
A Brief Overview of the EDPB’s Provisional Guidelines on Art. 3 of the GDPR

On November 16, 2018, the European Data Protection Board (“EDPB”) adopted Guidelines 3/2018 on the territorial scope of the GDPR, soliciting public consultation through January 18, 2019. The Guidelines are not final, but they already provide key guidance on the jurisdictional reach of the GDPR, a critical question for many entities.

Article 3 of the GDPR sets out the criteria used to determine who is impacted by, and required to comply with, the GDPR. Article 3 has garnered a lot of attention, especially from entities not established within the European Union, because it shifts significantly from Article 4 of Directive 95/46/EC (the GDPR’s precursor) and provides a more encompassing jurisdictional reach, impacting more international entities regardless of any physical presence within the EU.

The Guidelines break Article 3 into two main criteria for determining whether the GDPR applies: “the ‘establishment’ criterion, as per Article 3(1), and the ‘targeting’ criterion as per Article 3(2).” See Guidelines, at 3.

Under the “establishment” criterion, the EDPB provides a three-consideration approach to determining if an entity falls under Article 3(1):

1. Determining whether an entity is “established” within the Union. The first step is to identify who is the controller or processor for a given processing activity, as this will directly influence whether the entity will be considered “established” in the EU for the purposes of the GDPR. Further, the EDPB drew on prior Court of Justice of the European Union (“CJEU”) case law for guidance on whether an entity is “established,” stating that “both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be considered in the light of the specific nature of the economic activities and the provision of services concerned.” See Guidelines, at 5. Whether a non-EU entity has an actual physical presence within the EU is not determinative of whether it would be considered “established” for the purposes of the GDPR.

2. Determining whether the processing is carried out in the context of the activities of the establishment. The second step is to assess whether personal data is processed and to identify “any potential links between the activity for which the data is being processed and the activities of any presence of the organisation in the Union” (i.e., the establishment). See Guidelines, at 7. The EDPB acknowledged that there may be some activities “so far removed from the processing of personal data” that they would not be sufficient to bring that processing under the purview of the GDPR. Id., at 6.

3. Determining whether the processing takes place within the Union or not. The EDPB makes clear that whether the processing occurs in the EU or outside of it is irrelevant to the application of Article 3(1). The trigger is processing that “takes place in the context of the activities of” an establishment within the Union. See Guidelines, at 8.

Further, the EDPB makes clear that Article 3(1) can apply to both controllers and processors. As such, even if a controller not impacted by Article 3(1) engages a processor who is impacted by Article 3(1), the processor would still need to comply with the GDPR in the processing of that personal data, even though the controller would not. “The existence of a relationship between a controller and a processor does not necessarily trigger the application of the GDPR to both, should one of these two entities not be established in the Union.” See Guidelines, at 9.

As such, the analysis of whether an entity is impacted by the GDPR is not drawn solely from the personal data being processed: the GDPR could apply, by virtue of a processor “established” within the EU, even to personal data that was not originally GDPR-impacted. However, the GDPR obligations will not necessarily “flow upstream” back to the controller: the processor may be liable under the GDPR while the controller may never be obligated to follow its requirements. See Guidelines, at 10, 11.

Further, as it relates to Article 3(1), the EDPB makes it abundantly clear that the nationality of the data subject is irrelevant:

any personal data processing in the context of the activities of an establishment of a controller or processor in the Union would fall under the scope of the GDPR, regardless of the location or the nationality of the data subject whose personal data are being processed.

See Guidelines, at 9. While Recital 14 alluded to this position, this clarification will be helpful for companies attempting to categorize data as either GDPR-impacted or not.

Turning to the second criterion, the “targeting” criterion, the EDPB states that the focus is on “what the ‘processing activities’ are ‘related to’”. See Guidelines, at 11. This is further broken down into a two-part approach:

1. Data Subjects in the Union. Again, the EDPB reiterates that the GDPR is meant to be all-encompassing and not limited by the citizenship, residence or any other legal status of the data subject. The trigger is a data subject’s location within the EU at the time the activity takes place. Further, there must be some element of “targeting” data subjects within the EU. This targeting requirement may be significant for many non-EU entities and should be carefully assessed, as the EDPB makes it clear that the processing of EU citizens’ or residents’ personal data alone is not sufficient to trigger GDPR requirements:

it should be noted that the processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, as long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behaviour in the Union.

See Guidelines, at 14.

2. Offering of Goods or Services, irrespective of payment. The key determination is “whether the conduct on the part of the controller or processor demonstrates its intention to offer goods or services to a data subject located in the Union.” See Guidelines, at 15. Some connection, either direct or indirect, needs to exist between the processing activity and the offering of a good or service in order to trigger Article 3(2). The EDPB goes on to list a number of factors to be taken into consideration when making this determination.

Turning to the Article 3(2) monitoring of the behaviour of a data subject, the EDPB outlines the trigger as follows:

the behaviour monitored must first relate to a data subject in the Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the Union.

See Guidelines, at 17. The Guidelines clarify that online collection of personal data and any subsequent analysis do not, by themselves, necessarily trigger the “monitoring” jurisdictional requirement. Instead, it is a fact-based analysis, with the EDPB listing a number of activities that could be considered “monitoring behaviour.”

Finally, the EDPB provides guidance on the designation of a representative for controllers or processors not established in the Union under Article 27. The Guidelines make it clear that a DPO (Data Protection Officer) should not be designated as a representative because of the “possible conflict of obligation and interests” inherent in the two separate and distinct roles. See Guidelines, at 21.

Overall, while these Guidelines are not in final form, they do provide great insight into the approach the EDPB is taking and the jurisdictional impact of the GDPR. The Guidelines also reiterate the expansive and all-encompassing nature of this Regulation. Companies need to reassess the impact of the GDPR on their organisations in light of this new guidance on the jurisdictional reach of the Regulation, and determine whether these Guidelines foreshadow a risk of non-compliance under the GDPR. For in privacy and security, luck favors the prepared!

*****

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.