not mean that the GDPR applies to all the operations of the processor, only to those related to the activities of the EU controller. Therefore, the significance of the economic dependence as a proportion of the processor’s total business would not be the relevant measure, but whether that particular personal data processing is in the context of the controller’s activities.
The chain of context might also apply to less well-managed cases. One would be when a controller in the EU passes on data to a controller outside the EU. In this case, it would be subject to the GDPR rules on international data transfers (another subject that is addressed later on in this article), if the personal data were not already outside the EU. Therefore, there would be restrictions and rules on later handling of this data, but not the same ones as if the second controller were to come within the direct scope of the GDPR.
However, it might be possible to assert that the recipient controller is acting in the context of the activities of the original controller. For example, we could imagine European publishers who are capturing personal data that is passed on to a US advertising operation that is then targeting adverts back at Europeans. It would seem obvious that there is a tight link between the activities of the publishers and the advertising business, therefore bringing it into scope of the GDPR.
Taking an example that is perhaps not so obvious, there could be an Australian research operation that is partnered with an EU health sector organisation. The EU organisation sends personal data to the Australian research outfit, that is studying the comparative health records of Europeans and Australians with similar genetic backgrounds. The research depends on the European data. Would we say that the personal data processing in Australia is in the context of the activities of the EU health sector operation?
Clearly judgments would need to be made based on individual circumstances, but the criterion of “context” gives the GDPR a long arm.
Rules applied to data processors
One of the substantial changes between the previous EU data protection law and the GDPR is the specific focus given to data processor responsibilities. The earlier 1995 Data Protection Directive mentions the word “processor” 11 times, the GDPR mentions it more than 260 times. Some of this change took place during the legislative process, from the original EU Commission proposal for a law up to the final approved version, when the number of references to “processor” was doubled.
The essential role of the data processor defined by the 1995 law is the same as in the GDPR. It is an entity that acts as a sub-contractor to the data controller, following instructions given by the controller. Most of its legal responsibilities relate to data security and it does not have any responsibility for determining why personal data is being processed or for communicating with data subjects (the individuals whose data is being processed). Sometimes it may carry out such communications, but it would be doing so as an agent of the controller and acting in the controller’s name. Indeed, if a processor starts choosing the purpose for personal data processing, it automatically gets re-classified as a controller, with much greater legal responsibilities.
Under the earlier law, the assurance that the processor would fulfil its obligations and provide effective data protection came from the contract between the controller and the processor. A legal contract was required (and this has been carried forward to the GDPR, but now with the stipulation that it must be an EU or member state legal act). All responsibilities passed through the processor to the controller and only the controller could be fined. There were no specific provisions to allow individuals to achieve compensation from processors.
One problem, up to now, is that businesses (and this has often been non-EU businesses) have claimed that they were only processors, so with limited data protection responsibility and liability, when objective analysis would say otherwise.
A further problem is that in many cases it is the data processor, rather than the ‘controller’, that is in the stronger position in the controller-processor relationship. For example, the large cloud and SaaS providers — considered processors if they do not take any decisions on what personal data is processed, and why — may have tens of thousands of clients who are in a very weak position when it comes to demanding that they follow data protection rules.
To avoid these problems, the GDPR has brought processors directly into the net. On very many occasions in the regulation, the phrase “controller or processor” is used, when in similar 1995 Directive clauses there was simply a reference to “controller”. Administrative fines (the famous “up to 4% of the total worldwide annual turnover” amounts) can be levied directly on processors as well as controllers, and individual data subjects can seek compensation directly from processors. Indeed, controllers and processors are jointly liable for the full sum of damages — although mitigating factors can be applied, such as proving lack of responsibility for the damage.
Subjective territoriality and data processors
The CJEU Google Spain judgment mentioned earlier did not explicitly consider the question of who directed whom, when deciding that Google’s Californian operations were inextricably linked to its Google Spain establishment. The judgment referred to their mutual dependence. Therefore, the same ‘chain of context’ logic, discussed earlier, that says a non-EU processor is handling personal data in the context of the activities of the EU controller that contracts it, would say that a non-EU controller is processing personal data in the context of an EU processor that it contracts.
In fact, Article 3.1, defining the ‘subjective territoriality’ scope of the GDPR, explicitly refers to “controllers or processors” in the Union. A processor in the Union would be in scope and so would any other operation in the context of its activities — including a controller.
Stepping back, to consider underlying principles: the GDPR aims to stop ‘bad’ personal data handling wherever it can — although most particularly, when it touches the EU. As stated by the Article 29 Working Party (the joint committee of EU regulators, often known as WP29), in its 2010 opinion on applicable law[3], legal rules have to be written to prevent the EU becoming an unethical data ‘haven’.
EU legislators and regulators would certainly not welcome any processors of personal data on EU territory that are breaking the principles of protecting natural persons from abuse of their personal data. If a non-EU controller, installed in a country with a very lax approach towards personal data, and abusing personal rights, were to use EU territory for some part of the processing, this should definitely come under the control of the law.
To take a parallel from a different area of data handling, imagine that there is a child pornography site operating outside the EU, it would be considered totally unacceptable — and illegal — for an EU operator to be processing or storing this data.
However, data processors have no responsibility for the lawfulness of content of personal data that they process. They do not determine the lawfulness of collection or capture of data, nor do they assure that the rights of data subjects (Articles 12–22 of the GDPR) are respected — these are the responsibility of the controller. Processors might not even be able to see the contents of persona data (that could be encrypted before they receive it) and they probably do not know what interactions take place with individual data subjects.
So, the only way to ensure that the EU is not an unethical data haven is to bring non-EU controllers, that use EU processors, into scope. This was already done in the 1995 Directive, that included in its scope the processing of personal data using equipment or means in the EU. To achieve the principles and objectives of the GDPR, Art 3.1 has to be interpreted to cover non-EU controllers that use EU processors.
Summarising subjective territoriality scope
To summarise the ‘subjective territoriality’ of the GDPR, it covers:
1. Controllers and processors in the EU
2. Controllers and processors outside the EU tightly linked to controllers in the EU
3. Controllers and processors outside the EU tightly linked to processors in the EU
The ‘tightly linked’ connection may include operations that are two steps or more removed in the chain of processing — for example, a network of controllers handling personal data for advertising, or a processor outside the EU who sub-contracts some work to another processor.
In all the cases based on a tight linkage, EU regulators and courts should have a ready route to enforcement, since they will be able to act on the operator that is in the EU. This, by definition (mutual dependence), will have an impact on any tightly-linked controller or processor outside the EU and so should have good chances of effectiveness.
Objective territoriality
Even with strong subjective territoriality rules, these will not prevent all abuse of personal data of people in the EU.
In the physical world, it’s unlikely that you will be harmed by someone from another territory, since you would need to be very close to a frontier to be touched by a bullet. In the age of global internet, someone who means to harm you, or take advantage of you, can do so from the other side of the world — and can reach everyone in your territory.
The GDPR therefore complements subjective territoriality with objective territoriality — bringing into scope actors from outside the EU who process data of those inside.
Article 3.2 of the GDPR states:
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
There are multiple ways to interpret this Article, and I have already discussed in my post Five Loopholes in the GDPR how it could possibly be interpreted if you are trying to escape the reach of the regulation. Here I shall discuss the interpretation that is probably most aligned with the objectives and principles of the law.
The goal is the protection of people who are in the EU at the time that their data is processed, subject to further limits on jurisdiction that would make the law acceptable to non-EU authorities and hopefully enforceable with their help. There is the specific sub-goal to ensure that the GDPR applies to people tracking and profiling.
Unlike the provisions under Article 3.1, there is no clear mechanism for enforcement, since the parties doing the processing are not established in the territory. Therefore, the threshold necessary for ‘international acceptability’ is higher.
Note: The provisions of this Article appear on the surface not to overlap with Article 3.2, because they specifically apply only to the processing by operators not established in the Union. However, since Article 3.1 is in the context of the activities of an establishment in the Union — that can, as we have seen, sometimes apply to processing that takes place outside the EU — there could be cases when both Articles 3.1 and 3.2 apply. Most commentators suggest that the test should first be made with Article 3.1, before testing with 3.2 if the matter does not come in scope of 3.1, but the law is not specifically worded to be applied that way.
The starting point of Article 3.2 is that it applies to processing by operators not established in the Union, but there is one further overriding condition: it applies to processing when the data subject is in the Union. Therefore, its effect is temporal, depending on the location at the time of the data subject. For example, if someone is in the EU and has their behaviour monitored by a non-EU controller, this is subject to the GDPR. If the person goes for a few days to China, while they are in China this behavioural information can be processed without following the rules of the GDPR. (Note: the data will not have been transferred out of the EU, since the controller was always outside the EU; see comments in the international data transfer discussion below.)
I doubt that this was the intention of the legislators, since this appears be a big gap in protection for EU data subjects who travel (if malicious controllers can monitor their movements and take advantage of the time they are outside the territory).
The data processing has to meet at least one of two additional conditions. Furthermore, the relationship to these conditions is defined narrowly, because the connection has to be “processing activities”. This is significantly narrower than “in the context of activities of an establishment”, as used in Article 3.1 — for example, it cannot cover an economic or organisational connection, unless the personal data processing activities are related to this.
“Offering” goods or services
The first condition that comes within scope is the “offering” of goods or services to the data subject whose data is being processed. Personal data processing does not come within scope if it arises from the offering of goods or services to another person. For example, if a social media application is offered to people in the EU who enter data about their friends, the data about the friends is not covered. If the provider of a service, such as the operator of an app that collects data from electronic wearables, shares the data with other parties for unrelated purposes, this further personal data processing is not covered. (The impact of this on EU research activities — that would be covered, unlike research conducted from outside the EU — is described by Els J. Kindt in “Why research may no longer be the same”[4].)
The concept of offering goods or service is open to a lot of debate. The wording “irrespective of whether a payment of the data subject is required” has been added, so potentially that brings into scope services that are provided free (such as those supported by advertising) and marketing activities that collect and use personal data. However, there are alternative ways to interpret the word “offering”, such as:
1. An “offering” could mean the same as its use in EU competition law, where it relates to the economic activity of an undertaking (that does not require payment), covering sales, supply and even purchasing. This would therefore only require an ‘effect’ test: if personal data processing was related to a transaction with someone in the EU it would come into scope, without having to prove the intent of the operator;
2. An “offering” could be interpreted, as suggested by the latter part of Recital 23 of the GDPR, to only apply in cases where the controller or processor had ‘targeted’ people in the EU. This is an ‘intent’ rather than an ‘effect’ test — so in certain cases, processing of personal data arising from the provision of goods and services to people in the EU would not be covered.
Due to the wording in Recital 23, most commentators are simply asserting that this provision only applies to targeted offerings. However, a Court might decide differently, since (under EU law) recitals are designed to help in understanding and interpreting the law, but they cannot increase or restrict the legal effect of the articles.
This second interpretation of “offering”, restricting it to situations of targeting, is certainly more attractive to those who want to minimise the extra-territorial effects of the GDPR, but it will deprive certain EU data subjects of the protection of the law.
Monitoring of behaviour
The second condition of Article 3.2, which adds to the scope, is the monitoring of behaviour of data subjects in the Union. This has been limited by the words “as far as their behaviour takes place within the Union”. These words were apparently included so as to demonstrate that the provision is not extra-territorial and that it excludes cases related to a time when the data subject was not in the Union. For example, someone from Paris could visit New York, and their behaviour could be observed and recorded as they shop on 5th Avenue. When they return to Paris, the US controller could still keep processing the data of what they did in New York, even though they are now a “data subject in the Union”. Similarly, it would not be necessary to apply the GDPR to the processing of data about an American during the time they are on a business trip to Europe — so long as behaviour in Europe is not recorded.
In general, this Article 3.2 is less restrictive than 3.1, since it includes no wording to suggest the need for ‘intent’ to monitor, it simply covers monitoring. No test is required of the surrounding circumstances and even ‘accidental’ monitoring would be covered.
Since the full condition covers processing activities related to the monitoring of behaviour, it brings into scope any subsequent processing of data after the monitoring takes place (including profiling, according to Recital 24) and any processing of data that is combined with the original data. A clear case in point is the use of cookies, when they monitor behaviour, as well as any associated back-end processing (extending to the selection of adverts related to the monitored data), if Recital 24 is accepted to be a correct interpretation of the wording of the Article. Details in this recital, and the use of the “behaviour” wording, suggests that this clause was aimed particularly at cookies and equivalent data collection, along with subsequent profiling, rather than other kinds of monitoring.
Use of the word “behaviour” can leave certain monitoring out of scope. For example, it might be possible to pick up a range of personal data about an individual, without it being considered monitoring of behaviour — since “behaviour” suggests following a pattern of activity rather than collecting characteristics. Even Recital 24, in giving more detail, effectively implies a limitation of scope:
In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
This wording does not say “as an example”, or “inter alia”. It seems to say that only the kinds of activities listed would be considered “monitoring of behaviour”. The question arises, for example, of whether data that measures an individual’s physical condition, such as a fitness wearable or a medical measuring device, would be monitoring “behaviour”? Would an IoT refrigerator contents sensor be monitoring “behaviour” by keeping records of food purchases or consumption?
There is another indication in the GDPR that the concept of “behaviour” is quite limited: the definition of ‘profiling’ given in Article 4.4. In this, behaviour is only one element that is mentioned as possibly predicted or analysed by profiling, listing “person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”. The definition of ‘biometric data’ in Article 4.14 also refers to “physical, physiological or behavioural characteristics of a natural person”, therefore apparently excluding physical or physiological factors from “behaviour”.
Since the recital seems to focus on profiling a specific individual, this also implies that the monitoring of groups of people would not be included. For example, an IoT device in an airport that is monitoring the movements of people to take future decisions on terminal layout. It would even appear to exclude the recording by CCTV in the streets or in a shop, if this is not monitoring the behaviour of specific individuals (and the CCTV system is operated remotely by a controller or processor not in the EU). Furthermore, any public data of people in the EU could be collected by a controller outside the EU without having to comply with the GDPR.
It is not to be forgotten that once personal data is out of scope of the GDPR and out of the EU, it stays out of scope. Any further processing, if not in the context of the activities of an EU establishment or related to an offering to someone in the EU, will escape any requirements to comply with GDPR provisions.
Recital 24, if taken to be the definition of the law, might well limit the scope of the GDPR more than was intended by the legislators. As noted, a recital is not directly the law — the law is described in the articles — but recitals generally have a significant effect on the implementation of the law until there is a specific contrary determination by an authoritative Court.
Enforcement
It’s one thing to create extra-territorial legislation and another thing to make it effective. In fact, capacity to enforce is considered a factor when judging the validity of extra-territorial laws (in a kind of ‘might is right’ justification).
Technically “enforcement” can be split down into different factors, such as investigative powers, adjudicative jurisdiction and ability to sanction. In the case of “subjective territoriality”, where the relevant establishments are on EU soil, it is relatively easy to apply all stages of enforcement — and the GDPR has extensive provisions in this regard, with powers given to regulatory bodies (supervisory authorities) and rights for claimants to seek remedy in EU courts. The scope of Article 3.1 might include operators that are outside the EU, but there will always be an EU nexus through at least one establishment in the territory.
When it comes to “objective territoriality”, and the scope of Article 3.2, it becomes more complicated because there may not be any relevant operator in the EU.
One response to this point is provided by Article 27 of the GDPR, that establishes the obligation of non-EU controllers and processors to appoint representatives within the EU, if they are subject to Article 3.2. These representatives (that can be individuals or legal entities) act as the liaison between the operator (controller or processor) and the supervisory authorities and data subjects.
Operators only need to appoint one representative, to cover the whole EU, but this representative will have to interface with all regulators (and potentially data subjects) in the countries where there are relevant data subjects. In theory, the representative stands in the stead of the controller or processor for all local responsibilities — including the exercise of data subject rights, accountability…and facing the music when there is an infringement of the law.
This last point, concerning sanctions executed against the representative, is controversial. Recital 80 states that “the designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”, but there is no similar wording in Article 27. Regulators across Europe seem to have different opinions about this and no guidance has yet been issued from WP29, but in the meantime some member states have been including the liability of representatives in their own national laws that complement the GDPR.
In principle, the law will be more effective if sanctions can be imposed against a local entity. In practice, a representative may not have the substance to deal with sanctions and may not have much leverage over the actions of the non-EU operator. Furthermore, the potential liabilities might scare off entities that would otherwise do a good job as representatives — Facebook, in a legal case in the Netherlands, has already argued that it could not appoint a representative because no one was willing to take on the responsibility.[5]
There is also a ‘Catch-22’. The purpose of having an EU-based representative is to ensure that a non-EU operator with GDPR responsibilities does in fact comply with these. Even the non-appointment of a representative could, according to the GDPR, lead to a fine of 10 million Euros (or 2% of global revenue, if that is greater). However, if the non-EU entity decides to stay outside the law, it would simply not appoint a representative and not respond to any sanctions.
The role of representative must therefore be seen as only one of the building blocks of achieving effective enforcement against controllers and processors subject to Article 3.2.
The role of supervisory authorities (sometimes called ‘data protection authorities’ — the statutory regulators) in enforcement seems to have extra-territorial limitations. GDPR Article 55.1 states: “Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.” [My italics.] There is no provision that extends the powers of supervisory authorities beyond its own member state, except in the case of being a ‘lead supervisory authority’ or to participate in joint operations with other supervisory authorities — but these are only described in terms of member states (ie, within the EU).
There is therefore no clear mechanism for a European authority to directly enforce the provisions of the GDPR on a non-EU entity.
Indirect ‘enforcement’
Due to the lack of clear enforcement powers, authorities in Europe (or individuals wishing to pursue a judicial claim) would need to get ‘creative’ when acting against non-EU entities.
International cooperation agreements might be in place between EU authorities and administrative or judicial authorities in other countries to allow, for example, the collection of administrative fines or court awards, but for the time being this is the exception rather than the rule.
The best options are likely to be based on actions taken against individuals with a responsibility related to an infringing entity — if these individuals are in the EU — or by having an impact on the entity’s business activities in Europe.
The actions that could be taken against natural persons who represent entities depend on member state law in the EU, since there is no such action envisaged in the GDPR (unless the natural person is a representative of a non-EU entity, as defined by Article 27, which is a very specific condition). Member state laws can include such provisions. For example, the draft UK Data Protection Act (that will work alongside the GDPR) defines a number of offences related to personal data handling, and in these cases an individual director, manager or company secretary could become personally liable and be prosecuted. Theoretically, a director of a company accused of committing an offence could be arrested when landing at an airport to visit a country. However, these offences would seldom apply in the case of a controller or processor who is simply not complying with the GDPR.
Acting against a company’s business interests seems like a much more practical option. Apart from administrative fines, supervisory authorities have a number of other sanctions that they can apply.
For example, a supervisory authority can impose a temporary or permanent ban on personal data processing by an infringing party and can engage in judicial proceedings in order to enforce the regulation. Therefore, at least in theory, a supervisory authority could obtain a court injunction that would allow them to stop any local data processing from the non-EU entity — for example, by addressing any local business partners (that are indirectly using the processed personal data) and blocking the websites of the offending companies and partners.
Non-EU controllers and processors that process the personal data of people in the EU have to obtain this data by some method. Therefore, another possible route to the imposition of sanctions is to address the data collection methodology and the partners involved in this. Websites might be involved in this data collection, but it could be that devices are being directly interrogated by non-EU players. In both cases, it would theoretically be possible to block the associated internet connections via injunctions applied to internet service providers.
In practice, ‘enforcement’ is most likely to take place through the contractual relationship of business entities (perhaps stimulated by the impact of regulator action against partner business interests). This is discussed further below.
INDIRECT EXTRA-TERRITORIALITY
The GDPR is explicit, in its Article 3, about its extra-territorial intentions. Less obviously, its territorial reach is deliberately extended by other mechanisms in the regulation as well as extended in practice (intentionally or not) as a natural side-effect of the global processing of personal data.
International transfer controls
As with previous data protection legislation, the GDPR extends its territorial reach through the rules applied to transfers of personal data out of the EU.
The GDPR devotes a whole “chapter” to this subject (2,500 words, not including recitals), which indicates the complexity of the subject matter and the level of detail to be considered. In essence, if personal data is transferred out of the territory, it has to thereafter be treated under rules very similar to the GDPR.
Note: These international data transfer rules could also be interpreted to apply to the transfer of personal data that takes place under Article 3.2, when data is first collected by a non-EU controller and, presumably, leaves EU territory. However, this is unlikely to be the correct interpretation, if one follows similar logic to the Lindqvist case at the CJEU[6] — that the special regime of Chapter V of the GDPR, on international data transfers, would thus necessarily become a regime of general application, to all non-EU controllers and processors subject to Art 3.2. Also, by extension, any processing by non-EU operators collected from data subjects in the EU would then be covered, having a much broader impact than Art 3.2, which is limited to the conditions of “offering” and “monitoring”.
Furthermore, once the personal data is outside the EU, the GDPR still claims legal authority over it. The “general principle” of international transfers (Article 44) says that the rules on transfers also apply to “onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.”
This is taking extra-territoriality to a somewhat extreme position, based on “follow the data”. Several provisions have been worded to ensure their effectiveness even when the personal data are being processed outside EU territory.
Furthermore, the law is enforced based on fundamental principles, if there is any doubt. European courts have struck down international transfer arrangements that do not meet the goal of protecting the fundamental freedoms of data subjects — such as the decision that ended the Safe Harbor arrangement for transfers to the US. The ‘standard contractual clauses’ (see below) that are being used by Facebook for transfers out of Europe are also under legal challenge, due to be ruled on soon by the European Court of Justice.
Adequacy decisions
There are several permitted mechanisms to support international transfers. The first one listed in the GDPR is an “adequacy decision” — this applies when a ‘third country’ or territory, or sector within a third country, is judged by the EU Commission to provide an adequate level of protection. To reach the adequacy decision, the Commission has to take account of a number of factors — including the rules for the onward transfer of personal data to another country, so preserving the chain of data protection rules.
At present, ten (mainly small) countries are covered by unconditional adequacy decisions — although these are going through a review process in the light of the GDPR. Commercial organisations in Canada are also covered and the US is covered by a restricted version called the Privacy Shield.
Evidently, this does not ensure the replication to the letter of the GDPR in third countries that have received adequacy approval, but to most intents and purposes the effect is the same. Furthermore, the performance of these countries is under continuous review and, since the value for a country of permitting trouble-free transfers of personal data can be high, the countries are under a strong incentive to align with the GDPR.
Appropriate safeguards
The other permitted mechanisms for international transfers are described as “appropriate safeguards”. Even without these safeguards, certain exceptions are allowed: such as non-repetitive cases, when transfers are necessary for the performance of a contract, for important reasons of public interest or related to legal claims. The explicit consent of the data subject is also an allowable exception.
“Appropriate safeguards” take various forms. Without specific authorisation from a supervisory authority, it is allowable to use ‘standard data protection clauses’ that are adopted or approved by the EU Commission, approved codes of conduct or approved certification mechanisms. Specific bilateral contracts are also possible, but these have to be authorised by a supervisory authority. Within enterprise groups (eg, branches of the same company), ‘binding corporate rules’ can be established, but these have to be approved by the competent supervisory authority.
The net effect of these appropriate safeguards, in most cases, is to extend the application of the GDPR beyond EU boundaries via contract.
At the time of writing, GDPR-defined standard data protection clauses have not yet been published, but these will be an evolution of the ‘standard contractual clauses’ (or SCCs) that were established by the previous data protection law. These SCCs exist in two categories: one is for controller transfers to non-EU controllers and the other is for controller transfers to non-EU processors. The controller to controller transfer SCCs specifically bind the importing controller to follow the data protection law of the source EU country (if it is not going to a country that has received an adequacy decision). The controller to processor SCCs make the controller responsible for ensuring that the processor follows the source country law, but they include provisions to take action against the processor if the controller ceases to exist. The rules also apply to sub-processors.
The SCCs also give supervisory authorities, by contract, the power to conduct audits of importers and to order the suspension of all further data transfers in the absence of effective cooperation by the importer. Therefore, even though supervisory authorities do not have extra-territoriality powers under law, they obtain some powers through these contracts.
Binding corporate rules
‘Binding corporate rules’ are for business groups engaged in a joint economic activity (such as a parent company and its subsidiaries, or other business entities that are spread out internationally). These rules have to approved by a supervisory authority and need to be legally binding, making a controller or processor on EU territory liable for breaches by any member of the business group that is outside the EU.
The format of binding corporate rules can vary, but due to the number of elements that have to be included in order to meet approval, these can amount to almost a copy of the requirements specified in EU data protection law — that will now be the GDPR. Also, the WP29’s guidance on the subject suggests that any onward transfer from the business group to a non-EU processor would have to be dealt with as an international transfer.
Effectively, binding corporate rules make the GDPR applicable inside the group for processing of any personal data that was “processed at some point in the EU”.[7]
Controller-processor contracts
Under the 1995 Data Protection Directive, data processors (who work under the instructions of data controllers) had very few direct legal liabilities, as discussed earlier. The liability was held by the controller and adherence of the processor to the rules was meant to be assured via the contract between the controller and the processor.
The legal requirement to establish a contract between the controller and the processor exists also in the GDPR — in fact, the requirements have become much more specific. The controller is obliged to use only processors that can provide “sufficient guarantees” that their processing with meet the requirements of the regulation (which is more broadly drafted than the 1995 Directive). However, the stipulations that have to be in the contract do not commit the processor to follow the GDPR in general.
These contracts do not themselves make a non-EU processor subject to the GDPR. However, there is one clear extra-territorial aspect, new to the GDPR: the contract has to be a legal act under Union or Member State law. Also, it the processor is outside the EU, then the rules regarding international transfers would apply — that cover both the transfers between an EU operator and a non-EU processor, and between any processor outside the EU and a sub-processor.
Commercial contracts not specified by the GDPR
Going beyond the instruments that have been created by the GDPR to extend the reach of the law, commercial transactions will naturally extend the de facto extra-territoriality of the new regulation.
Any business that is subject to the GDPR will want to ensure that it is acting lawfully, including that its supply chain of personal data is lawful. It cannot afford to receive ‘tainted’ personal data — or even products and services that may have resulted from a GDPR-prohibited use of personal data for their creation. It also cannot afford to pass on personal data to a third party who then misuses this data.
Therefore, many businesses will put terms into their contracts with suppliers and customers that cover these risks — or at least their liability for them. For example, a business receiving personal data will seek contractual terms that guarantee all personal data has been obtained and processed lawfully (which, for a GDPR-compliant business will mean “lawfully” in terms of the GDPR). When passing on personal data to others, often this will be done on commercial terms that include a restriction to only process the data in compliance with the GDPR.
For example, Google has unilaterally put into place new terms of businesses with publishers, applying from 25th May 2018, that say:
If your agreement with Google incorporates this policy, or you otherwise use a Google product that incorporates this policy, you must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area. If you fail to comply with this policy, we may limit or suspend your use of the Google product and/or terminate your agreement.[8]
Effectively Google is enforcing compliance with the GDPR (while shifting the responsibility onto publishers to get permission for cookies and the use of personal data for advert personalisation).
As is usual, it is the more powerful party that imposes its rules on the smaller parties. Large European operations are likely to put GDPR rules in place that apply to, for example, their smaller US business partners, since they will become liable for any personal data use “in the context of” their own operations.
Multinational businesses
It is extremely difficult for any business that operates multi-nationally to separate its processing of personal data, trying to apply different rules and maintaining different databases depending on the jurisdictions that, apparently, should be considered. If the business has to do part of its processing subject to the GDPR, in practice it can be impossible to keep this within a separate operation.
The implementation of GDPR-compliance is complex and can fundamentally affect system design and operations. For example:
· The need to have full accountability of consent records, or other decisions related to lawful basis, implies version control and a new set of metadata on individual records, as well as a detailed log process with associated retrieval
· Provisioning for data portability and other information access rights can imply a restructure of storage and recall mechanisms
· Compliance with right to erasure requests, and data minimisation, requires full chain of information control, including of backups and archives
· Meeting 72-hour personal data breach reporting obligations demands streamlined internal reporting and analysis, possibly to be followed by public communications
Designing and operating separate GDPR and non-GDPR systems is likely to be too complicated to be cost-effective.
The problem is made worse due to the difficulty of defining what personal data is in scope of the GDPR and what is not. The legal determination of scope is not so simple — as highlighted by this article — and the GDPR definitions do not have a static relationship with data subjects. The data of someone in New York are not in scope but the next day, when the person is in London, they are. Data from one source may need to be dealt with under GDPR rules, but data from another source may not be under these obligations.
The reputational impact of NOT applying the GDPR
Customers might also not be happy to hear that they are being treated to a lower standard of personal data protection, with reduced rights, because they are not classified as being in the EU. Facebook already hit this issue, with its communications in April 2018. On April 3rd, Zuckerberg was reported as saying that GDPR privacy controls would be applied “in spirit” to the rest of the world, without guaranteeing equivalence. The next day, following negative publicity, the company corrected and said that GDPR privacy controls and settings would be available to all users, worldwide. However, the negative pressure mounted when it became clear that “privacy controls and settings” did not mean a GDPR-level of data protection worldwide, as Facebook created new terms of service for users from Africa and Asia and started to move their data out of Europe.
The Transatlantic Consumer Dialogue has already publicly written to Facebook[9]: “We write to you on behalf of leading consumer and privacy organizations, members of the Transatlantic Consumer Dialogue in the United States and Europe, to urge you to adopt the General Data Protection Regulation as a baseline standard for all Facebook services. There is simply no reason for your company to provide less than the best legal standards currently available to protect the privacy of Facebook users.”
Most multinational companies have kept their head down on this debate, while embarking on the work to make their operations and systems compatible with the GDPR.
As stated by Consumer Action[10], “U.S. consumers have no comprehensive data privacy protection. We rely on state and federal laws that offer limited protection.” There is talk, following the Facebook revelations, to put into place new federal laws on personal data, but meanwhile the GDPR is already here, and being applied.
Final words
The specific rules for the application of the GDPR to non-EU businesses are not very clear. However, the de facto application of the GDPR can happen for a number of reasons that are not so obvious: rules on the international transfer of data, inter-business contractional arrangements and the natural adoption by multinational businesses of the toughest regulations.
There is a further ‘sting in the tail’, almost within striking distance. The EU ePrivacy Regulation, that covers the transmission of data, is going through legislative processes and may be concluded by the end of 2018 (followed by a 12-month period to full implementation). The drafts of this regulation, that include application to any website that places a cookie, are very straightforward on the question of scope: it applies for any user in the EU, without any conditions or requirement of targeting. Territorial issues are easy to handle, since you can’t reach anyone in the EU via electronic communications without entering European territory.
If the GDPR doesn’t catch you, the ePrivacy Regulation probably will.
— — —
Footnote: Comments on Convention 108 at https://medium.com/@robert.madge/charlie-convention-108-is-of-course-the-father-of-european-data-protection-legislation-and-many-of-60b4229b4264
REFERENCES
[1] EU Commission: “A comprehensive approach on personal data protection in the European Union”, 4th November 2010, page 11. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52010DC0609&from=EN
[2] Case C-131/12, Google Spain, 13th May 2014. http://curia.europa.eu/juris/celex.jsf?celex=62012CJ0131&lang1=en&type=TXT&ancre=
[3] WP29 Opinion 8/2010 on applicable law (WP 179), 16th December 2010, page 32: http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp179_en.pdf
[4] “Why Research May No Longer Be the Same: About the Territorial Scope of the New Data Protection Regulation”, Els Kindt, 1st April 2016. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2768669
[5] Administrative Court of the Hague, 22nd November 2016. https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBDHA:2016:14088&
[6] Case C-101/01, Bodil Lindqvist, 6th November 2003. http://curia.europa.eu/juris/celex.jsf?celex=62001CJ0101&lang1=en&type=TXT&ancre=
[7] Article 29 Working Part, Working Document on Frequently Asked Questions (FAQs) related to Binding Corporate Rules, WP 155 rev.04, as last revised and adopted 8th April 2009, page 2. http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2008/wp155_rev04_en.pdf
[8] Google EU user consent policy. https://www.google.com/about/company/consentstaging.html
[9] http://tacd.org/tacd-calls-on-facebook-to-adopt-same-privacy-standards-for-all-consumers-and-give-details-on-how-to-congress/
[10] https://www.consumer-action.org/press/articles/data_insecurity_and_data_protection