After much publicity, the European Union’s General Data Protection Regulation, commonly known as the GDPR, came into effect on May 25 this year.
As most people now know, the GDPR does not just apply to organizations incorporated or located in the EU. The GDPR will apply to a non-EU organization under any one of three criteria:
- it has an “establishment” in the EU;
- it offers goods or services to individuals in the EU; or
- it monitors the behavior of individuals in the EU.
But these criteria can be difficult to apply in practice, and their exact effect is not always clear.
Another issue which has caused great confusion is the link between sending marketing materials and consent. You are almost certain to have received multiple communications in the lead-up to May 25th saying that unless you “opt in,” a company you have previously dealt with can no longer contact you or keep you on its database. In many cases, this is a misconception.
We explore the first difficulty below. In our next issue, we’ll discuss the database question.
Processing by an Establishment in the EU
If an organization has an “establishment” in the EU, the GDPR applies to the processing of personal data in the context of its activities, regardless of where the processing takes place.
The only light that the GDPR shines on the meaning of an establishment is that it “implies the effective and real exercise of activity through stable arrangements” and that “the legal form of such arrangements, whether through a branch or a subsidiary with a legal personality is not the determining factor.”
Examples typically given of an establishment which does not involve a separate legal personality include an office, however small, or the appointment of an agent. It is also arguable that having a contract with a third party based in the EU might, depending on its nature, give rise to an establishment – for example, an outsourcing or distribution arrangement.
So the first difficulty may be in deciding whether you have an establishment.
The second difficulty with this test is how far it extends into an organization which has an establishment in the EU but also operates outside the EU. If the organization is a group of companies or limited partnerships, some inside and some outside the EU, or has offices both inside and outside the EU, is it only the processing by those within the EU that is subject to GDPR, or the whole organization? Or does it depend on the organization’s structure? Alternatively, it may depend, at least in part, on where the data subject is located, inside or outside the EU. The possibilities here are multiple; consider the following example:
A U.S. company with London and Paris offices, but no separate legal entity, processes personal data of individuals. Is it only the data processing carried out by its London and Paris offices which is subject to GDPR? Or are these offices part of one larger establishment, thus subjecting all data processing activity throughout the company to GDPR – bearing in mind that for this criterion of GDPR applicability, it does not matter where the processing actually takes place? If the establishment is the whole company, does this mean that, where the Chicago office processes personal data on U.S. resident citizen employees, such employees can claim powerful GDPR rights?
Would the above conclusion be different if the London and Paris operations were conducted through subsidiaries?
Unfortunately the answers to these questions remain unclear and different organizations have taken different approaches.
Offering Goods and Services
The GDPR applies to businesses without an EU establishment if they process the personal data of individuals who are in the EU when offering them goods or services, regardless of whether any payment is charged. This applies to the processing of personal data of any data subjects who are “in” the EU, regardless of their nationality or residency. It therefore covers the personal data of EU citizens, residents and temporary visitors.
What constitutes “offering” goods or services depends on intention rather than the mere availability of the goods or services. Simply having a website in the organization’s own language and currency with products or services available for purchase is not enough, but if the website is in an EU language which is not the organization’s native language, or quotes prices in an EU currency such as euros or GBP, or mentions customers or users in the EU, then GDPR will likely apply.
However, it is important to note that the application of GDPR in this case does not seem as wide as where there is an EU “establishment,” as described above. GDPR only applies here where the processing activities are related to offering goods or services to data subjects in the EU. It is fairly clear that if a U.S. company had a U.S.-based website targeted at the EU as well as the U.S., it would only have to worry about GDPR compliance in relation to its users based in the EU. But there is a danger here that in carrying out such compliance and providing data subjects with the information GDPR requires, the U.S. company might by contract inadvertently offer U.S. resident citizens rights they would not otherwise have.
Monitoring Behavior
Finally, the GDPR applies where an organization processes personal data of data subjects who are in the EU where it relates to monitoring their behavior which takes place within the EU.
“Monitoring” is not defined in the GDPR, but the Recitals state: “to determine whether processing can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling ....”
So the meaning seems to be following someone’s internet activity, such as their browsing or purchasing activities, but it is not clear whether it could be wider than that and include monitoring of other activities, or whether subsequent profiling is necessary, although it seems not.
As with the offering of goods and services, the GDPR will only apply here to internet activity which takes place in the EU by individuals located there, and not to the monitoring of U.S. resident citizens. However, since the test is not one of citizenship or residency but rather of where the data subject is located at the time, GDPR will apply to the internet activity of U.S. citizens while they are on a business trip or vacation in the EU.