Published originally by the Journal of Commerce in December 2018
When the General Data Protection Regulations (“GDPR”) took effect on May 25, 2018, American companies found themselves in a quandary. The language of the regulations was sufficiently broad to initially conclude that even if a company had no presence or operation in Europe, it would be required to comply. As a reminder, the EU member countries are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and United Kingdom. Iceland, Lichtenstein, and Norway are also impacted by way of their domestic laws which adopted the GDPR principles. These countries are together referred to as the European Economic Area or EEA.
GDPR Article 3.2(1) addresses processing personal data by those operating with the EEA. Article 3.2(2) added the processing was to be related to the offering of goods or services, irrespective of whether a payment is required, or the monitoring of the behaviour of those within the EEA. This language led to questions such as was a company subject to the GDPR if it published a website which could be accessed by residents in an EEA country? What kind of activity was needed to constitute the offering of goods or services? What constituted monitoring?
The Information Commissioner’s Office (“ICO”) directly addressed the website question when it admonished The Washington Post about its cookie policies in response to a complaint. The ICO is: “[t]he UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” The Register, a UK publication, broke the story on November 19, 2018. The Washington Post offers articles on its website. The options are to receive a limited number of them for free, pay $6 per month for unlimited articles or pay $9 per month and turn off tracking and cookies. The ICO found the website did not comply with the GDPR because there was no free of charge option to refuse to accept cookies or tracking. At the same time, the ICO acknowledged the difficulty of doing anything more. It is quoted by The Register as saying “[w]e hope that the Washington Post will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter.”
Additional clarification now comes from the European Data Protection Board (“EDPB”) through its “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (the “Guidelines”), see https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf for the full publication. There are a number of fact patterns presented as a way to illustrate the conclusions of the EDPB: “an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities.”
There is little doubt about GDPR’s application if a company operates in the EEA and processes personal data within the territory. If the company is in the EEA and the processing occurs outside the EEA, the company continues to be required to comply and is expected to take steps to make sure its data processor meets the GDPR requirements. Similarly, if the company which controls the data is outside the EEA, but the data is processed within the EEA, the data processor must comply with the GDPR, even if the company is not subject to its requirements. It was also clear from the outset the GDPR applies to anyone who is within the EEA, even if a resident elsewhere, and does not apply if an EEA resident is outside the territory. What the guidance did was reinforce those points and clarify a few others.
The EEA’s broad definition of personal data is found at Article 4(1) and defines personal data as “any information relating to an identified or identifiable natural person” and includes name, identification number, location data, online identifier or to one or more “factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Again by way of a reminder, a data controller is the party which determines the purposes and means of the processing of the personal data. The data processor is the party that actually conducts the processing on behalf of the data controller. Where things get more complicated is when goods and services are offered by a company outside the EEA. The EDPB makes clear that offering a website alone does not equate to having a presence in the EEA. On the other hand, having one agent or employee in an EEA country may be sufficient to make the company subject to the GDPR. At the same time, just because a company has a presence in an EEA country does not mean the GDPR applies to its activities. In short, as is often the case, this all comes down to the facts and circumstances. The recommended thought process is first determine whether personal data is being processed. Then identify links between the activity for which the data is being processed and the activities of the organization. If such a link exists, then look even further. One example provided reads as follows: “A hotel and resort chain in South Africa offers package deals through its website, available in English, German, French and Spanish. The company does not have [a presence] in the [EEA]. In this case, in the absence of any [presence] within the territory… , it appears that no entity linked to this data controller in South Africa can qualify as an [operation] in the [EEA] within the meaning of the GDPR. Therefore the processing at stake cannot be subject to the provisions of the GDPR…”
Coming out the other way: “A start-up established in the USA, without any business presence … in the [EEA], provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app… once they start using [it] in the city they visit, in order to offer targeted advertisement for places to visit, restaurants, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, London, Paris and Rome. The US start-up, via its city mapping application, is offering services to individuals in the [EEA] .. The processing of the [EEA]-located data subjects’ personal data in connection with the offering of the service falls within the scope of the GDPR …”
Another relevant illustration: “A U.S. citizen is travelling through Europe during his holidays. While in Europe, he downloads and uses a news app that is offered by a U.S. company. The app is exclusively directed at the U.S. market. The collection of the U.S. tourist’s personal data via the app by the U.S. company is not subject to the GDPR.”
These seemingly contradictory outcomes are easily reconciled by the Guidelines. First, one needs to figure out if the company is offering any goods or services directed to EEA residents, whether or not a payment is made for those services. If not, the GDPR does not apply. If yes, then the relevant criteria to making the determination (which should be considered together) include
- The [EEA] or at least one State is designated by name with reference to the good or service offered;
- The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the [EEA]; or the controller or processor has launched marketing and advertisement campaigns directed at an [EEA] country audience.
- The international nature of the activity at issue, such as certain tourist activities;
- The mention of dedicated addresses or phone numbers to be reached from an [EEA] country;
- The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
- The description of travel instructions from one or more other [EEA] States to the place where the service is provided;
- The mention of an international clientele composed of customers domiciled in various [EEA] States, in particular by presentation of accounts written by such customers;
- The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more [EEA] States;
- The data controller offers the delivery of goods in [EEA] States.
Illustrating two more possible outcomes are additional examples. In the first, the GDPR applies: “[a] website, based and managed in Turkey, offers services for the creation, edition, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros or Sterling. The website indicates that photo albums can only be delivered by post mail in the UK, France, Benelux countries and Germany. In this case, it is clear that the creation, editing and printing of personalised family photo albums constitute a service within the meaning of [EEA] law. The fact that the website is available in four languages of the [EEA] and that photo albums can be delivered by post in six [EEA] States demonstrates that there is an intention on the part of the Turkish website to offer its services to individuals in the [EEA]. As a consequence, it is clear that the processing carried out by the Turkish website, as a data controller, relates to the offering of a service to data subjects in the [EEA] and is therefore subject to the obligations and provisions of the GDPR …”
The opposite result derives from these facts: “A private company based in Monaco processes personal data of its employees for the purposes of salary payment. A large number of the company’s employees are French and Italian residents. In this case, while the processing carried out by the company relates to data subjects in France and Italy, it does not takes place in the context of an offer of goods or services. Indeed human resources management, including salary payment by a third-country company, cannot be considered as an offer of service … The processing at stake does not relate to the offer of goods or services to data subjects in the [EEA] (nor to the monitoring of behaviour) and, as a consequence, is not subject to the provisions of the GDPR …”