Why Europe’s Privacy Laws Apply To Your US Business: The Territorial Reach Of The GDPR
Your business, like many others, may have customers or employees outside of the United States. If those customers or employees are European, or if you target Europeans for advertising purposes, you may be obligated to follow the EU's data privacy law (the General Data Protection Regulation, or "GDPR").
Whether, and to what extent, the GDPR applies to American businesses can be a difficult question to resolve.
In November 2019, the European Data Protection Board (the "EDPB," the EU body in charge of the consistent application of the GDPR) adopted the third and final iteration of its "Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)" after extensive public consultation (the "Guidelines"). The Guidelines interpret GDPR Article 3, the legal text governing the GDPR's territorial scope, and are intended to offer "clarity" and "to ensure a consistent application of the GDPR when assessing whether particular processing by a controller or a processor falls within the scope of the new EU legal framework." The Guidelines acknowledge that "a common interpretation is also essential for controllers and processors, both within and outside the EU, so that they may assess whether they need to comply with the GDPR for a given processing activity."
The territorial scope of the Regulation is defined on the basis of two independent criteria: the "establishment" criterion (GDPR Article 3(1)), and the "targeting" criterion (Article 3(2)). The Guidelines assert as a general principle "that where the processing of personal data falls within the territorial scope of the GDPR, all provisions of the Regulation apply to such processing." They further advise that "[i]t is therefore essential that controllers and processors, especially those offering goods and services at international level, undertake a careful and in concreto assessment of their processing activities, in order to determine whether the related processing of personal data falls under the scope of the GDPR."
One significant development in the final version of the Guidelines compared to their earlier iterations is the emphasis that "the application of Article 3 aims at determining whether a particular processing activity, rather than a person (legal or natural), falls within the scope of the GDPR. Consequently, certain processing of personal data by a controller or processor might fall within the scope of the Regulation, while other processing of personal data by that same controller or processor might not, depending on the processing activity." In other words, the fact that a US company does some business in the EU does not bring all of that company's processing under EU rules; only the specific processing activities that fall within Article 3 are subject to the GDPR.
What then are the two methods of determining the GDPR's territorial scope?
Criterion One: "Establishment" in the EU
You may assume that if you do not have offices or employees working in the EU then there is no way your company is "established" in the EU or otherwise subject to the GDPR's rules. Make this assumption at your peril, as the GDPR is – for better or worse – much more complicated than that.
Article 3(1) of the GDPR provides that the "Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not." The Guidelines assert that "Article 3(1) ensures that the GDPR applies to the processing by a controller or processor carried out in the context of the activities of an establishment of that controller or processor in the Union, regardless of the actual place of the processing."
Before considering what is meant by "an establishment in the Union," it is first necessary to identify who is the controller or processor for a given processing activity. Whether an entity is a controller or a processor for that activity is a fact-intensive determination, and each role carries its own legal obligations. See, e.g., Example 3 from the UK ICO's guidance: "How do you determine whether you are a controller or processor?"
GDPR Recital 22 states that an "[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect." See also Google Spain SL, Google Inc. v AEPD, Mario Costeja González (C-131/12) (holding that the absence of an office or subsidiary is not determinative of "establishment"), Weltimmo v NAIH (C-230/14), Verein für Konsumenteninformation v Amazon EU (C-191/15) and Wirtschaftsakademie Schleswig-Holstein (C-210/16).
The Guidelines advise that even a minimal but stable presence in the EU (for example, a single employee or agent acting with a sufficient degree of stability) can amount to an "establishment," and that "revenue-raising" activities within the EU can bring a non-EU company's processing within Article 3(1) where that processing is carried out "in the context of the activities" of the EU establishment, i.e., where the two are inextricably linked.
Criterion Two: "Targeting" in the EU
The Guidelines note that "[t]he absence of an establishment in the Union does not necessarily mean that processing activities by a data controller or processor established in a third country will be excluded from the scope of the GDPR." GDPR Article 3(2) sets out the circumstances in which the GDPR applies to a controller or processor not established in the Union, depending on their processing activities.
Specifically, Article 3(2) of the GDPR provides that:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
In determining whether the targeting criterion applies, the Guidelines recommend a twofold approach: first, determine whether the processing relates to personal data of data subjects who are in the Union; second, determine whether the processing relates to the offering of goods or services to those data subjects or to the monitoring of their behaviour within the Union. Note that Article 3(2) turns on the data subject's physical presence in the Union at the time the goods or services are offered or the behaviour is monitored, not on EU residence or citizenship.
The Guidelines offer examples. An Australian news application that is aimed at the Australian market is not "targeting" the EU merely because Australian users continue to use it while on vacation in Europe, despite the application being available there. On the other hand, a US start-up's city-mapping application for tourists that covers several European cities alongside US cities is offering a service to individuals in the Union under Article 3(2)(a), and, because it uses location data to serve targeted advertising, it is also monitoring their behaviour under Article 3(2)(b); either ground is enough to trigger the GDPR's requirements.
The Guidelines make clear that when US companies target individuals who are in the EU, they may well be subject to the GDPR.
Any American company that raises revenue in the EU, that maintains stable arrangements there (employees, agents or contractual relationships), or whose services rely, directly or indirectly, on users in the EU providing personal data should carefully consider whether the GDPR applies.
If your company is not "established" in the EU but its processing falls under the targeting criterion of Article 3(2), it has an additional obligation: it must designate a representative in the Union under GDPR Article 27, subject to the narrow exceptions set out in Article 27(2) (occasional, low-risk processing that does not involve large-scale processing of special categories of data).
The Guidelines note that "Where a controller subject to GDPR chooses to use a processor located outside the Union and not subject to the GDPR, it will be necessary for the controller to ensure by contract or other legal act that the processor processes the data in accordance with the GDPR. GDPR Article 28(3) provides that the processing by a processor shall be governed by a contract or other legal act. The controller will therefore need to ensure that it puts in place a contract with the processor addressing all the requirements set out in Article 28(3)."
* * *
David S.S. Hamilton is Of Counsel to ZEK and a member of the Firm’s Privacy and Cybersecurity practices. David advises companies across industries, including banking, FinTech, technology and advertising with an array of privacy law and data protection issues.