On 16 November 2018, the former Article 29 Working Party – renamed the European Data Protection Board (EDPB) – opened for public consultation its draft guidelines on the territorial scope of the European General Data Protection Regulation (GDPR). These draft guidelines, formally named Guidelines 3/2018, are available here in English. They are particularly relevant for Swiss businesses as they provide interpretative guidance on the conditions under which the GDPR applies to businesses outside of the EU/EEA.
The EDPB is an independent advisory body composed of representatives of the national data protection authorities and the European Data Protection Supervisor. Its purpose is to ensure a harmonized application of the GDPR throughout the European Union. It pursues this objective in particular by publishing guidelines or issuing binding decisions directed towards the national supervisory authorities.
In its draft Guidelines 3/2018, the EDPB looks into the scope of application of Article 3 GDPR which governs the territorial reach of the GDPR and bases this reach primarily on one of two criteria: establishment or targeting. More specifically, the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union (Article 3 para. 1 GDPR) as well as to such processing if it relates to the offering of goods or services to data subjects in the Union or the monitoring of the behaviour of said data subjects if it takes place within the Union (Article 3 paragraph 2 GDPR; so-called “targeting” criterion).
That being said, some uncertainty exists as to the practical extent of the above provision leading to fears of near-unlimited applicability of the GDPR. Hence the EDPB indicates in particular the following:
- The establishment criterion requires first of all defining the notion of “establishment”. The EDPB recommends a broad definition pursuant to which the establishment extends to any “real and effective activity – even a minimal one – exercised through stable arrangements. […] The threshold for ‘stable arrangement’ can be quite low” (draft Guidelines 3/2018, page 5, this definition coming from the CJEU “Weltimmo” decision C-230/14). As a second step, the EDPB notes that the processing of personal data must be carried out in the context of the activities of an establishment, though it is not necessary for the establishment itself to carry out this processing; the EDPB argues in favour of a case-by-case analysis. A third consideration is the fact that the GDPR (Article 3 para. 1 GDPR) does not restrict its application to the processing of personal data of individuals who are in the Union. Hence, the EDPB considers that the location or the nationality of the data subject is not relevant. As a final consideration, the EDPB notes that Article 3 para. 1 GDPR applies to controllers and processors alike even if they are not subject to the same obligations under the GDPR.
- The targeting criterion also calls for various considerations. Firstly, the targeting criterion is limited to data subjects who are in the Union and requires more than “simple” processing of personal data, but truly calls for a “targeting” element (offering of goods or services; behaviour monitoring). Secondly, the offering of goods or services may lead to the applicability of the targeting criterion irrespective of whether a payment is required. In particular, the EDPB notes that there must be a connection between the processing activity and the offering of goods or services, but “both direct and indirect connections are relevant and to be taken into account” (draft Guidelines 3/2018, page 15). Thirdly, regarding the monitoring of data subjects’ behaviour, the EDPB notes that not all online collection or analysis of personal data should automatically be deemed “monitoring” and, instead, considers that it will be necessary to consider “the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data” (Guidelines 3/2018, page 18).
The above considerations are but excerpts aimed at highlighting some central questions and various topics regarding the territorial application of the GDPR are left unanswered. These draft guidelines are not binding and as mentioned above are undergoing a public consultation process which will end on 18 January 2018. At that point, the EDPB will prepare a final version of its guidelines. Though the guidelines of the EDPB are not binding, they will, to a certain extent, be taken into account by the courts. It is therefore important for businesses based outside of the EU/EEA to closely follow all new developments and court decisions. Furthermore, other situations may also lead to the applicability of the GDPR to businesses based outside of the EU/EEA.