The European Data Protection Board (“EDPB”)—a working group of representatives of the EU data protection authorities—has issued Guidelines on the territorial scope of the EU General Data Protection Regulation (“GDPR”), which are open for comment until 18 January 2019. The Guidelines clarify one of the main areas of concern for non-EU companies: when will GDPR reach them?
There are five key takeaways from the Guidelines:
Processing in the context of an EU establishment. Data processing “inextricably linked” to an EU establishment is covered by the GDPR no matter where it takes place, and even if the EU establishment is not directly involved in the data processing. (An “establishment” for these purposes means any type of consistent physical presence in the EU, including an affiliated company, branch office, etc.) For example, the EDPB suggests that if an EU-headquartered pharmaceutical company processes clinical trial-related personal data at its branch outside the EU, that data will be protected by the GDPR because the processing is inextricably linked to the activities of the EU headquarters.
Use of an EU-based data processor. Non-EU companies do not become subject to the GDPR solely because they outsource data processing to an EU-based service provider. EU-based processors, however, will be subject to the GDPR when processing that data. This may cause difficulties for EU-based processors: for example, where the non-EU controller, not itself subject to the GDPR, collected the personal data in a manner that would not comply with the GDPR. EU-based processors may consider seeking contractual assurances from such data controllers to cover this risk.
Working with an EU-based data controller. A non-EU-based service provider does not become subject to the GDPR solely because it processes personal data for a GDPR-covered data controller. That said, the Guidelines suggest that the GDPR-covered data controller may still need to contractually obligate the data processor to comply with the GDPR in connection with processing personal data transferred to it by the GDPR-covered controller. Consequently, non-EU-based data processors may find themselves contractually obliged to comply with the GDPR when working for a GDPR-covered business even if the GDPR would not apply to them directly.
Targeting individuals in the EU. A non-EU-based business does not become subject to the GDPR solely because it provides goods or services to an individual who happens to be located in the EU. Some intentional directing or targeting of goods or services towards EU-based individuals is required. For example, a US resident downloading and using a US news app marketed exclusively in the US whilst she is traveling in the EU does not bring the app provider within GDPR’s scope.
Monitoring individuals in the EU. The Guidelines suggest that non-EU-based companies that monitor the behaviour of individuals in the EU are subject to the GDPR only where such monitoring is purposeful rather than inadvertent. The EDPB emphasises the purpose for which the monitoring is done, for example where it enables behavioural analysis or profiling. Based on that emphasis, it could be argued that the GDPR would not apply to non-EU-based companies that “inadvertently” track EU-based individuals through website cookies, provided that the information is not used for the purposes the EDPB singles out, such as profiling and behavioural analysis. The Guidelines also say that “monitoring” is not limited to “track[ing] on the internet”, as some had read the GDPR’s Recitals to suggest.
Debevoise advises EU and non-EU businesses on all areas of GDPR compliance. We would be pleased to discuss these issues with you as well as opportunities to provide comments to the EDPB.