Data law in the EU
The extra-territorial scope of the EU's GDPR
How the EU's general data privacy regulation's (GDPR's) long-arm jurisdictional scope reaches you nonetheless.
The GDPR applies to data processing activities conducted by organisations established in the EU.
However, pursuant to judgments of the Court of Justice of the European Union (CJEU), the phrase 'establishment' has to be interpreted very broadly. The CJEU ruled that 'any real and effective activity - even a minimal one - being exercised through stable arrangements' may suffice to qualify as an establishment in European data privacy law.
This understanding has now been explicitly incorporated in the GDPR. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.
In fact, the CJEU considered as sufficient that a data controller:
- operated a website 'mainly or entirely directed' at a specific member state; and
- had appointed a representative in this member state who was responsible for recovering the debts resulting from that activity and for representing the data controller in administrative and judicial proceedings relating to the processing of the data concerned.
Thus, the GDPR (and current EU data privacy law) might apply directly to your business, even if you have no formal establishment within the EU.
Under the GDPR, even if your organisation does not fall under the broad interpretation of a 'data privacy establishment' in the EU, the GDPR might still apply.
In particular, the GDPR extends its territorial reach with two types of business activities, ie data processing activities relating to:
- offering of goods or services (even if for free) to data subjects situated in the EU (not restricted to EU citizens); and
- monitoring of the behaviour of such data subjects.
Thus, data controllers and data processors outside of the EU whose data processing activities relate to such business activities are now also subject to the rules set out in the GDPR.
'Offering goods or services' requires more than the mere accessibility of a website, an email address or other contact details, or the use of a language that is also generally used in the country in which the data controller (or data processor) is established.
However, the use of an EU language or currency (other than the language/currency in the data controller's country of establishment) with the possibility of ordering goods and services in that other language, or references to EU customers or users, may make it apparent that the data controller envisages offering goods or services to data subjects in the EU.
'Monitoring behaviour' specifically includes internet tracking of data subjects (eg via cookies), especially if the gathered data is subsequently used for profiling activities, eg to enable decisions to analyse or predict personal preferences, behaviours and attitudes.
As both criteria are broad and sketchy on the edges, it remains to be seen how these will be interpreted and applied by national data privacy authorities and the CJEU.
However, keeping in mind that the CJEU is keen on a broad application of European data privacy law, and the intention behind the GDPR's long-arm jurisdictional reach, businesses should prepare for a broad application of these criteria.
What actions do businesses have to take?
If your business activities conducted via a non-EU establishment are caught by the GDPR and you cannot conduct them via an organisation based in the EU, the GDPR will apply fully to your data privacy activities and must be complied with by the non-EU organisation to avoid potential sanctions.
Non-compliance with the principles for data processing activities as set out in the GDPR is subject to fines of up to the higher of €20m and 4 per cent of the annual worldwide turnover. Therefore, it is of utmost importance for non-EU based organisations to assess whether (and if so which of) their business activities fall under the GDPR's long-arm jurisdiction and, if this is the case, to take all the necessary steps to fully comply with the rules set out in the GDPR.
Further, non-EU data controllers and/or data processors that fall under the scope of the GDPR are obliged to appoint a representative in the EU, who will serve as point of contact for inquiries by national data privacy authorities (responsibility and liability remains with the non-EU organisation). Failure to appoint a representative is subject to fines of up to the higher of €10m and 2 per cent of the annual worldwide turnover.