Article 3 of the GDPR was written to address when the GDPR applies. In practice, it left more questions than answers, and the EDPB has now delivered its long-awaited guidelines for public consultation in order to clear up some of the confusion.
Does the EDPB answer frequently asked questions on territorial scope?
The European Data Protection Board (EDPB, the successor to the Article 29 Working Party) has issued guidelines (for consultation) on one of the key foundational elements of the General Data Protection Regulation (GDPR); namely, Article 3 on territorial scope.
Article 3 is supposed to answer the important questions of when GDPR applies (depending on the location of an entity processing personal data, or of the individuals whose data is being processed). Unfortunately, Article 3 was drafted in a way that left many key concerns unanswered.
The Guidelines 3/2018 on the territorial scope of the GDPR adopted on 16 November 2018 (Guidelines) seek to answer some of those concerns.
The EDPB was somewhat delayed in issuing this much-trumpeted document. It was supposedly agreed in principle (subject to legal checks) at its plenary meeting over three months ago. Perhaps those legal checks found some issues, since it wasn't until the next plenary meeting (on 16 November) that the document was issued.
Thankfully, it was worth the wait, since there is some valuable guidance for those trying to navigate the difficulties inherent in the drafting of Article 3.
Before turning to the Guidelines it is worth recapping Article 3. It is in two (main) parts:
Article 3(1) (the "establishment" criterion) provides that the GDPR applies to processing "in the context of an establishment" of a controller or processor in the EU.
Article 3(2) (the "targeting" criterion) provides that the GDPR applies to non-EU controllers or processors in two situations: (i) those that offer goods or services to individuals in the EU ("targeting by selling") and (ii) those that monitor the behaviour of individuals in the EU ("targeting by monitoring").
We are an EU company, does GDPR apply to us?
Yes. Any entity incorporated or registered within the EU is "established" there.
My company is incorporated in, say, Mexico, but I have a branch or office in the EU - does GDPR apply?
Very likely, yes. Whilst "establishment" is not in fact defined, Recital 22 makes clear that
"[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect"
The Guidelines reiterate this. What matters is that there is some permanent ("stable") presence, and a branch office of a non-EU company will generally fulfil this requirement. Indeed, the Guidelines suggest that a single employee or agent may be enough to indicate such presence, provided that person acts with a sufficient degree of stability.
My company is a processor and incorporated in the EU, but all customers are non-EU entities – does GDPR apply?
According to the Guidelines, the GDPR applies to the processor (provided the data is processed "in the context" of that establishment), since the processor is itself established in the EU. For the purposes of the processor's compliance, it is irrelevant that the controller is outside the EU. However, using a processor in the EU does not automatically make the non-EU controller subject to the GDPR. See below!
We are a controller, but not in the EU. However, we do have an EU sales affiliate, but that entity does not actually process personal data itself – so presumably we are both outside of scope?
Not necessarily. The Guidelines support and restate the decisions of the Court of Justice of the European Union that it is possible even for non-EU entities to be "established" in the EU.
The processing need not be by the entity which has an establishment in the EU (in this example, the EU sales affiliate); GDPR will apply to any entity involved if the processing is "in the context" of the establishment in the EU.
This is the same outcome as in the Google Spain case. All that is required is an "inextricable link" between the non-EU entity and the EU establishment. If that exists, then in effect the EU affiliate is also an establishment of the non-EU entity – and GDPR applies to the non-EU entity even if the EU affiliate plays no actual role in processing. The EDPB makes clear that the language in Article 3(1) must be understood in the context of that decision (and other decisions such as Weltimmo).
My company is established in the EU, but we only sell to individuals outside the EU – does GDPR apply?
Yes. The processing of data about those individuals is in the "context of the establishment" of your company, the controller, in the EU. The Guidelines reiterate that it is irrelevant that the data subjects are not in the EU. The GDPR is in this respect "nationality blind".
The Guidelines give an example of a French company selling to individuals in North Africa – GDPR applies.
We are an EU company but outsource all our processing activities to entities outside of the EU
GDPR still applies. The processing remains in the context of the EU establishment. The location of the actual processing is irrelevant.
We are a processor outside of the EU, but our customers are within the EU
The GDPR does not apply directly to the processor on the establishment criterion. It had been possible to read Article 3(1) as extending the GDPR to a non-EU processor merely because it services EU controllers. The Guidelines helpfully end that line of interpretation.
Whilst the GDPR does not apply directly to the processor, the Guidelines emphasise its indirect application through Article 28. The controller within the EU is obliged (under Article 28) to ensure that certain data protection obligations are accepted by the processor under contract.
We are a controller outside of the EU, but we are using an EU processor
The GDPR does not apply to the controller simply because it chooses to use a processor in the Union.
This is also helpful from the EDPB since, again, it was possible to read Article 3(1) more widely (that the processor being within the EU was sufficient to make the controller subject to the GDPR).
The Guidelines clarify that such a controller is outside the scope of the GDPR on the "establishment" criterion (though Article 3(2) may still apply if the controller targets or monitors individuals in the EU, whatever their nationality). The EU processor, however, will be subject to the GDPR (see above).
We are that EU processor (our customer is outside the EU), do we have to comply with all parts of GDPR?
There was a worry that, if the customer was not subject to the GDPR, the processor might be responsible for such things as ensuring a legal basis and other controller responsibilities (since no other entity was within the EU).
The Guidelines (again) helpfully make clear that the processor only has to comply with processor obligations.
We are NOT an EU company, so GDPR does not apply to us
No. If you are established outside the EU, you may still be caught by the GDPR under Article 3(2). Keep reading.
We are outside the EU and selling goods and services into the EU
Yes, clearly. Under Article 3(2) it is enough that you are targeting your goods or services at individuals in the EU (see further below on "targeting").
But our services are only targeted to non-EU nationals (the diaspora of our country)
Again, the GDPR is nationality blind. The Guidelines make clear that presence in the EU is enough.
OK, but we are only providing our service to US tourists whilst on vacation in the EU
This depends on whether there is targeting of those individuals whilst they are in the EU, or whether the fact that they are within the EU is merely incidental. If the key feature is that the service is provided to individuals because they are within the EU, then the GDPR will apply and the fact that they are only there temporarily is irrelevant.
But if the tourists just happen, say, to read a US news website whilst in the EU, that will not make the site subject to the GDPR. This is in fact an example given by the EDPB, perhaps inspired by the well-publicised decision of some US news companies to geo-block EU visitors because of the GDPR.
We provide our online services from outside the EU to individuals within the EU but do not charge for them
The Guidelines reiterate that the fact that a service is free is irrelevant. The GDPR will still apply if the services are targeted at individuals in the EU.
Now that six months have passed since the EU General Data Protection Regulation went into effect, gauging the potential for enforcement action is top of mind here in Brussels. Threaded throughout this opening day of the IAPP Europe Data Protection Congress have been insights from some of the EU's top data protection regulators: from European Data Protection Board Chairwoman Andrea Jelinek and newly renamed Data Protection Commissioner for Ireland Helen Dixon to representatives from the French data protection authority, the CNIL, the EDPB and the data protection wing of the European Commission.
The big takeaway? Get ready for some enforcement action in 2019.
During her interview with IAPP Chief Knowledge Officer Omer Tene, Dixon said major GDPR-related fines will not come down the pike in 2018, but it's safe to expect some fines in 2019. This notion was foreshadowed earlier in the day by the EDPB's Jelinek during her keynote address. She said the board is already working on a number of cross-border enforcement cases (Dixon separately noted there are 14), but those cases are complicated and resolutions will come in "a few months from now."
Notably, both Jelinek and Dixon said no cross-border cases have been escalated to the EDPB. Jelinek explained that national regulators thus far have been able to collaborate without triggering any EDPB resolutions or mediation.
But that doesn't mean enforcement is far away. During a panel session on GDPR enforcement, CNIL Director of Rights Protection and Sanctions Directorate Mathias Moulin did not mince words, warning that the time for the GDPR's transition "is coming to an end," and that it's "time for action" and there will be "teeth."
Romain Robert, legal advisor to the EDPB, fleshed out what the board has been up to in the last six months. He said the EDPB is currently communicating about 350 cases on the IMI system, a network built for the supervisory authorities to exchange information. Robert also said there are 280 mutual assistance requests under Article 61 and 22 local case requests under Article 56.
No doubt, DPAs across the EU have been busy. Complaints are up, as are breach notifications. Jelinek noted that complaints have more than doubled, and notifications have tripled, at the Austrian DPA. It's clear, however, that the EDPB has been focused on building its one-stop-shop mechanism and seeking to lay the groundwork for harmonization, consistency and proportionality. Karolina Mojzesowicz, the deputy head of data protection at the European Commission, said proportionate fines and sanctions are often discussed among the regulators and that harmonization is important so that there is no difference in fining levels among national authorities.
Jelinek said "the GDPR has substantially changed the way national DPAs" work together. She also pointed out that DPAs now wear two hats: one as their national regulators and the other as members of the EDPB. This "high frequency of meetings, which requires resources," helps to ensure a harmonized approach, which, in turn, she argued, will increase legal certainty for businesses.
Not everything, however, will be about enforcement in 2019. Jelinek said the EDPB knows there's a demand for more guidance. "We will continue to work with stakeholders in a more structured manner next year. ... We do not believe in an ivory-tower approach" to regulating.
"The rubber hasn't hit the road with one-stop shop, yet," Ireland's Dixon said. "We haven't had a case that requires the consensus of all 28 DPAs. It really is a case in progress ... and there are clear challenges that are involved and complex."
In addition to publishing more case studies and best practices, Ireland's Dixon said supervisory authorities need to start exploring certifications and seals under the GDPR. She also suggested that it will be helpful for DPAs to highlight good examples of GDPR compliance as well as bad ones to help the business community.
Dixon also praised some of the GDPR's near-term effects on industry: "We're seeing demonstrable efforts at accountability." And though the 72-hour breach notification requirement "has some issues," the fact there is now mandatory breach reporting "has opened our eyes to breach trends we wouldn't have been aware of" previously. For example, in the more than 3,000 data breaches it has been notified of, the Irish DPC has found that a large proportion of breach notifications are related to coding errors.
In her keynote address, Jelinek reflected on where the EDPB might be a few years from now: "It will be a well-established body" that will be transparent and efficient, concluding, "I'm convinced, as data protection continues to go mainstream, the IAPP members will be the ambassadors."
This is an update to our previous blogs on Brexit.
EU leaders have signed off on the withdrawal agreement between the UK and the EU, as well as the political declaration on the framework for the future relationship between the UK and the EU. The political declaration is an outline of what a future EU-UK trade agreement might look like. But the trade agreement has yet to be negotiated, and that process won't start until the UK has left the EU on 29th March 2019. If negotiations are quick (and successful) then the intention is that the future trade agreement between the EU and the UK would come into force at the end of the transition period (31st December 2020, although the transition period could be extended).
Next month the withdrawal agreement and the framework for the future EU-UK relationship will be put to the UK Parliament (likely on the 12th December), which will vote on whether to approve them. At the moment, the Parliamentary arithmetic looks worrying for Theresa May. If Parliament votes the deal down then the UK looks to be heading for a constitutional crisis. But we're not there yet, and the Prime Minister is doing her utmost to convince MPs and the public to back the deal. She has also staved off a potential vote of no confidence by Brexit supporting MPs in her own party, unhappy with the withdrawal agreement and the political declaration.
At the same time, the Court of Justice of the European Union is to hear a case on 27th November on the question of whether under Article 50 of the Treaty on European Union, a Member State which has given notice of its intention to withdraw from the EU can unilaterally revoke that notice.
What do the withdrawal treaty and the framework for the future relationship mean for data protection?
If the deal is secured then data flows between the UK and the EU (as well as the rest of the world) continue as normal between the UK's departure from the EU (29th March 2019) and the end of the transition period (i.e. until 31st December 2020, unless this period is extended).
For the future relationship (i.e. after the transition period), the intention as set out in the political declaration is that data transfers should take place on the basis of an adequacy decision. An adequacy decision means that the European Commission has determined that a country offers an adequate level of data protection, taking into account its domestic legislation and international commitments. This enables personal data to flow freely from the EU to that country without further safeguards such as standard contractual clauses. Examples of countries which already benefit from an adequacy decision include Argentina, New Zealand, Canada (for transfers to commercial organisations) and the US (for transfers made to organisations that have certified compliance with the EU-US Privacy Shield).
This is an update to our earlier post on Brexit. It discusses the publication of the draft withdrawal agreement, following the UK government's announcement that it has reached a tentative deal with the EU.
As I write it is not at all clear what the next few hours, let alone weeks, will bring and whether Theresa May's withdrawal agreement will survive. However, it's worth setting out what the text does in relation to data protection.
In brief, the withdrawal agreement seeks to ensure that there will be no disruption to data flows between the UK and the EU post Brexit.
The transition period
During the period immediately after the UK leaves the EU on 29th March 2019, but before the treaty governing the future relationship between the EU and the UK comes into force, EU law (including data protection law) will continue to apply to the UK. This is the period which the withdrawal agreement terms the "transition period", but which the UK calls the "implementation period" (they are in fact the same thing). It's not clear how long the transition period will last. The withdrawal agreement provides for it to be extended to a date which is as yet unknown. This is a helpful addition to the text compared to the version published in March, and removes the potential "cliff edge" the UK was facing at the end of 2020 if the future relationship had not yet been agreed.
During the transition period the UK loses its seat at the table in the European Data Protection Board ("EDPB"). But that doesn't necessarily mean that all the provisions which have a link to the EDPB fall away. So, for example, it's not clear how the one stop shop will work during the transition period. Just because the UK Information Commissioner loses her seat at the table doesn't necessarily mean that the entire one stop shop mechanism simply won't apply to the UK. If that were the case it would undermine the central policy of the transition period, which is to maintain consistency as between the regimes in the UK and the EU. The detail of how all this will work in practice is still very unclear. We may have a better sense once the EU (Withdrawal Agreement) Bill is published.
For the future relationship, the UK is seeking an adequacy decision as the basis for the transfer of data from the EU to the UK. The outline of the political declaration on the future relationship which has been published alongside the draft withdrawal agreement says that the EU will "endeavour" to adopt an adequacy decision in relation to the UK by the end of the transition period. The UK will also be seeking to put in place a mechanism which will ensure a free flow of data from the UK to the EU.
The political declaration on the future relationship also mentions (in vague terms) an intention to have "appropriate cooperation between regulators".