Getting to know the GDPR, Part 2 – Out-of-scope today, in scope in the future. What is caught?

The GDPR expands the scope of application of EU data protection law requirements in two main respects: in addition to data "controllers" (i.e. persons who determine why and how personal data are

Originally posted on 20 October 2015 (updated on 2 March 2016).

 

The GDPR expands the scope of application of EU data protection law requirements in two main respects:

1. in addition to data “controllers” (i.e. persons who determine why and how personal data are processed), certain requirements will apply for the first time directly to data “processors” (i.e. persons who process personal data on behalf of a data controller); and
2. by expanding the territorial scope of application of EU data protection law to capture not only the processing of personal data by a controller or a processor established in the EU, but also any processing of personal data of data subjects residing in the EU, where the processing relates to the offering of goods or services to them, or the monitoring of their behaviour.

 

The practical effect is that many organisations that were to date outside the scope of application of EU data protection law will now be directly subject to its requirements, for instance because they are EU-based processors or non EU-based controllers who target services to EU residents (e.g. through a website) or monitor their behaviour (e.g. through cookies). For such organisations, the GDPR will introduce a cultural change and there will be more distance to cover to get to a compliance-ready status.

 

What does the law require today?

The Directive

At present, the Data Protection Directive 95/46/EC (“Directive“) generally sets out direct statutory obligations for controllers, but not for processors. Processors are generally only subject to the obligations that the controller imposes on them by contract. By way of example, in a service provision scenario, say a cloud hosting service, the customer will typically be a controller and the service provider will be a processor.

Furthermore, at present the national data protection law of one or more EU Member States applies if:

1. the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State. When the same controller is established on the territory of several Member States, each of these establishments should comply with the obligations laid down by the applicable national law (Article 4(1)(a)); or
2. the controller is not established on EU territory and, for purposes of processing personal data makes use of equipment situated on the territory of a Member State (unless such equipment is used only for purposes of transit through the EU) (Article 4(1)(c)); or
3. the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law (Article 4(1)(b)). Article 4(1)(b) has little practical significance in the commercial and business contexts and is therefore not further examined here. The GDPR sets out a similar rule.

 

CJEU case law

Two recent judgments of the Court of Justice of the European Union (“CJEU“) have introduced expansive interpretations of the meaning of “in the context of the activities” and “establishment”:

1. In Google Spain, the CJEU held that “in the context of the activities” does not mean “carried out by”. The data processing activities by Google Inc are “inextricably linked” with Google Spain’s activities concerning the promotion, facilitation and sale of advertising space. Consequently, processing is carried out “in the context of the activities” of a controller’s branch or subsidiary when the latter is (i) intended to promote and sell ad space offered by the controller, and (ii) orientates its activity towards the inhabitants of that Member State.
2. In Weltimmo, the CJEU held that the definition of “establishment” is flexible and departs from a formalistic approach that an “establishment” exists solely where a company is registered. The specific nature of the economic activities and the provision of services concerned must be taken into account, particularly where services are offered exclusively over the internet. The presence of only one representative, who acts with a sufficient degree of stability (even if the activity is minimal), coupled withwebsites that are mainly or entirely directed at that EU Member State suffice to trigger the application of that Member State’s law.

 

Regulatory guidance

Accordingly, EU privacy regulators tend to take an expansive interpretation of the applicable law rules of the Directive. For instance, on 16 December 2015, the Article 29 Data Protection Working Party (“WP29“) updated its opinion on “applicable law” following the Google Spain case and adopted the “inextricable link” test. According to WP29:

1. EU law will apply to data processing activities conducted by a foreign controller established outside the EU which has a “relevant” establishment whose activities are “inextricably linked” to the processing of personal data.
2. For companies that have a designated “EU headquarters” (acting as a controller) but have other “relevant establishments” in other Member States and those activities are “inextricably linked” to the data processing activities (e.g. to promote and sell advertisement space, raise revenues or carry out other activities), the national laws of the Member States in which such establishments are established will also apply.

 

What will the GDPR require?

The GDPR will place obligations on data processors in addition to data controllers and will expand the territorial scope of EU data protection law. Specifically the GDPR will apply to the processing of personal data:

1. in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not; and
2. of data subjects residing in the EU by a controller or a processor not established in the EU, where the processing activities are related to the offering of goods or services to them, or the monitoring of their behaviour in the EU.

It is irrelevant whether the actual data processing takes place within the EU or not.

As far as the substantive requirements are concerned, compared to the Directive, the GDPR introduces:

1. new obligations and higher expectations of compliance for controllers, for instance around transparency, consent, accountability, privacy by design, privacy by default, data protection impact assessments, data breach notification, new rights of data subjects, engaging data processors and data processing agreements;
2. for the first time, direct statutory obligations for processors, for instance around accountability, engaging sub-processors, data security and data breach notification; and
3. severe sanctions for compliance failures.

 

What are the practical implications?

The practical effect is that many organisations that were to date outside the scope of application of EU data protection law will now be directly subject to its requirements, for instance because they are EU-based processors or non EU-based controllers or processors who target services to EU residents (e.g. through a website) or monitor their behaviour (e.g. through cookies). For such organisations, the GDPR will introduce a cultural change and there will be more distance to cover to get to a compliance-ready status.

Perhaps the biggest change is that controllers and processors who are not established in the EU but collect and process data on EU residents through websites, cookies and other remote activities are likely to be caught by the scope of the GDPR. E-commerce providers, online behavioural advertising networks, analytics companies that process personal data are all likely to be caught by the scope of application of the GDPR.

So, what should businesses do now?

1. Businesses should audit their various uses and data in order to understand and assess the grounds on which they collect and use data.
2. If you are a controller established in the EU, prepare your plan for transitioning to compliance with the GDPR.
3. If you are a controller not established in the EU, assess whether your online activities amount to offering goods or services to, or monitoring the behaviour of, EU residents and if you use EU-based data processors. If so, asses the level of awareness of / readiness for compliance with EU data protection law and create a road map for transitioning to compliance with the GDPR. You may need to appoint a representative in the EU.
4. Assess whether any of your EU-based group companies act as processors. If so, asses the level of awareness of / readiness for compliance with EU data protection law and create a road map for transitioning to compliance with the GDPR.
5. If you are a data processor based in the EU, or a non-EU based data processor that processes personal data on behalf of EU-based data controllers, targets services to individuals in the EU or monitors the behaviour of individuals in the EU, assess whether the GDPR applies to your activities, assess the level awareness and compliance, and create a roadmap for transitioning to compliance with the GDPR.
6. If you are a multinational business with EU and non-EU affiliates which will or may be caught by the GDPR, you will also need to consider intra-group relationships, how you position your group companies and how you structure your intra-group data transfers.