The legal background.
The potential extra-territorial reach of the GDPR’s provisions has caused intense dispute among privacy experts and scholars, as well as harsh confrontations in the Courts. The issue arises from Article 3, which, with respect to the territorial scope of the Regulation, provides that the GDPR applies to:
- “.. the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”,
- “.. the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union”.
From the provisions above it is clear that companies, even when not based within the European Union, become subject to the requirements of the GDPR when certain conditions are met.
Hence the problem of assessing when such ‘extra-territorial’ reach of the GDPR actually arises.
The Court of Justice of the European Union (CJEU) and its case-law.
Back in 2014, the (widely commented) Google Spain decision of the CJEU’s Grand Chamber[i] found, obviously in relation to the provisions of the Data Protection Directive 95/46/EC in force at the time, that a service (such as Google Search) offered by a company located outside the EU, but involving the processing of data of EU residents, was governed by EU data protection rules where the foreign company benefitted from the promotional (advertising) activities of an EU-based undertaking of its group and those activities were inextricably linked to the service provided by the foreign company. The decision clearly involved several worrying effects and implications for foreign companies extending their businesses into the EU and, especially, for search engines.
More recently, the CJEU’s Grand Chamber had to deal with a ‘territoriality issue’ under the GDPR in a dispute[ii] around a search engine’s de-referencing obligations. In its decision of September 24, 2019 the Court concluded that neither the Directive (95/46/EC) nor the Regulation (2016/679) contained provisions allowing EU law to be applied “beyond the territory of Member States” (paragraph 62), hence “.. currently there is no obligation for a search engine operator, who grants a request for de-referencing made by a data subject… following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all versions of its search engine” (paragraph 64).
As the CJEU’s decisions are clearly ‘case-specific’, extracting from them a readily applicable and consistent criterion on the potential extra-territorial reach of the GDPR’s provisions is not an easy task.
Addressing the problem.
The problem is by no means new, as it already existed under the provisions of the Data Protection Directive 95/46/EC. At the time, the Article 29 Working Party tried to offer helpful guidance on this aspect through its Opinion 8/2010 on applicable law, reviewed and updated on December 16th, 2015 (in light of the judgement issued by the CJEU in the Google Spain case).
Subsequently, the European Data Protection Board (succeeding the Article 29 Working Party) felt that the problem had to be assessed with specific reference to the GDPR’s provisions. To that purpose, it released, on November 16th, 2018, a draft version of guidelines, launching a public consultation on the draft text and inviting interested stakeholders to submit their comments. Following that process the EDPB has now adopted, on November 19th, 2019, the “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version 2.0”.[iii]
These guidelines are no doubt useful, as they address the territorial scope of the GDPR (with numerous practical examples) and touch upon a range of closely connected issues. In the following I am going to highlight those aspects which I consider ‘key points’.
The new Guidelines.
According to the EDPB’s indications, in order to assess whether the GDPR is relevant, foreign companies offering goods or services internationally and processing personal data in the context of their businesses need to ask themselves where and how they perform their activities, as well as whether the activities of their EU partner/associate companies (or EU representatives) are ‘instrumental’ (to a significant degree) to their businesses.
When do foreign companies need to care about the GDPR’s provisions?
Regulation 2016/679 provides, in Article 3, that two basic elements must be taken into account for this purpose: (a) the ‘establishment’ criterion, and (b) the ‘targeting’ criterion.
What is to be understood under the ‘establishment’ criterion?
Under the ‘establishment’ criterion the GDPR applies when “the processing of personal data” occurs “in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” (processing the personal data outside the territory of the EU offers no ‘free ride’).
Hence, the first problem to deal with is that of defining the concept of “establishment”. The Guidelines concede that the GDPR does not contain a definition of this term (there is one, in Article 4(16), for ‘main establishment’), but according to Recital 22 an ‘establishment’ implies the “.. effective and real exercise of activities through stable arrangements ..” (where the “legal form” of such arrangements is not the determining factor). In practice, the minimum threshold for such ‘stable arrangements’ may in certain cases be quite low: even a single employee or agent within the EU can, but will not necessarily, be sufficient, provided it acts with a ‘sufficient degree of stability’.
The Guidelines are clear in stating that the assessment of whether an ‘establishment’ (in the sense of a stable arrangement) exists will necessarily have to be performed on a case-by-case basis. This is because a too restrictive interpretation of the concept would deprive the GDPR of its ‘protective scope’, while a too broad reading (covering any presence in the EU) would result in a serious obstacle to international business.
How relevant is the data processing’s location?
Conversely, data processing carried out outside the territory of the EU by a foreign company may trigger the applicability of the GDPR’s provisions whenever such processing is ‘inextricably linked’ to the business activities of an establishment located in the EU, even though the latter does not itself process the data (with a not too hidden thought to the business models of popular online platforms, the Guidelines recall, as an example, that revenue-raising in the EU by a local establishment may fulfil the ‘inextricably linked’ requirement). Again, the location where the data processing takes place is not a factor in assessing whether the GDPR applies. On this point, the Guidelines expressly state that “..geographical location is not important for the purposes of Article 3(1) with regard to the place in which processing is carried out, or with regard to the location of the data subjects in question. The text of Article 3(1) does not restrict the application of the GDPR to the processing of personal data of individuals who are in the Union. The EDPB therefore considers that any personal data processing in the context of the activities of an establishment of a controller or processor in the Union would fall under the scope of the GDPR, regardless of the location or the nationality of the data subject whose personal data are being processed.”
Indications on the ‘targeting’ criterion.
As per Article 3(2), the GDPR applies to “..the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union”.
First, it has to be stressed that this criterion refers to all individuals who are within the territory of the EU, their nationality, residence or legal status being otherwise irrelevant, a conclusion which follows from the text of the GDPR’s Recital 14, stating that “the protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”. For those wondering about the legal background of such an ‘extended’ protection of personal data, I would recall that the Charter of Fundamental Rights grants such protection to everyone, without any nationality or residence limitation (Article 8 of the Charter). Hence, what counts in the end is the individual’s presence on EU territory. It goes without saying that such presence must occur at the moment when goods or services are offered or when the behavior monitoring takes place.
From the preceding paragraph it follows that the criterion, to become relevant for the applicability of the GDPR, requires two elements: processing activities concerning individuals present in the EU, and a relation of those activities to (a) the offering of goods or services to such individuals, or (b) the monitoring of their behavior within the EU.
When is the ‘offering of goods or services’ capable of triggering the applicability of the GDPR?
To bring the GDPR’s provisions into play, the targeting of individuals in the EU must be ‘intentional’. Hence, a service provided to an individual outside the EU may continue to be provided when such individual occasionally enters a Member State (e.g. on a business or vacation trip), without the data processing relating to such service becoming subject to the Regulation.
When should goods or services (including information society services) be considered as ‘offered’ to an individual in the EU? The Regulation’s wording is clear that the seeking of remuneration is not relevant for assessing whether an ‘offering’ took place. On the contrary, HOW the service is offered (i.e. the conduct of the offering company) constitutes an important factor, as Recital 23 of the GDPR clarifies that “in order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union,” specifying also that “whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, [the presence] of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
On this point the Guidelines indicate that the following factors should be considered in relation to the ‘offering’ performed with respect to individuals in the EU:
- whether in the context of the offer the Union (or one or more of its member states) is indicated by name,
- whether the data controller or processor retains “the services of a search engine operator for an internet referencing service .. to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience”,
- whether the ‘offering’ company performs activities of ‘international nature’ (as an example the guidelines refer to ‘certain tourist activities’),
- whether “dedicated addresses or phone numbers to be reached from an EU country” are mentioned in the offer,
- whether ‘a top-level domain name’ different from that of the offering company’s home country and typical for the EU or one of its member states is used,
- whether the offer contains ‘travel instructions’ on how to reach the place of the service’s performance from one or more EU Member States,
- whether the offer contains references to ‘an international clientele’, such as customers having their domicile in the EU Member States (presenting EU customer reviews of the services or goods offered will also result in a relevant indicator),
- whether in the context of the offer a language or a currency other than that typical for the trader’s country is used (especially a language or currency of one or more EU Member States),
- whether the offer provides for delivery of the goods in EU Member States.
On the contrary, the Guidelines consider as ‘not relevant’ factors such as: the mere accessibility of the controller's, processor's or an intermediary's website in the Union, the mention on the website of its e-mail or geographical address, or of its telephone number without an international code.
On the other aspect of ‘targeting’: behavior monitoring.
Whether the company is located within or outside the EU, the GDPR governs data processing which relates to the monitoring of individuals present within the EU, provided their scrutinized behavior takes place within the Union.
Under Recital 24 of the Regulation behavioral monitoring occurs when natural persons are ‘tracked’ on the Internet and ‘profiled’ “in order to take decisions concerning her or him” [i.e. the tracked individual] “or for analysing or predicting her or his personal preferences, behaviours and attitudes.” The Guidelines add that, aside from Internet tracking, identical or similar practices performed “.. through other types of network or technology involving personal data processing..” may also amount to behavioral monitoring (as examples, they mention wearable and smart devices) and therefore require compliance with the GDPR’s provisions.
Differently from what we have seen in relation to the ‘offering of goods and services’ criterion, there is no indication that an ‘intention to monitor’ is also required to bring the Regulation into play. However, the Guidelines do not consider that “any online collection or analysis of personal data of individuals in the EU would automatically count as ‘monitoring’”. Hence the indication that “it will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data”.
To the purpose, the Guidelines consider that a range of specific monitoring activities may become relevant, such as: behavioral advertising, geo-localization (in particular, when performed for marketing purposes), online tracking (via cookies or fingerprinting), personalized diet and health analytics services online, CCTV, market surveys (as well as other behavioral studies based on individual profiles), monitoring or regular reporting on an individual’s health status.
Data processing performed by companies in Third Countries, i.e. not established within the EU.
A processor not established in the EU will have to consider the GDPR’s provisions if its processing is ‘related’ to targeting falling within the territorial scope of the Regulation. In such case the problem is clearly that of assessing what ‘related’ means. According to the EDPB’s Guidelines, processors handling data on behalf of (and on instructions from) a controller in the context of the offering of goods or services to, or the behavior monitoring of, individuals in the Union will be subject to the GDPR’s requirements.
Hence, the Guidelines indicate that “.. the focus should be on the connection between the processing activities carried out by the processor and the targeting activity undertaken by a data controller.”
While the Guidelines are clearly unable to eliminate doubt on all the territoriality issues linked to the GDPR’s application, they nevertheless offer extremely useful indications to companies with international businesses on which this aspect has a significant impact. Personally, I feel that the numerous practical examples contained in the Guidelines provide companies with valuable advice on how they should approach the territoriality issue and on what they need to evaluate properly in advance before addressing the EU with their businesses. Very commendably, these examples address not only ‘common’ cases but also several ‘peculiar’ situations, including the third limb of Article 3, i.e. Article 3(3), under which the GDPR applies to processing by a controller not established in the Union but in a place where Member State law applies by virtue of public international law. To offer a better idea, I would like to recall Example 23, where the following hypothetical case is dealt with: “A German cruise ship travelling in international waters is processing data of the guests on board for the purpose of tailoring the in-cruise entertainment offer. While the ship is located outside the Union, in international waters, the fact that it is German-registered cruise ship means that by virtue of public international law the GDPR shall be applicable to its processing of personal data, as per Article 3(3).”
[i] Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, case C-131/12, decision of May 13th, 2014.
[ii] Google LLC v. Commission nationale de l’informatique et des libertés (CNIL), case C-507/17, decision of September 24th, 2019.
[iii] The text of the guidelines is available on the EDPB’s website at the URL indicated in the following: