Territorial scope and application
Extraterritorial Scope of EU Regulation
The current EU Data Protection Directive (95/46/EC) only applies to organisations located within the EU (either established in the EU or using equipment in the EU to process data), meaning that organisations operating outside the EU generally need not worry about complying with EU data protection laws (although many choose, or are contractually obliged by EU customers, to adopt equivalent data protection safeguards as a benchmark of best international data privacy practice). However, the EU Data Protection Regulation will have extraterritorial effect. This means that some organisations established outside the EU will have to comply with the Regulation or face enforcement action from data protection authorities in the EU.
There are various situations in which an organisation will have to comply with the Regulation (under Article 3):
(A) Non-EU headquartered organisations “established” within the EU (for example, a company with a branch office or agent operating in London or Madrid), regardless of whether the organisation chooses to process data about EU individuals inside or outside the EU.
(B) Non-EU established organisations which are:
(1) offering goods or services to individuals who are in the EU, even if provided free of charge, or
(2) monitoring the behaviour of individuals who are in the EU where their behaviour takes place in the EU.
(C) Organisations established in a place where the national law of an EU Member State applies by virtue of public international law, such as a diplomatic mission or consular post.
Note that the territorial application of the Regulation is expressed as applying to both controllers and processors.
Understanding the Application to Non-EU Established Businesses
Offering goods or services to individuals in the EU
Guidance is available under Recital 20 of the Regulation, which provides that the Regulation will apply if it is apparent that the organisation is envisaging offering goods or services to individuals residing in one or more EU Member States. This suggests that a provider of goods or services online could become subject to the EU Regulation to the extent that it actively markets to the particular geographic area, not if it merely provides a website that is available to individuals in a particular geographic area. However, factors such as the use of any language or currency generally used in EU Member States which would facilitate the provision of goods and services to customers in the EU, or the mention of customers or users residing in the EU, will also be taken into account. For example, if an e-commerce business based in the US does not ship its goods to consumers in the EU and does not provide currency conversion or language options to cater to an EU market, then it is likely that it will not be bound to comply with the Regulation. However, the situation will not be so clear cut for many organisations.
In practice, this means that many non-EU established providers of Internet services, such as websites, social networking and application providers that do not have an establishment in the EU, could be expected to comply with the EU Regulation’s prescriptive framework as soon as individuals within the EU interact with them, for example, a Middle Eastern or Chinese website that is accessed by Arabic-speaking or Chinese-speaking individuals living in the EU, or US-based cloud providers hosting personal data of EU residents.
Where businesses outside the EU are processing personal data in relation to the monitoring of an individual’s behaviour which occurs within the EU, and the individual is in the EU, this will be caught under the Regulation. The Regulation equates “monitoring” with a form of “profiling”: that is, the tracking of an individual on the Internet with data processing techniques that consist of profiling that individual, particularly in order to make decisions concerning him or her or for analysing or predicting his or her personal preferences, behaviours or attitudes (Recital 21). “Profiling” refers to the use of automated processing of personal data to evaluate personal aspects relating to an individual, in particular to analyse and predict aspects concerning their performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, and it is subject to certain formalities such as notification requirements and impact assessment (Article 4 (12a)).
For example, a US-based recruitment company that attempts to track an individual in the EU for e-recruiting practices using automated means, or a PRC-based bank which similarly tracks the activity of an EU resident within the EU to assess a credit card application using automated means, is likely to have “profiled” that individual, and thus will be subject to the Regulation.
Non-EU established data processors, such as outsourced service providers based in India providing BPO services to European customers, will be directly caught by the EU data Regulation when processing that data. The scope of the Regulation also extends to other recipients who carry out subsequent processing or onward transfer of personal data within or outside India. This is a substantial change from the current EU data protection regime. This could have a significant impact on the operations and contracting practices of outsourcing and shared service providers based outside the EU.
Appointing Representatives in the EU
Non-EU established organisations caught by the Regulation because they are offering goods or services to, or monitoring, individuals in the EU must also appoint and designate in writing a representative who is located within the EU (under Article 25). This is unless the organisation falls within one of the following exempted categories:
(A) processing of personal data which is “occasional” and unlikely to result in any risk for the rights and freedoms of individuals, and
(B) overseas public authorities or public bodies.
The representative must be established in one of the Member States where the individuals who are being targeted for the sale of goods or services, or who are being monitored, are located. So if, say, a Vietnamese company based in Hanoi operates a French language website promoting sales of furniture to European customers predominantly in France and Belgium, that company will have to appoint a representative in France or Belgium.
The representative takes on a substantial and not purely administrative role. Article 25(4) of the Regulation provides that the designation of a representative shall be without prejudice to legal actions which could be initiated against the appointing data controller. Although the responsibilities and liabilities of the organisation (as a controller) under the Regulation are not affected, enforcement action may be taken, and fines levied, against the representative rather than merely the organisation itself if the organisation breaches the Regulation (Recital 63). According to Recital 63, the role of the representative should be explicitly set out in a written mandate of the controller to act on its behalf under the Regulation.
There are questions over the practicalities of data protection authorities in the EU bringing enforcement action against organisations who are not established in the EU. If the organisation has appointed a representative, how would a fine or undertaking be enforceable against the representative if, for example, the representative had limited assets? Furthermore, if an organisation has failed to appoint a representative, how in practice can enforcement action be brought against it if it does not have a presence or assets in the EU? These issues remain controversial and unsettled for the time being.
“One Stop Shop” and Enforcement Practicalities
A cornerstone element of the Regulation was meant to be its “one stop shop” concept, which was intended to allow organisations operating in multiple EU Member States to be regulated only by a single data protection authority. That concept has, however, been steadily watered down. Whilst the concept of a “lead authority” remains, it will have to make decisions through consultation with other relevant national authorities which will likely negate any efficiencies intended to derive from the “one stop shop” concept.
As stated in Recital 97, where an organisation is established in multiple EU Member States, the supervisory authority in the country where the organisation has its main establishment should act as the lead authority.
The lead authority will have to cooperate, exchange information and make decisions with other concerned supervisory authorities (Article 54a). Therefore, the lead authority may have to liaise with as many as 28 regulators with respect to data protection matters. Moreover, if there is disagreement between the supervising authorities, the European Data Protection Board can step in to decide on the correct approach to the matter (Article 58).
One interesting extension of the current law by the Regulation is through a reference in Recital 97 to data processing that “substantially affects or is likely to substantially affect data subjects in more than one Member State”. The implication of these words is that, notwithstanding that an organisation may have no establishment in that other Member State where affected individuals reside, the supervisory authority in that other Member State has a place in the enforcement process and should be consulted by the lead authority. That is not a formal requirement of the current law, but the Regulation perhaps codifies what currently happens on an informal basis.
As stated above, the vagueness of relevant provisions of the Regulation lends itself to wide interpretation, and it is hoped that guidance will be issued before the Regulation comes into force, to assist overseas organisations to identify whether they are caught by it and understand their obligations under the new rules.
Whilst the Regulation seems set to come into force in 2018, organisations will be given a two year period to bring their data protection practices into compliance. Nonetheless, organisations should already be considering the potential impact on how they intend to process personal data going forward; what changes will likely be required in their data protection policies and practices; what resources will need to be allocated to data protection compliance; and how to prioritise areas where the impact of the EU Regulation could be the most significant.
For organisations with an international footprint in jurisdictions that do not have data protection regimes aligned with that of the EU, the practical consequence of compliance may well be that they will need to adopt a uniform global set of data practices that satisfy the rules of the most protective jurisdiction (most probably the EU) and which effectively raise data handling standards for their offices globally.
For organisations located in jurisdictions that have established data protection laws aligned with EU standards, an analysis of local laws against the Regulation will be required to determine the gaps and adapt existing policies and practices accordingly.
Businesses will need to look at their internal capacity to manage risks of non-compliance adequately, with a general trend towards investing in better information governance. Undoubtedly this process will bring legal expertise together with operational areas of IT, security and data management, allowing risks to be identified early and managed coherently, ensuring the organisation stays ahead of this increasingly complex and shifting regulatory landscape. There are of course issues of enforcement and the possibility of conflicts between the Regulation and the organisation’s local laws, which we envisage will not be easy to resolve.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.