Territorial scope of the GDPR - Where does the boundary lie?
In November 2019, the European Data Protection Board ("EDPB") adopted finalised guidelines on the territorial scope of the GDPR (the "EDPB Guidelines").
The territorial scope of the General Data Protection Regulation (2016/679) (EU) ("GDPR") is set out in Article 3 of the legislation. The breadth of the provisions in Article 3 is intended to ensure comprehensive protection of data subjects' rights, but it means that companies operating internationally must conduct careful assessments of whether the GDPR applies to their processing activities.
In this article we review some of the key criteria and considerations for organisations seeking to understand where the boundary lies with regard to the reach and application of the GDPR.
Article 3 of the GDPR
Article 3 of the GDPR sets out the two limbs of its territorial scope. The first limb applies where data processing activities are conducted by organisations (controllers or processors) established in the EU, a principle established under European case law considering the scope of the now repealed Directive 95/46. The second limb is new and extends the territorial reach to two types of business activity, i.e. data processing activities relating to:
- offering of goods or services (even if for free) to data subjects situated in the EU (not restricted to EU citizens); and
- monitoring of the behaviour of such data subjects.
Article 3(1) of the GDPR
Article 3(1) of the GDPR applies to:
"the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether processing takes place in the Union or not".
The EDPB Guidelines recommend taking the following three-limb approach in assessing whether the processing of personal data falls within Article 3(1):
- consideration of whether there is an establishment in the European Economic Area ("EEA");
- consideration of whether the processing is carried out "in the context of the activities of" an establishment (i.e. is the processing inextricably linked to activities of a controller or processor); and
- application of the GDPR to the establishment of a controller or processor in the EEA, regardless of whether the processing takes place in the EEA or not.
Establishment
The concept of "establishment" was considered by the Court of Justice of the European Union (CJEU)[1], which confirmed that the phrase should be interpreted very broadly. It ruled that "any real and effective activity – even a minimal one" carried out through "stable arrangements" in the EEA may be sufficient to qualify as an establishment under European data protection law.
This concept has not changed significantly from the previous regime. The EDPB Guidelines confirm that for online services the threshold for "stable arrangement" can be quite low, and that in some cases a single employee or agent with a sufficient degree of stability would satisfy the test.
Context of activities
The second limb requires assessment of whether the processing activities "are carried out in the context of the activities of an establishment". The courts have generally taken a broad view when linking processing by a controller or processor outside the EEA to the activities of an establishment inside the EEA; this is known as the "inextricable link". Examples provided by the CJEU include organisations which have sales offices in the EEA, or which promote or sell advertising or marketing targeting residents in the EEA[2].
The EDPB Guidelines provide further clarity on the meaning of "inextricable link". They state that revenue-raising activities in the EEA by a local establishment which relate to processing of personal data taking place outside the EEA may indicate that the processing is carried out "in the context of the activities of" the EEA establishment, in which case the test is satisfied.
This is an assessment which organisations need to carry out on a case-by-case basis.
Processing location
The third limb involves considering geographical location with regard to the establishment of:
- the controller or processor itself (i.e. is it established inside or outside the EEA); and
- any business presence of a non-EEA controller or processor (i.e. does it have an establishment in the EEA).
The EDPB Guidelines clarify that the trigger for the application of the GDPR is dependent on a controller or processor being established in the EU and processing being carried out in the context of that establishment. It follows that whether the actual processing activity takes place in the EU is not relevant to the assessment of applicability of the GDPR obligations.
Article 3(2) of the GDPR
Under Article 3(2) the GDPR applies to:
"the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union".
The EDPB Guidelines recommend taking a twofold approach in assessing whether these criteria apply, as follows:
- whether the processing relates to personal data of data subjects who are in the EEA; and
- whether it relates to the offering of goods or services to, or the monitoring of the behaviour of, data subjects in the EEA.
"Offering goods and services" is more than merely providing access to a website or an email address, or using the language that is generally used in the country in which the controller is established.
The EDPB Guidelines highlight the importance of "targeting" individuals in the EEA, and provide that the provision of services must intentionally target individuals in the EEA: inadvertent or incidental provision of services to an individual who happens to be in the EEA is not enough. Notably, however, payment by the data subject is not required to trigger the targeting criterion.
Examples of factors to be taken into account to evidence "targeting" include:
- the EU or at least one Member State is designated by name with reference to the good or service offered;
- the data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union, or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
- the international nature of the activity at issue, such as certain tourist activities; and
- the mention of dedicated addresses or phone numbers to be reached from an EU country.
The EDPB Guidelines note that a factor in isolation may not be sufficient to evidence the controller's intention to offer goods or services; however, a combination of factors relating to the controller's activities can together be assessed as offering goods or services.
In order for the GDPR to apply to monitoring, the EDPB Guidelines clarify that the monitored behaviour must first relate to a data subject in the EEA, and that the monitored behaviour must take place within the EEA.
Whilst the EDPB Guidelines provide some useful examples for organisations interpreting Article 3 of the GDPR, the boundaries of Article 3 are still somewhat blurred. Keeping in mind the intention behind the GDPR's long-arm jurisdictional reach, and that the CJEU is keen on a wide application of European data privacy law, organisations should prepare for broad application of this article.
Byte-sized news
- ICO publishes code for protecting children's privacy online: The Information Commissioner's Office ("ICO") has published its Age Appropriate Design Code (the "Code") which sets out 15 standards expected of those responsible for developing or providing online services such as apps, connected toys and streaming services which are likely to be accessed by children. The Code will require that privacy settings should be set to high by default and that nudge techniques should not be used to encourage children to weaken their settings. The Secretary of State now needs to lay the Code before Parliament for its approval. After that, organisations will have 12 months to update their practices before the Code comes into full effect.
- Cypriot SA issues fine for use of automated tool for employee profiling: The Commissioner for Personal Data Protection ("Cypriot SA") has fined LGS Handling Ltd, Louis Travel Ltd and Louis Aviation Ltd (the "Louis Group") EUR 82,000 for use of an automated tool which processed special category personal data about employees' absences from work. The Cypriot SA found that the Louis Group had no lawful basis under Article 6 of the GDPR and no condition under Article 9 of the GDPR to process the special category personal data using the tool which scored employees based on their unplanned absences from work.
- Italian SA issues three multi-million euro fines for unlawful marketing activities: The Garante ("Italian SA") has imposed in the past two months three multi-million euro fines relating to unlawful marketing activities. The first two fines were imposed on Eni Gas and Luce ("Egl") and totalled EUR 11.5 million. The fines related to unlawful telemarketing activities and entering into unsolicited contracts with individuals for the supply of electricity and gas which included inaccurate personal data. The third fine, which totalled EUR 27.8 million, was imposed on TIM SpA for making unsolicited marketing calls to individuals whose names were included on public opt-out registers. TIM was also found to have failed to adequately supervise the activities of the call centres it had engaged to contact individuals on its behalf.
With thanks to Tom Brookes, Renée Green and Clive Wong for their contributions.
[1] Weltimmo v NAIH (C-230/14)
[2] Paragraph 60, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (C-131/12)