The European Data Protection Board (the “EDPB”) has issued draft guidelines on the territorial scope of the GDPR under Article 3 (the “Guidelines”), providing a long-awaited view from the EU Supervisory Authorities on how the legislation applies to organisations and activities outside of the EU. While noting that the GDPR should not be interpreted so broadly as to capture “far removed” processing activities of entities outside of the EU, the draft Guidelines suggest that EU data protection authorities intend to continue and build upon the “anti-avoidance” theme which started with earlier case law.
There are two possible mechanisms of application: establishment or targeting. Notably in relation to “establishment”, the Guidelines recommend that non-EU organisations assess their personal data processing activities, to identify potential “inextricable links” with the activities of any presence of the organisation in the EU, e.g. branch, office or subsidiary.
The Guidelines are not in final form and have been released for public consultation, which closes on 18 January 2019.
Why are the Guidelines needed?
One of the most significant changes brought in by the GDPR is that it explicitly extends EU data protection rules and rights beyond the territory of the EU in some circumstances. This is to ensure comprehensive protection of EU individuals’ rights and to create a level playing field for companies active in the EU market. Despite compliance with the GDPR having been mandatory since May 2018, this is the first official guidance released on what the “long arm” application of this Regulation will look like in practice.
The Guidelines consider two grounds on which the GDPR can apply to personal data handling activities outside of the EU: establishment and targeting. This applies equally to organisations acting as controller or processor.
Organisations with an “establishment” in the EU
The GDPR can apply where there is an “establishment” in the region, provided that the organisation processes personal data “in the context of the activities” of that EU establishment. These criteria have been considered by the European courts in a number of high-profile cases, including Google Spain.
What is an “establishment”?
The Guidelines note that previous case law remains relevant to the interpretation of the GDPR, and that an entity does not need to be incorporated in the EU in order to have an “establishment” there. An organisation must have “stable arrangements” in the EU in order to be considered established, but the legal form of such arrangement is not decisive. Maintaining a branch office or subsidiary company within the EU would clearly indicate the existence of stable arrangements; however, the Guidelines (reflecting existing case law, such as Weltimmo) confirm that the bar is set much lower than this, and that having even one employee or agent within the region may be sufficient. The Guidelines explicitly note that a processor in the EU should not be considered an establishment of a controller simply because of its role as a processor. Once there is an EU establishment of some kind, then the next consideration becomes relevant.
Are personal data being processed “in the context of the activities” of an establishment?
At present, this is the most challenging of the “extra-territorial” considerations, as its potential scope is very wide. The Guidelines state that the GDPR will extend to processing being conducted outside of the EU, if “there is an inextricable link between the activities of an EU establishment and the processing of data carried out by a non-EU controller” (emphasis added), which was also a key consideration in the Google Spain case before the CJEU. It should also be noted that under the GDPR, the EU establishment need not be carrying out the processing itself, nor does the processing have to take place in the EU.
The EDPB recommends that non-EU organisations undertake an assessment of their processing activities, paying regard to identifying potential links between the activity for which the personal data are being processed and the activities of any presence of the organisation in the EU. The Guidelines state that “if such a link is identified, the nature of this link will be key in determining whether the GDPR applies to the processing in question”. The Guidelines emphasise that, while each situation must be considered on a case-by-case basis, the law cannot be interpreted restrictively, and the following factors may tend to indicate that this condition is fulfilled:
- Where there is an inextricable link between the activities of an EU establishment and the processing of data carried out by a non-EU controller, EU law will apply to the processing of personal data by the non-EU organisation even if the EU establishment does not play a role in that processing.
- The EU establishment raises revenue from activities that are inextricably linked to the processing of personal data taking place outside of the EU.
“Targeting” individuals in the EU
Organisations that do not have an “establishment” within the EU may still be subject to the GDPR if they offer goods or services to individuals in the jurisdiction, or monitor their behaviour (Article 3(2) GDPR). These bases explicitly provide for extra-territorial effect of the GDPR. The Guidelines emphasise that an individual’s nationality or legal status is not relevant to this analysis; what is necessary for either ground to apply is that there is some element of “targeting” of individuals in the region. This can take two main forms: (a) offering of goods or services or (b) monitoring behaviour. If either situation applies, so will the GDPR and there may also be an obligation to designate a representative in the EU under Article 27. (The Guidelines also offer clarification on the designation of representatives and their responsibilities).
Offering goods and services to data subjects located in the EU
To determine whether there is an offer of goods and services to individuals in the EU, the Guidelines note that the conduct of an organisation will be relevant, particularly if that conduct demonstrates an intention to offer goods and services. The Guidelines reference case law of the European courts brought under the Brussels I Regulation and note that the following factors may be relevant to determining whether there has been an offer:
- paying a search engine operator to facilitate access to its site by individuals in the EU;
- the nature of the activity at issue, such as if it relates to tourist activities;
- the mention of dedicated addresses or phone numbers to be reached from an EU Member State;
- the use of top-level domains relating to an EU Member State;
- offering delivery of goods to EU Member States.
Monitoring the behaviour of individuals in the EU
The Guidelines note that in order for the monitoring ground to apply, the GDPR does not require that there is an intention to target individuals in the EU. Even so, the Guidelines state, the collection and analysis of personal data of individuals in the EU will not automatically amount to monitoring; it will be necessary to determine whether the processing involves monitoring of a data subject and in particular any subsequent analysis or profiling that will take place. A wide range of activities could therefore fall within the monitoring ground, including:
- behavioural advertising;
- geo-location activities, particularly where related to marketing;
- market surveys based on individual profiles.
The draft Guidelines contain a mixture of good and bad news for organisations. Further clarity would be welcome in a number of areas, including the implications for intra-group arrangements, when the deployment of cookies amounts to “monitoring” and what the practical consequences could be for processors. The Guidelines are likely to be of most interest to organisations with some form of establishment in the EU, which may wish to consider more closely (and in combination with other factors, such as revenues) the full extent to which the GDPR may apply to elements of the business that were previously considered out of scope. It is to be hoped that – once finalised – the Guidelines will provide greater certainty for businesses. We have seen some significant revisions made to draft EDPB guidance on its final release, so it will be interesting to see the extent of changes in the final text.
 - Google Spain SL, Google Inc. v AEPD, Mario Costeja Gonzalez (C-131/12)
 - Weltimmo v NAIH (C-230/14)