On November 23, the European Data Protection Board released guidelines for public comment (the “Guidelines”) on the territorial scope of the General Data Protection Regulation (“GDPR”). Specifically, the Guidelines address the applicability of GDPR Articles 3 and 27.
Article 3(1) – Establishment Criteria
GDPR Article 3(1) states that the GDPR “applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the [European Union], regardless of whether the processing takes place in the Union or not.” The meaning of the term “establishment” is addressed in GDPR Recital 22, and the Court of Justice of the European Union (CJEU) interpreted the meaning of this term in the context of the GDPR’s predecessor, the Data Protection Directive in cases such as Google Spain SL, Google Inc. v AEPD, Mario Costeja González (C-131/12) and Weltimmo v NAIH (C- 230/14). The Guidelines reaffirm the application of these interpretations to the GDPR.
The Guidelines further state that entities concerned with whether they need to comply with the GDPR should also consider whether the processing of personal data is carried out “in the context of the activities” of an establishment. According to the Guidelines, it is possible that some “commercial activity led by a non-EU entity within a Member State may indeed be so far removed from the processing of personal data by this entity that the existence of the commercial activity in the EU would not be sufficient to bring that data within the scope of EU data protection law.” This interpretation is helpful to many companies that have struggled to determine GDPR applicability in view of certain limited activities conducted in the EU.
Article 3(2) – Targeting Criteria
GDPR Article 3(2) states that the GDPR applies to entities without an establishment “where the processing activities are related to: (a) the offering of goods or services, irrespective of whether payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
Offering Goods or Services
Criteria for determining when an entity is “offering goods or services” are addressed in GDPR Recital 23. Further, the CJEU in Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller (Joined cases C-585/08 and C-144/09) addressed a similar phrase in the context of a separate regulation. The Guidelines reaffirm that the CJEU’s analysis in Pammer is helpful in interpreting the GDPR.
Circumstances under which an entity can be said to be monitoring the behavior of data subjects have been a far greater mystery and have not been the subject of interpretation by the CJEU. However, the EDPB states that, while not clear from the face of the text of Article 3(2) or the GDPR’s recitals, it reads into the GDPR an element of intent with respect to behavior monitoring. The Guidelines state that “the use of the word ‘monitoring’ implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU.” Offering useful guidance on this potentially difficult issue, the EDPB goes on to state that the “EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as ‘monitoring.’ It will be necessary to consider the controller’s purpose for the processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data.”
The Guidelines also provide some discussion of instances in which an entity may be subject to the GDPR under Article 3(3) by virtue of the application of public international law (such as a consulate or embassy) and information on the appointment of EU representatives for entities subject to the GDPR under Article 3(2).
While the Guidelines’ analysis of the GDPR’s territorial scope under Article 3(1) (establishments in the EU) and 3(2)(a) (entities offering goods or services), provides little new information, primarily reaffirming the applicability of CJEU caselaw, its input on the application of Article 3(2)(b) (behavior monitoring) is significant. Understanding that monitoring requires an intent element is likely to assist businesses who operate websites and may engage in passive monitoring of visitors to determine whether the GDPR applies to them.