On May 25, 2018 the existing European Union Data Protection Directive (95/46/EC) will be replaced by the General Data Protection Regulation (“GDPR”). The new GDPR will apply not only to businesses established within the European Union but also to businesses outside the EU that process the personal data of persons within the EU. The latter application significantly extends the potential ambit of EU data protection law.
How will it apply? The territorial jurisdiction of the GDPR is set out in Article 3.
Article 3(1) – Establishments within the EU
This applies to the activities of establishments located within the EU and as such effectively continues where the earlier Directive left off.
Article 3(1) states:
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
It might be noted in passing that the words “…in the Union” could (at least in English) be read as applying to the location of the activities as well as to the location of the establishment itself.
Unlike the earlier Directive, this Article applies to establishments that are data controllers or data processors.
Any presence within the EU risks being treated as an establishment for the purposes of this Article. In an earlier case[1], the presence of a single representative was considered an establishment.
It should also be noted that the application of Article 3(1) is not affected if the actual processing of data takes place outside the EU.
Article 3(2) – Establishments outside the EU
This Article potentially applies the GDPR to establishments outside the EU that process personal data of persons within the EU.
Article 3(2) states:
“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.”
This Article applies to the processing of the personal data of data subjects who are within the EU. Note that in the absence of qualification (e.g. by reference to citizenship or residence) this could extend to any data subjects within the EU including tourists or temporary visitors.
What is offering goods and services?
The GDPR offers some guidance in its Recital (i.e. preamble paragraph) 23, which states that whilst the mere accessibility of a website or of other contact details is insufficient to ascertain an intention to offer goods or services to data subjects in the EU:
“… factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
A non-EU party with a website with content apparently directed at consumers within the EU may thus be considered as being within the scope of the GDPR.
What is the monitoring of the behaviour of data subjects?
The GDPR offers some guidance in its Recital 24 which states that in order to determine whether a processing activity can be considered as monitoring the behaviour of data subjects, it should be ascertained:
“… whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
Potentially the GDPR could have a very wide application outside the EU. Any non-EU establishment that processes the personal data of persons who are in the EU, even persons present only on a temporary basis, may be subject to the GDPR. Establishments in this situation should be alert to this risk and should consider whether their activities could be regarded as offering goods or services to, or monitoring the behaviour of, data subjects in the EU as set out in the GDPR.
[1] Weltimmo, Case C-230/14