The EDPB has at last released the final version of its guidance (available here) on the territorial scope of the GDPR ("Guidance") – almost a year to the day after the draft guidance was published. As this attempts to answer the key question for many organisations worldwide ("Does the GDPR apply to me or not, and if so, in its entirety?") we thought it prudent to update our blog from last year (available here). This blog will focus on the updates so should be read in conjunction with the previous one. (For those interested, an unofficial redline we have generated is available here).
We will not repeat ourselves here other than to remind readers of the two criteria for being caught by GDPR:
Article 3(1) (the "Establishment" criterion) provides that GDPR applies to processing "in the context of an establishment" of a controller or processor in the EU.
Article 3(2) (the "Targeting" criterion) provides that GDPR applies to non-EU controllers or processors in two situations (i) those that offer goods or services to individuals in the EU and (ii) those who monitor the behaviour of individuals in the EU.
Article 3(1) Establishment
We are a controller outside the EU and don't have any 'stable relationship' in the EU. However, we have one EU-based employee who processes our non-EU data – does that bring us within scope?
The Guidance helpfully confirms that it does not. The mere presence of an employee within the EU who processes data relating only to the activities of the controller outside the EU does not bring that controller within scope. Remember, however, that if that employee (even a single one) is processing data in the context of the activities of an establishment within the EU, that will likely be sufficient to meet the Establishment criterion.
Article 3(2) Targeting
My company is a processor based in the US with a controller customer also based in the US. The controller targets its services at individuals in the EU. Are we caught by Article 3(2) just because our customer is?
Unfortunately the answer is probably yes, and this is the most significant change in the final Guidance. The EDPB states that there must be a connection between the targeting activity and the processing activity; where such a connection exists, the processor also falls within scope.
The Guidance provides three examples, all of which find a connection between targeting and processing. They are so widely drawn that it is hard to imagine a scenario in which such a connection would not be found. In one, a US-based health app is aimed at the EU and uses a US-based cloud service provider for its data storage. The cloud provider is caught by GDPR because it carries out processing on behalf of the controller, which means its processing is related to the targeting of EU individuals.
The US processor can presumably still rely on the EDPB's earlier statement that only those provisions of the GDPR which apply to processors will apply to it.
My company is based outside the EU and only caught by the Targeting criterion: does GDPR apply to all of the non-EU data we process?
The EDPB helpfully confirms what we have long been advising clients: that Article 3 aims to determine whether a processing activity falls within the scope of GDPR, rather than whether a particular controller or processor does. It follows that some of a controller/processor's processing may be within GDPR, whereas the rest may not. This will be welcome to organisations established outside the EU with some customers inside the EU and who have split their data into an 'EU set' to which GDPR applies and a 'non-EU' set to which it does not.
What if we're outside the EU and caught by the Establishment criterion?
The Guidance updates an example to confirm that the same applies here. A Chinese e-commerce site based in China (where all the processing takes place) has a sales office in Germany. The activities of the sales office are considered inextricably linked to the processing, so the Chinese company falls within Article 3(1). However, only the processing activities related to the EU sales are subject to GDPR.
We are a non-EU company that only targets our services at non-EU individuals. Some of them may temporarily enter the EU – does that mean GDPR applies to those individuals?
Almost certainly not. As we set out last time, it depends on whether the targeting is intentional. The Guidance adds the further clarification that GDPR should not apply where the services only "inadvertently or incidentally" target individuals in the EU. Australian users of an Australian news service who go on holiday to Germany will not bring the news service within scope, as the service is not intentionally targeting individuals in the EU.
Any updates regarding us EU representatives? Are we still on the hook for the failures of our appointing controllers/processors?
Alas, possibly still, but it is not completely clear. The updated Guidance takes a slightly softer tone. The draft version stated that a supervisory authority could "initiate enforcement against a representative in the same way as against controllers or processors", whereas the final version uses the formulation "initiate enforcement proceedings through the representative" (our emphasis). The change from "against" to "through" suggests that the representative is something closer to an agent for service of proceedings, rather than a party that is directly liable (as "against" implied), but that is not certain. The stated role of the representative is to facilitate liaison with supervisory authorities and to ensure effective enforcement of the GDPR.
The EDPB then goes on to say that there is direct liability for those obligations which are expressly imposed upon the representative: namely, the obligation to keep records (Article 30) and the obligation to respond to information requests from the supervisory authority (Article 58(1)(a)).
Finally, the EDPB alludes to future guidance to clarify the interplay between the territorial scope of the GDPR and the rules on international data transfers. This opaque reference likely reflects one or more of the following:
still no Model Clauses to cover the scenario of a non-EU controller transferring data to an EU processor (and back);
the ongoing European court cases about the validity of Standard Contractual Clauses and Privacy Shield; and/or
the ICO's opinion that an organisation based outside the EU but subject to GDPR should not require any transfer mechanism to validate its receipt of EU data (as it is already protecting it in line with GDPR standards).
The last reason seems unlikely, as all UK examples were sadly removed from the Guidance thanks to the ongoing Brexit saga.