When the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, it will bring with it numerous changes to the data protection landscape in the EU.
One particular feature of the GDPR is that it has a tremendously broad extra-territorial applicability and will therefore apply to many organisations based outside of the EU as well as those in the EU. The territorial scope of the Regulation is expanded by Article 3(2), which contains a two-limb test:
Article 3: Territorial Scope
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
  - The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  - The monitoring of their behaviour as far as their behaviour takes place within the Union.
The GDPR therefore applies to anyone, regardless of where they are based, who offers goods and services to people in the EU or monitors the behaviour of people in the EU.
In relation to the first limb, whether or not a non-EU organisation is deemed to be offering goods or services to data subjects in the EU will depend on a number of factors. However, it is important to note that a fee does not have to be charged for the goods or services in question for the extended scope to apply.
Recital 23 of the GDPR provides some helpful clarification as to what will be considered when assessing whether or not goods or services are being offered to people in the EU. Specifically, it states that merely having a website that is accessible in the EU would be insufficient.
However, “…factors such as the use of a language or currency generally used in one or more Member States with the possibility of ordering goods or services in that… language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
In relation to the second limb of the test, monitoring of behaviour, Recital 24 states that “in order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet…”. It specifically refers to “…profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes”.
Businesses that are located outside the EU and fall within the scope of the Regulation will be obliged to appoint a representative established within the EU to act as a point of contact for the relevant supervisory authority (for example, the Information Commissioner's Office in the UK) on behalf of the data controller or processor.
However, this is not the case in all circumstances. Where the processing is occasional, does not contain sensitive personal data and is unlikely to result in a risk to the rights and freedoms of the data subjects, a representative will not be required. Nevertheless, where a representative is necessary, they are to be established in the Member State in which the data subjects whose data is being processed are located.
The increased territorial scope of the Regulation probably comes as little surprise following the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos and Mario Costeja González¹.
This case concerned an individual who was seeking the removal of links to an outdated news article from the Google search engine. However, the main question in this case was whether the Data Protection Directive was applicable to Google Inc., the American parent company of Google Spain. The Court of Justice of the European Union (CJEU) found that, despite Google Inc.’s processing activities taking place outside of Europe, as Google Inc.’s predominant source of revenue is advertising and Google Spain sold advertising space within the country, there was an “inextricable link” between the two.
As a result, it was determined that Google Inc. was a data controller in relation to its search results and that, regardless of where the data is processed, if it relates to EU citizens it will fall within the scope of the EU data protection regime.
The Google case was decided under the previous law. However, the finding made by the CJEU will also extend post-GDPR. It therefore follows that even where a non-European entity does not fall within one of the two limbs of Article 3, it may still be brought within the GDPR regime where its business can be said to be inextricably linked with an entity in the EU.
Of course, regardless of whether the GDPR applies to a non-EU entity, whether by virtue of Article 3 or because of an inextricable link as in Google, it is always necessary to review the safeguards in place where data is transferred between the EU and other non-EU or “third countries”. If, for example, data is to be transferred to a US organisation that is not a member of the US Privacy Shield regime, this could mean carrying out a costly audit of the current provisions and subsequently imposing safeguards where necessary. It is also likely that data privacy will become an increasingly common area for consumer concern and, consequently, customers will expect a high level of protection around data privacy as the norm.
¹ Case 131/12, ECR I-000, nyr.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.