The European Data Protection Board (EDPB), the successor to the Article 29 working party, recently provided long-awaited guidance on the territorial scope set forth in Article 3 of the General Data Protection Regulation (GDPR). This e-alert addresses the threshold issue of the applicability of the GDPR to a particular organization, but a detailed discussion of compliance is beyond its scope.

What we knew from the GDPR

In short, the GDPR applies under three circumstances: (1) if processing occurs in the context of the activities of an establishment of either a controller or processor in the EU; (2) if the controller or processor is not established in the EU but offers goods or services to data subjects in the EU; and (3) if the controller or processor is not established in the EU but monitors behavior of data subjects in the EU.

One very popular myth is that the GDPR is so broad that it applies to any business with a website that is accessible in the EU. Recital (23) to the GDPR dispels that myth, explaining that for the GDPR to apply, the controller or processor must “target” data subjects in the EU:

Recital (24) gave limited guidance on what constituted monitoring:

What we know from the new guidance

On November 23, 2018, the EDPB released Guidelines 3/2018 on the territorial scope of the GDPR (Article 3). That guidance is particularly helpful when evaluating whether the GDPR is applicable to a controller or processor who is not established in the EU.

In that guidance, the EDPB made clear that the “targeting criterion” for the offering goods or services prong requires a case-by-case analysis of (1) whether the processing relates to personal data of data subjects who are in the Union and (2) whether it relates to the offering of goods or services or to the monitoring of data subjects’ behavior in the Union. See Guidelines 3/2018 on the territorial scope of the GDPR at 13.

The EDPB clarified that “[t]he requirement that the data subject be located in the Union must be assessed at the moment the relevant trigger activity takes place, i.e., at the moment of offering of goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer made or monitoring undertaken.” See id.

The guidance also reveals that the processing of personal data of individuals in the EU alone does not subject a controller or processor not established in the EU to the GDPR. As the EDPB explained, “[t]he element of ‘targeting’ individuals in the EU, either by offering goods or services to them or by monitoring their behaviour .  .  . must always be present in addition.” Id. at 14. The guidance includes the following example:

Id.

The guidance is also helpful because it elaborates on Recital 23’s discussion of targeting and targeting examples. The EDPB explains that the following factors should be taken into consideration:

• The EU or at least one Member State is designated by name with reference to the good or service offered;
• The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertising campaigns directed at an EU country audience;
• The international nature of the activity at issue, such as certain tourist activities;
• The mention of dedicated addresses or phone numbers to be reached from an EU country;
• The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example, “.de”, or the use of neutral top-level domain names such as “.eu”;
• The description of travel instructions from one or more other EU Member States to the place where the service is provided;
• The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
• The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member States;
• The data controller offers the delivery of goods in EU Member States.

The guidance also addresses monitoring that can subject a business to the GDPR. Although the concept of targeting is not specifically addressed in the GDPR or its Recitals in the context of monitoring, the EDPB notes that the use of the word monitoring “implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU.” Id. at 18. Importantly, the EDPB acknowledges that it “does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as ‘monitoring.’” Id. It is necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioral analysis or profiling techniques involving the data.  Id.

The EDPB notes that the following activities could constitute monitoring:

• Behavior advertising;
• Geo-localization activities, in particular for marketing purposes;
• Online tracking through the use of cookies or other tracking techniques such as fingerprinting;
• Personalized diet and health analytics services online;
• CCTV;
• Market surveys and other behavioral studies based on individual profiles;
• Monitoring or regular reporting on an individual’s health status.

Id.

Take-Aways

The main take-aways concerning the extra-territorial scope of the GDPR are that not every instance of processing of personal data of a data subject in the EU subjects an entity to the GDPR and that not every online collection or analysis of personal data constitutes monitoring. Whether the GDPR applies is a fact specific inquiry that requires an evaluation of many different factors. If you have questions about whether the GDPR is applicable to your business or other GDPR compliance issues, please contact Jackson Walker’s data privacy team.