The extra-territorial application of the new EU law | Fieldfisher

15/02/2012
One of the most expected changes likely to be introduced by the new EU Data Protection Regulation proposed by the European Commission is the criteria to determine the applicability of EU law - quite an important issue. To recap briefly, under the current Data Protection Directive, the rules are essentially as follows:

*   If the controller is based in an EU Member State (e.g. Acme (UK) Limited based in the UK), that controller will be subject to the law of that Member State (e.g. the UK Data Protection Act) and to the scrutiny of the regulator of that country (e.g. the UK Information Commissioner).

*   If the controller is based outside the EU (e.g. Acme Inc.) but uses equipment (e.g. servers or people's computers) to collect information, that controller will be subject to the laws of every single Member State and to the scrutiny of each and every regulator. 

However, the rule that determines the applicability of the law to non-EU controllers produces bizarre situations like the potential application of EU law to organisations that have no presence, employees or customers in the EU but happen to engage an EU-based service provider (with equipment in Europe), or like the non-application of EU law to organisations who may be dealing with millions of Europeans over the Internet but have no real processing equipment in the EU.

Therefore, under the proposed Data Protection Regulation, the rules would be as follows: 

*   If the controller is based in an EU Member State and it has one main establishment (e.g. Acme (UK) Limited based in the UK), then it will still be subject to the Regulation but it will only be subject to the scrutiny of one regulator (e.g. the UK Information Commissioner).

*   If the controller is based outside the EU (e.g. Acme Inc.) and offers products or services to EU residents or monitors the behaviour of EU residents, it will be subject to the Regulation and to the scrutiny of each and every regulator.

For non-EU organisations, the million-dollar question is what the Regulation means by "offering products or services" or, more intriguingly, "monitoring the behaviour". The answer to this question will undoubtedly become clear as the legislative process progresses, but in the meantime it is helpful to consider the explanations given in the recitals to the Regulation.

First of all, the whole point of the extra-territorial reach of the law (both under the Directive and even more under the Regulation) is to protect people who live in Europe where their data is used elsewhere.  The "offering products or services" side of the equation is also clearly aimed at capturing visible commercial relationships where, typically via the Internet, an organisation is making its goods or services available to EU residents.

The meaning of "monitoring the behaviour" is slightly trickier because the recitals only refer to one very specific form of monitoring: Internet tracking and profiling. So the commonplace practice of building a picture of an Internet user through the use of cookies, with a view to targeting that individual with tailored advertising, will definitely be caught - not a very "technologically neutral" provision, it must be said. The question that we will need to address over the coming months is what the intended scope of the phrase "monitoring the behaviour" is beyond Internet tracking and, more precisely, how granular or detailed that monitoring must be to trigger the application of the law. The debate is wide open.
