For many U.S. organizations, figuring out whether – and to what extent – Europe’s General Data Protection Regulation (“GDPR”) applies to your operations has caused a lot of headaches. Do you have an “establishment in the [European] Union”? Are you “offering…goods and services…to…data subjects in the Union”? Are you “monitoring” the behavior of data subjects in the Union? How will these terms be interpreted and enforced?
The European Board of Data Protection (“EDPB”) – the working group of EU data protection regulators – recently issued guidelines (subject to revision) in an effort to clarify the territorial scope of the GDPR and help businesses answer those questions.
Here are key takeaways from the Guidance concerning the jurisdictional “criteria” under GDPR Article 3:
Even a Minimal “Stable Arrangement” Will Trigger GDPR
GDPR Recital 22 tells us that “Establishment implies the effective and real exercise of activity through stable arrangements,” and that the legal form (e.g., branch, subsidiary, affiliate) is irrelevant to the inquiry. But, what is a sufficiently “stable arrangement”?
The Guidance makes clear that pre-GDPR case law from the CJEU (in the Google Spain v. Costeja and Weltimmo cases) will remain good law. The EDPB points out that “[t]he threshold for ‘stable arrangement’ can actually be quite low.” For instance, a U.S-based online retailer having a single employee or agent based in the EU likely would be sufficient to constitute “an establishment in the Union.” Any operations – even if minimal – carried out through that single agent will be sufficient to make GDPR applicable to all processing activity related to those operations. Further, again following Costeja, any processing “inextricably linked” to the operations of the EU establishment will be covered by the GDPR – no matter where the processing takes place. What is “inextricably linked” is a case by case, fact-specific analysis, but the Guidance also emphasizes the broad construction to be given to this inquiry.
Outsourcing Data Processing to the EU Will Not Trigger GDPR
The Guidance also makes clear that, simply because a U.S.-based data controller chooses to outsource certain processing to a processor based in the EU, does not mean that controller will become subject to GDPR. The processor is not an “establishment” of the controller in this scenario. However, be mindful – the EU data processor will be subject to the GDPR, and will likely seek to impose certain GDPR-related obligations on the controller through a data processing agreement.
GDPR’s Extraterritorial Reach Only Applies to “Targeting” of Subjects in the EU
The Guidance confirms that the extraterritorial reach of GDPR is limited. Merely because your website is accessible in the EU does not necessarily mean you are “offering goods and services” or “monitoring” data subjects in the EU. Also, merely because a data subject is present in the EU when you process their data, does not mean you have “targeted” EU data subjects with respect to that activity.
The key inquiry is whether you are “targeting” EU data subjects by your activities. Again following pre-GDPR case law, the Guidance offers several non-exhaustive factors to be considered, including:
- Specifically mentioning or referencing the EU or a Member State in relation to the offering, whether through
- targeted marketing campaign;
- use of EU-specific top-level domain names;
- providing EU-specific contact information (e.g., including applicable international codes);
- providing EU-specific travel instructions to consumers;
- use of EU languages;
- accepting EU currencies; or
- offering the delivery of goods in the EU; and
- Taking specific actions to facilitate EU data subjects’ access to your site;
The Guidance offers two contrasting examples. First, a U.S.-based tech company providing a smartphone application that offers targeted advertising and consumer suggestions based on location information, to consumers in markets worldwide including London, Paris and Rome, would trigger GDPR: the company is offering services to data subjects while they are located in the EU. Second, a U.S. news outlet that provides a smartphone app solely to the U.S. market, but that can be accessed by a U.S. citizen while on vacation in the EU (and which collects and processes that subject’s data while in the EU), does not trigger GDPR: the company has not “targeted” EU data subjects.
Whether a data subject is “in the Union” is determined at the time the relevant trigger activity takes place, i.e. the moment of offering goods and services, or the moment of monitoring behavior – regardless of the duration of the offer or the monitoring.
Using “Cookies” Does Not Necessarily Trigger GDPR
The EDPB confirms the view that “monitoring” triggers GDPR only where it is purposeful, rather than inadvertent and tangential. Thus, not all use of “cookies” or other passive browser data-collecting technologies will constitute “monitoring.” The EDPB emphasizes that what matters is the purpose for which that data is collected and perhaps most importantly what is actually done with it. Processing of such data that allows for what the EDPB labels “behavioral analysis” or “profiling” will be considered “monitoring” to trigger GDPR. The Guidance provides as an example of “monitoring” that will trigger extraterritorial GDPR application: a U.S.-based marketing firm that consults on the layout of a retail store in France based on WiFi tracking of customer movement through the store. Unfortunately, the Guidance does not provide an example of what type of cookies use will not trigger GDPR under the “monitoring” prong. Taking from the marketing consultant example, a cautious organization may fairly extrapolate that using browser analytics that constitute “tracking of natural persons on the internet” and that provide data which are not anonymized will carry a substantial risk of triggering GDPR.
The 3/2018 Guidance on the jurisdictional scope of GDPR is helpful in many respects, but leaves many important questions open – especially for organizations with websites accessible to EU-based data subjects and who are using cookies and other browser analytics.
Spencer Fane’s Privacy and Cybersecurity Solutions group advises organizations on GDPR compliance. This post was drafted by Tom Hayde, a partner in the St. Louis, MO office, and Ben Shantz, an associate in the Springfield, MO office. For more information visit spencerfane.com.