When does the GDPR apply to North American organisations?
By now, North American organisations will be well aware that they can be subject to the European Union’s (EU) new data pro-tection law, the General Data Protection Regulation (GDPR), without having a physical presence in the EU. Over the past cou-ple of years, in the lead-up to GDPR coming into force on 25 May 2018, many of those organisations will have taken advice on compliance and put new procedures, policies and contracts in place. This is not surprising since fines issued by EU authorities can be €20 million or 4% of worldwide group turnover, if higher.
That was the theory, but one could only speculate as to whether EU authorities would in practice take enforcement action against North American organisations with no EU presence for breach of GDPR, and what form that would take.
Over six months after the GDPR took effect, we have two examples from the UK’s Information Commissioner’s Office (ICO), which shed some light on attitudes toward enforcement. Before looking at these, it is worth briefly recapping on when GDPR will apply to a North American organisation:
- if it has an “establishment” in the EU, such as a subsidiary, branch, office, agent or other presence implying an effective and real exercise of activity through stable arrangements;
- it has no EU establishment but intentionally offers goods or services to individuals located in the EU; or
- it has no EU establishment but monitors the behaviour in the EU of individuals located there.
These criteria are not always straightforward to apply, although some assistance can be drawn from the European Data Protec-tion Board’s recently published guidelines. With respect to questions over enforcement, we are particularly concerned with the second and third criteria. Here, there is neither a legal entity and probably no physical assets in the EU, against which lo-cal legal or enforcement action can be taken by an EU data protection authority. Although such entities are supposed to ap-point a data protection representative in the EU who can be held liable, one suspects that most have not done so.
The first case – The Washington Post
The first case, reported in November 2018, concerns the Washington Post. The Post is subject to GDPR because it processes the personal data of individual subscribers located in the EU while intentionally offering them subscription services.
A complaint was made by a UK reader that the Post breached GDPR because it only allowed potential readers to turn off cookies and tracking by taking the most expensive subscription option, costing $9 a month.
The ICO upheld the complaint on the grounds that users were not given a genuine choice and control over how their data was used. Effectively, their consent to having their personal data processed via the use of tracking and cookies was not freely given as they had to pay for the “premium ad-free” subscription to avoid it. The forced “consent” to accept cookies and tracking under the free or basic subscription was therefore invalid under GDPR and there was no lawful basis of processing.
Although there is no information about this complaint on its website, the ICO is reported to have said,
”We have written to the Washington Post about their information rights practices . . .. We have told them they should now ensure that users of the Washington Post website have the option to access all levels of subscription without hav-ing to accept cookies.”
But, in a concluding statement that casts doubt on its enforcement powers, the ICO reportedly added ”We hope that the Washington Post will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter.” As of the date of writing this article in late December, the Washington Post had not altered its practices.
This raises the question as to whether the ICO and other European data protection authorities are unwilling – or see them-selves as powerless – to take enforcement action outside the jurisdiction.
However, it may be dangerous to rely on this as a precedent. First, the ICO may at the time have been struggling to cope with the number of complaints it was receiving in the first few months of GDPR and, second, it may have regarded this as a rela-tively minor breach, preferring to focus on complaints which were more serious and closer to home.
Assuming it had the will and resources to enforce this breach of GDPR, the ICO may still have had a practical problem in en-forcing this complaint, since it is unclear how it would have jurisdiction against the Post. Although the ICO has a memorandum of understanding with the Federal Trade Commission promising mutual assistance in enforcing and/or securing compliance with “covered privacy violations,” these are limited to practices which are substantially similar to those prohibited in the as-sisting country. Since US law does not have the same rules on consent and does not prevent charging in order to opt out of cookies, the FTC would have no obligation under the memorandum to assist an ICO enforcement action. In any event, the memorandum is not binding.
So does this mean that North American organisations without EU presence have wasted their time and money in complying with GDPR? Or, to put it more positively, can such organisations breathe more easily in the knowledge that they will not face action or large fines for breach? Not necessarily, as we will see from the next case.
The second case - Aggregate IQ Data Services
In this case, the ICO considered the activities of Aggregate IQ Data Services (AIQ), based in Vancouver. AIQ was subject to GDPR because under a contract with various UK political organisations, it obtained personal data about UK individuals which it used to target them with political advertising messages on social media. This brought it within the third of the above catego-ries, in that it was monitoring the behaviour of data subjects in the EU.
This came to the ICO’s attention from its investigation into data analytics in politics, arising from the allegations surrounding Facebook and Cambridge Analytica in relation to the Brexit campaign. Although most of this activity took place in 2016, be-fore GDPR came into force, the ICO was concerned that AIQ continued to retain and otherwise process the data.
The ICO served an enforcement notice on AIQ in July 2018 requiring AIQ to cease processing any personal data of EU citi-zens for the purposes of data analytics, political campaigning or other advertising purposes.
AIQ appealed and ultimately discontinued that appeal when the enforcement notice was issued in a revised, much narrower form in October.
The October enforcement notice gave AIQ 30 days to erase personal data of specific individuals in the UK which it had pre-viously monitored. The period begins after AIQ’s local regulator (the Office of the Information and Privacy Commissioner of British Columbia) completes its separate investigation of AIQ’s privacy practices. Failure to comply with the enforcement no-tice is on pain of a penalty notice, i.e., a fine, of up to €20 million or 4% of turnover. Presumably, AIQ will comply with the no-tice, thus preventing a fine. If not, it will be interesting to see the amount of the fine and what steps the ICO takes to enforce it, if AIQ refuses to pay.
Why the difference in approach?
The ICO has not commented on why it has taken stronger action against AIQ than the Post. While one can only speculate as to the reasons, it seems that this arises from a number of factors:
- First, politics – the ICO had previously “observed with concern” the application of behavioural advertising to political cam-paigning, in which AIQ participated.
- Second, the nature and seriousness of the breach – non-observance of the rules on cookies by the Post is not as serious as AIQ’s breach of three of the GDPR’s data protection principles, namely, lawful, fair and transparent processing, purpose limitation and data minimisation.
- Third, the country of origin of the data controller may make a difference – Canada may be seen as a more friendly jurisdiction to enforce GDPR rules than the US. On the other hand, the ICO may have been emboldened by the fact that AIQ was under investigation from its own data privacy regulator and AIQ’s actions may have been closer to a violation of local law than those of the Post, whose approach on cookies complies with US law.
Even where the ICO or other EU data protection authorities have the will to take strong action, they may still find it difficult to enforce penalties against North American companies with no physical presence and no local representative in the EU. To do so, they would have to have the penalties converted into a Court judgment and seek to have a U.S. or Canadian Court to give the judgment extraterritorial effect on principles of comity. In the U.S., this will involve the US Court being satisfied that the foreign Court properly had jurisdiction over the matter and that the judgment was not contrary to public policy.
In conclusion, international enforcement of GDPR remains a legal “hot potato,” but it is potentially easier and cheaper to take compliance steps than to risk becoming a test case.