GDPR – Extra-Territoriality Revisited

Privacy & Cybersecurity Newsletter
August 2019

Although seemingly simple on its face, the test for determining whether an organization is subject to the European Union’s stringent data protection laws, the GDPR, continues to confound.

In this article, we examine the situation of insurance companies and universities based in the United States with no European presence that wish to communicate with their customers and alumni now residing in Europe. Is this communication enough to subject them to the rigorous standards of GDPR?

The GDPR’s Territorial Test
Article 3 of the GDPR sets out a deceptively simple-sounding territorial test. Broadly, it applies to organizations by one of two criteria:

the “establishment criterion” - where the organization is “established” in the EU and processes personal data in relation to that establishment, regardless of where the individuals are located and where the processing takes place; or

the “targeting criterion” - where the organization is not established in the EU, but processes personal data of individuals physically located in the EU in relation to intentionally offering them goods or services or monitoring their behavior in the EU.

Where an insurance company has an “establishment” in the EU, such as a subsidiary, branch or office, or where a university has a campus or other physical presence in the EU, one can see the clear logic of GDPR applying to the personal data processing activities of that establishment. This, the establishment criterion, is not the subject of this article, although it is worth noting that where GDPR applies, this criterion is not limited to the processing carried out by the EU establishment - the GDPR is also likely to extend to at least some of the processing activities of the U.S. parent.1

Under the targeting criterion, there is a sound rationale for the GDPR to apply to cases where a U.S. company proactively offers its goods or services to EU residents to grow an international market or where the U.S. company monitors the behavior of EU residents to monetize advertising to be targeted at them.

However, what of the case of an insurance company based solely in the U.S. that markets solely within the U.S. for customers? There is a chance that some percentage of its insureds may later move to the EU. There is also the chance that the insurer may not be aware of such moves, and may continue to retain only an electronic address to contact customers about renewals and offers of new products. Likewise, offers to customers may also be available on the insurer’s website, hosted in the U.S. but accessible globally.

Similarly, consider a U.S.-based university with no European campus or office, which does not actively solicit applications from students outside North America. The university may also keep in touch with its many thousands of alumni, primarily by email and its website, offering them overseas trips, branded leisurewear and other merchandise. Some of the alumni may move to the EU, where they continue to receive these offers.

The question, in both cases, is whether GDPR applies to the organization’s processing of the personal data of these EU-based individuals.

These Individuals Are Not EU Citizens Or Residents, So How Can GDPR Apply?
One of the first myths to dispel is that GDPR only protects EU citizens and residents. As the European Data Protection Board (EDPB), which is comprised of representatives of the national data protection authorities, points out in its recent guidelines on territorial scope,2 the targeting criterion refers to “data subjects who are in the EU”. Therefore, the application of GDPR “is not limited by the citizenship, residence or other type of legal status of the data subject”.

The determining factor under the targeting criterion is the data subject’s actual physical location. This is assessed at the moment the trigger activity takes place, being the moment the goods or services are offered.

This seems to apply GDPR to the examples above: the relevant customers and alumni are located in the EU when the offers are made. In fact, on this basis it will even apply to customers and alumni who just happen to be in Europe on vacation or a short business trip when an email or text containing an offer is sent to them.

Website Offers
In the examples above, various customer and alumni offers are available on the insurer’s or the university’s U.S.-based websites, which are readily accessible from the EU.

Here, the position is relatively clear: the mere accessibility of a U.S.-based website from the EU does not trigger GDPR. GDPR is only triggered where the U.S.-based website’s features or content show that there is an intent to offer goods or services to EU individuals, such as by quoting prices in an EU currency, making it possible for users to order in an EU language other than English, providing a dedicated address or phone number to be reached from an EU country, offering delivery to an EU country or mentioning customers in the EU. This is specifically stated in Recital 23 of GDPR.

Therefore, so long as there is no content on the websites clearly aimed at the EU, U.S.-based insurers and universities can operate their websites without being subject to GDPR, even though EU-located customers and alumni may access and place orders on the site.

Individual Offers
The test for websites, referred to above, is the only example the GDPR gives of whether “it is apparent that the controller … envisages offering services to data subjects …in the Union.” The GDPR says nothing on this point about offers made other than via websites.

So the position is less clear for offers targeted to individuals. In our examples, the customers and alumni are physically located in the EU when they receive an offer by email, mail or other means. This offer has been intentionally and actively sent to the individuals concerned, unlike a website which is mainly passive, only receiving orders. Is this not targeting of individuals in the EU where they are so located?

Recent guidelines of the EDPB, which carry much weight, have attempted to provide clarity. The guidelines underscore that mere data processing of EU individuals is not enough to trigger GDPR; there must also be “targeting”. But this was already stated in the GDPR. So the question remains as to what this means in practice. The guidelines give one relevant example:

A U.S. citizen travels through Europe during his holidays. While in Europe, he downloads and uses a news app that is offered by a U.S. company. The app is exclusively directed at the U.S. market. The collection of the U.S. tourist’s personal data via the app by the U.S. company is not subject to the GDPR.

In this example, the news app is “exclusively directed at the U.S. market”. Presumably this means that it was only sent to people the U.S. company believed were located in the U.S., or that it only intended to send it to such persons. The question therefore comes back to intention: did the conduct of the data controller demonstrate an intention to offer goods or services to individuals in the EU?

In answering this question for U.S.-based insurers and universities, it must be strongly arguable that, where an offer of products or services is sent to all or whole categories of customers or alumni, then the fact that a minority of them may be located in the EU does not invoke the application of GDPR, because there was no intention to send the offer to people in the EU – a subset of the recipients merely happened to be there. The argument is strongest when there is no actual knowledge that the individuals are in the EU, for example where the only record is an email address without an EU-specific Top Level Domain (TLD) such as “”.

The argument is weaker where the offer is sent to an EU-specific TLD or to a physical EU mailing address. Nevertheless, a U.S.-based insurer or university might still succeed in avoiding triggering GDPR on the basis that the mailing is on an automated mass basis with no intention to direct the offer to those located in the EU, and that sending the communication to the EU-located recipient was simply an oversight. The question then becomes how much due diligence was or should have been done to identify individuals in the EU.

It seems that the greater the knowledge of the U.S.-based entity that particular customers or alumni are located in the EU, the more likely it is to trigger GDPR if it sends them offers. Where the U.S.-based insurer or university knows or reasonably believes it likely that it has some customers or alumni in the EU – other than those who might merely pass through on vacation – it has a number of options, such as:

  • undertaking a GDPR compliance exercise;
  • removing from its mailing list for offers any customers or alumni who have EU email or mailing addresses or whom it otherwise knows are living in the EU;
  • inviting customers and alumni to notify it whether they are in the EU and, if so, removing them from the relevant mailing list as above; or
  • taking the view that while there will always be some recipients of its communications in the EU, it is not targeting the EU deliberately, so GDPR does not apply - and then waiting to see if any enforcement action is taken.

The last option carries the most risk. If a complaint is made and GDPR is found to apply, the sanctions could include heavy fines. If taking that approach, it is therefore highly advisable to take advice on, and respect, the key principles of GDPR when dealing with EU individuals’ data in order to reduce exposure. This will include keeping the data secure, not transferring it to third parties, and not using it for any purpose which could harm the individual.

  1. If the activities of the local EU establishment are “inextricably linked” to the U.S. parent’s data processing, that processing will be covered by GDPR.
  2. Draft guidelines 3/2018 on the territorial scope of GDPR (article 3), adopted 16 November 2018.