Not established in the European Union?
How the new EU data privacy regulation's long-arm jurisdictional scope reaches you nonetheless!
The EU has adopted its new data privacy regulation which will come into force on 25 May 2018 (General Data Protection Regulation, GDPR). Primarily, the GDPR will apply to data processing activities conducted by organizations established in the EU. However, pursuant to recent judgments of the Court of Justice of the European Union (CJEU), the phrase "establishment" has to be interpreted very broadly. The CJEU ruled that "any real and effective activity - even a minimal one - being exercised through stable arrangements" may suffice to qualify as an establishment in European data privacy law. This understanding has now been explicitly incorporated in the GDPR. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect. In fact, the CJEU considered as sufficient that a data controller operated a website "mainly or entirely directed" at a specific Member State and that it had appointed a representative in this Member State who was responsible for recovering the debts resulting from that activity and for representing the data controller in administrative and judicial proceedings relating to the processing of the data concerned. Thus, the GDPR (and current EU data privacy law) might apply directly to your business, even if you have no formal establishment within the EU.
Under the upcoming GDPR, even if your organization does not fall under the broad interpretation of a "data privacy establishment" in the EU, the GDPR might still apply. In particular, the GDPR extends its territorial reach to two types of business activities, i.e. data processing activities relating to (i) the offering of goods or services (even if for free) to data subjects situated in the EU (not restricted to EU citizens), and (ii) the monitoring of the behaviour of such data subjects. Thus, data controllers and data processors outside of the EU whose data processing activities relate to such business activities are now also subject to the rules set out in the GDPR.
"Offering goods or services" requires more than the mere accessibility of a website, an email address or other contact details, or the use of a language that is also generally used in the country in which the data controller (or data processor) is established. However, the use of an EU language or currency (other than the language / currency of the data controller's country of establishment) combined with the possibility of ordering goods and services in that other language, or references to EU customers or users, may make it apparent that the data controller envisages offering goods or services to data subjects in the EU.
"Monitoring behaviour" specifically includes internet tracking of data subjects (e.g. via cookies), especially if the gathered data is subsequently used for profiling activities, e.g. to take decisions concerning the data subject or to analyse or predict personal preferences, behaviours and attitudes.
As both criteria are broad and vague at the edges, it remains to be seen how they will be interpreted and applied by national data privacy authorities and the CJEU. However, keeping in mind that the CJEU favours a broad application of European data privacy law, and the intention behind the GDPR's long-arm jurisdictional reach, businesses should prepare for a broad application of both criteria.
What actions do businesses have to take?
If your business activities conducted via a non-EU establishment fall under the scope of the GDPR and for whatever reason cannot be conducted via an organization based in the EU, all rules set out in the GDPR will apply fully to such data processing activities and have to be complied with by the non-EU organization, not least to avoid potential sanctions, which have been increased substantially compared to current EU data privacy regulation. Non-compliance with the principles for data processing activities set out in the GDPR is subject to fines of up to the higher of EUR 20 million and 4% of the annual worldwide turnover. Therefore, it is of utmost importance for non-EU based organizations to assess whether (and if so, which of) their business activities fall under the GDPR's long-arm jurisdiction and, if this is the case, to make all the necessary preparations to fully comply with the rules set out in the GDPR.
Further, non-EU data controllers and/or data processors that fall under the scope of the GDPR are obliged to appoint a representative in the EU, who will serve as a point of contact for inquiries by national data privacy authorities (responsibility and liability remain with the non-EU organization). Failure to appoint a representative is subject to fines of up to the higher of EUR 10 million and 2% of the annual worldwide turnover.
Aligning your business activities for compliance with the GDPR can be a lengthy process. The time to start is now.