In July, 2018 and then subsequently on 24th October, 2018 the Information Commissioner’s Office, United Kingdom (“ICO”) took its first General Data Protection Regulation (“GDPR”) enforcement action against a data controller located outside the European Union (EU) against Aggregate IQ Data Services Ltd. (“AIQ”) located in Canada. The above incident is the first example of extraterritorial applicability of GDPR, where a data controller was located in Canada but the data processing activities were targeted towards the data subjects present in EU. AIQ was monitoring the behaviour of each data subject for the purposes of targeting individuals with political advertising messages on social media and therefore the provisions of GDPR were held to be applicable. Non-European Internet-based service providers across the globe have been concerned about the applicability of GDPR. The European Data Protection Board (“Board”) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The Board in November, 2018 issued draft guidelines (“Guidelines”) on the territorial scope of the GDPR under Article 3. Whereas the Guidelines were released for the purpose of public consultation, nonetheless the Guidelines do provide explanations on important concepts introduced under Article 3 of the GDPR which defines the territorial scope for direct application of the GDPR.
- Application of the ‘Establishment’ criteria under Article 3(1)
The Guidelines specify that Article 3(1) ensures that GDPR is applicable to controllers and processors individually if any one of them or both of them have an establishment in EU, and the processing of the personal data of a data subject is in the context of the activities of such establishment, regardless of the actual place of the data processing. In order to determine the applicability of Article 3 the Board recommends few norms detailed below. ‘Establishment’ in EU It is provided that the notion of ‘establishment’ is broad and does not necessarily imply a legal personality such as a branch or subsidiary; rather it simply implies effective and real exercise of activities through stable arrangements in EU. This interpretation is in line with the interpretation of the Court of Justice of the European Union (“CJEU”) in several of its rulings. Further, it is also provided that both these factors, i.e. (i) effective and real exercise of activities and (ii) stability of arrangements should be considered in the light of the nature of economic activities and provision of the services concerned. This means that a single employee’s or agent’s presence in EU, with sufficient degree of stability maybe sufficient to consider it as an ‘establishment’. However, the accessibility of a website in EU of a non-European entity would not be sufficient to conclude that such an entity has an establishment in the European Union. Processing of data ‘in the context of the activities of’ the establishment The Guidelines provide that if the controller or the processor is outside EU but there exists a local establishment in EU and if the processing of the data is in the context of the activities of an establishment then the GDPR would be applicable. The Guidelines state that the activities of the local establishment in EU should be ‘inextricably linked’ to the data processing activities of the non-EU controller or non-EU processor, regardless of whether the local establishment in EU plays any role in the actual processing of the data. The Board recommends that non-EU organisations should undertake an assessment of their processing activities in the following manner:
- First, by determining whether personal data is being processed
- Secondly by identifying potential links between the activity for which the data is being processed and the activities undertaken by the organisation having any presence in EU.
Example: A website based in X country, having a local establishment dealing with marketing campaigns towards EU markets. Since the activity of the local establishment is inextricably linked to the processing of the personal data carried out by the website, Article 3(1) is applicable where the controller or the processor is present in EU. Application of the GDPR to the establishment of a controller/processor in the Union, regardless of whether the processing takes place in the Union. As per Article 3(1), the processing of personal data in the context of the activities of an establishment of a controller or a processor in EU triggers the application of GDPR and the related obligations for the data controller or processor concerned. Application of the establishment criteria to controller and processor The establishment of a controller and that of a processor must be considered separate as there are distinct obligations for controllers and for processor listed under the GDPR. The existence of a relationship between a controller and a processor does not necessarily trigger application of GDPR to both, if only one of the entities is established in EU. The two scenarios detailed below should explain the position.
- Where processor is located outside EU and not subject to the GDPR, but the controller is present in EU: It is provided that the controller should comply with Article 28 (3) of the GDPR and ensure that the GDPR obligations are extended to the processor by the means of a contract.
- Where the processor is present in EU and the Controller is not: Assuming that the controller is not processing data in the context of its establishment in EU, the processor alone is subject to GDPR obligations. Therefore, unless other factors are present Article 3(1) will not apply to the controller but would apply to the processor.
Further, the Guidelines provide that the EU territory cannot be used as a ‘data haven’ and the legal obligations beyond the EU data protection law, including rules with regard to public order will have to be respected by the data processor established in EU, regardless of the location of the data controllers.
- Application of the Targeting criterion under Article 3(2)
Article 3(2) sets out the circumstances in which the GDPR applies to a controller or processor not established in EU, depending on their processing activities. This criterion becomes applicable in absence of an establishment of the entity in EU, if the activities of a controller or processor of the entity are related to processing of personal data of the data subjects who are present in EU. The applicability of GDPR is triggered when the processing activity is related to (i) offering goods or services to the subject or (ii) monitoring the behaviour of the subject for profiling, etc. In order to assess the applicability the criterion, the Board recommends a two-fold approach under the Guidelines. Data subjects in EU It is provided that protection under Article 3(2) extends to every natural person present in EU, irrespective of their nationality or place of residence. The requirement of the location of natural persons in EU, must be assessed when the processing activity takes place, i.e. when the offer is made or when the monitoring in undertaken as per Article 3(2) of GDPR. It is also provided that the element of ‘targeting’ the data subjects in EU either by offering goods or services or by monitoring them is crucial and should be present for applicability GDPR under Article 3(2). Which effectively means that, if a tourist travelling through EU makes use of an online mapping service which is available in her country and not marketed in EU and is collecting certain personal data, this act of data processing will not fall under the ambit of Article 3(2) as the services are not primarily offered to people who are using the mobile application in EU.
- ‘Offering goods or services’
It is provided that the trigger activity, of offering goods or services to a data subject applies irrespective of whether a payment is required to be made by the data subject for that particular good or service. Further, there should be an ‘intention’ to offer goods or services to the data subjects who are in EU. The factors that can be considered in ascertaining the intention to offer goods or service can be the language used on the website, the currency available to use while ordering from the websites, apparent mention of the offer, etc.
- Monitoring of data subjects behaviour
The second activity identified under Article 3(2) is monitoring of behaviour of the subject for profiling, etc. For Article 3(2) (b) to trigger the application of the GDPR, the behaviour monitored must first relate to a data subject in EU and, as a cumulative criterion, the monitored behaviour must take place within the territory of EU. The Guidelines state that even though recital 24 relates to monitoring of behaviour through the tracking of a person on the internet, the Board considers that tracking through other types of network or technology involving personal data processing should also be taken into account in determining whether a processing activity amounts to a behavioural monitoring, for example through wearable and other smart devices. The Board clearly mentions that ‘monitoring’ implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. The Board opined that any online collection or analysis of personal data of individuals in the EU would not necessarily be considered as “monitoring” and that it would be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data.
- Processing in a place where the law of the Member state applies, by the virtue of public international law - Article 3(3)
This provision is expanded upon in Recital 25 which states that “[w]here Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.” The Guidelines provide the following example to illustrate the applicability of Article 3(3). The Dutch consulate in Kingston, Jamaica, opens an online application process for the recruitment of local staff in order to support its administration. While the Dutch consulate in Kingston, Jamaica, is not established in the Union, the fact that it is a consular post of an EU country where Member State law applies by virtue of public international law renders the GDPR applicable to its processing of personal data, as per Article 3(3). Designation of Representatives in EU Article 27 provides that whenever a controller or processor becomes subject to GDPR as per Article 3(2), it has to designate a representative in EU. The Guidelines provide guidance with respect to the designation, establishment and obligations of the representative, as mentioned below.
- Designation of the Representative
It is provided that there should be a written mandate to the representative of the controller or processor of the GDPR obligations. A representative can be legal or a natural person, who can be appointed as a representative on the basis of a contractual relationship. One person can act as a representative for multiple entities. In case of a company or any organisation – one person is to be assigned as the lead person in charge of an entity. However, the designated representative cannot be deemed to be the external data protection officer (DPO) nor does such designation qualify as an ‘establishment’ under the ambit of Article 3(1)
- Location of the Representative
It is provided that the criterion of establishment of the representative is the location of the data subjects whose personal data is being processed and the place of processing is not relevant. It is also provided that if significant portion of the data processed is from one member state, then the establishment of representative should be in that state, as a matter of good practice.
- Obligations of the Representative
The obligations of the controller or the processor are distinct from the obligation of the representative. The representative acts on behalf of the controller or processor. The representative shall maintain a record of the processing activities on behalf of the controller or processor. Maintenance of such record is a joint obligation, as the controller or processor should provide accurate and updated information. The representative should perform its tasks in accordance to the mandate of the controller or processor, including cooperation with the competent supervisory authorities with regards to ensuring compliance with the GDPR.
Source:  Google Inc. v AEPD, Mario Costeja González (C-131/12), Weltimmo v NAIH (C- 230/14), Verein für Konsumenteninformation v Amazon EU (C-191/15) and Wirtschaftsakademie Schleswig- Holstein (C-210/16)