The EU General Data Protection Regulation (GDPR), a major privacy law introduced by the European Union in May 2018, not only shook up the business of data-driven digital service providers but keeps affecting companies of any size and any industry all over the world. Many executives, IT managers and compliance professionals outside the EU are uncertain if and to what extent compliance requirements of the GDPR affect their business. These concerns are highly reasonable and urgent, given the fact that the GDPR has a very broad extraterritorial scope of application and triggers severe liability risks. This article outlines the territorial scope of the GDPR for companies that solely operate from establishments outside the EU.
But first, some GDPR basics
The underlying principles of EU data protection laws are designed around the traditional European privacy concept, emphasizing the idea that everyone should have a say in how others use personal information relating to him or her. One major driver of the GDPR was that the EU regulators were concerned about the impacts of the digital revolution on such values:
What level of data security would be required to protect individuals from hackers revealing private electronic communications to the public or from other severe data breaches? Is targeted advertising based on detailed user profiles hindering market transparency for consumers? How can we prevent algorithms from discriminating ethnic groups when assessing whether an application for a consumer loan is approved or rejected?
The GDPR provides for a comprehensive regulatory framework for any use of information relating to an identified or identifiable person. In any relevant context, the GDPR requires companies to ensure principles like transparency, accountability, and co-determination of the data subject concerned.
Which industries are affected by the GDPR?
Instead of imposing sector-specific regulation, the GDPR follows a one-size-fits-it-all approach. It applies to the collection and use of personal information in any environment such as customer relations, product-related analysis of user behavior, marketing, HR, to the delivery of goods, and the provision of websites, mobile applications and other online services.
Which business activities fall within the scope of the GDPR?
The GDPR applies to any “data processing”, meaning any use of personal information in a very broad sense, including, amongst others,
- collecting IP addresses of website visitors or e-mail addresses from registered users,
- processing orders and commissioning parcel services for delivery,
- logging and analyzing user behavior in any IT environment,
- delivering communications like sales offers or invoices, and
- storing personal information in a database or cloud.
The legal concept of thinking in different “data processing activities” is particularly relevant for non-EU companies, as the question of whether they must comply with specific obligations under the GDPR has to be answered with regard to a specific business process rather than to the company as such. For example, maintaining a customer relations management system to handle EU customer data may fall within the scope of the GDPR, whereas storing HR master data of Japan-based employees do not trigger any obligations under the GDPR.
What are the roles under the GDPR?
Data are monetized by making them flow. Personal information can be shared between business partners, matched against other data sources, analyzed, hosted or aggregated by vendors.
Under the GDPR, two different levels of data ownership must be distinguished for determining the distribution of responsibilities if more than one company is involved in a business process:
- “Data controller” is a legal entity “which, alone or jointly with others, determines the purposes and means of the processing of personal data”. This is the company which is responsible for the business activities requiring the data, so usually the entity to whose benefit the information is primarily used.
- “Data processor” is a legal entity “which processes personal data on behalf of the controller”. This definition includes many B2B vendors such as SaaS, hosting, IT maintenance, cloud or accounting service providers.
Whereas a data controller is fully responsible under the GDPR and must comply with a broad range of requirements, the responsibilities of a data processor are limited. When it comes to the question of whether the GDPR is applicable to a company at first, the differentiation between data controllers and data processors also plays a crucial role, as we outline below.
Applicability of the GDPR to non-EU companies
On November 13, 2019, the European Data Protection Board (EDPB), an EU body formed of the national data protection supervisory authorities, issued official Guidelines on how to interpret the provisions on the international applicability of the GDPR, which we summarize subsequently.
Data controllers based outside the EU
For data controllers without any establishment in the EU, the GDPR directly applies to the processing of personal data of data subjects who are in the EU, where the processing activities are related to:
- the offering of goods or servicesto individuals in the EU, irrespective of whether the service is chargeable or free; or
- the monitoring of their behavior as far as their behavior takes place within the EU.
Hence, the GDPR will not affect companies which unintentionally process information on individuals in the EU. If, for example, a mobile app is solely dedicated to the US market (e.g. determined by the fact that the app requires users to provide a US phone no. during the registration process or that terms and conditions limit the services to the US and purchases can only be made in USD), the data of users collected while they are travelling the EU will not trigger applicability of the GDPR.
According to the EDPB, processing of personal information is subject to the GDPR if two triggers simultaneously apply, namely that the data processing concerns persons “in the EU”, and that the business somehow targets the EU market or monitors EU citizens.
Trigger 1: Data subjects in the EU
The GDPR applies only to the processing of information on individuals “who are in the EU”. According to the EDPB, this condition does not refer to the citizenship or residence of the data subject but rather to his or her current location. By contrast, this also implies that the GDPR does not apply to the processing of personal data relating to EU citizens who are residing or travelling in non-EU states.
If, for example, a Spanish citizen is travelling in China and using a mobile application that is operated by a Chinese company and that collects location data, the GDPR will not apply to this processing. However, in case a Chinese citizen who is living in Spain is using the same app, the collection of location data falls within the scope of the GDPR, if the second trigger explained below also applies with regard to the mobile application.
Trigger 2: Targeting the EU market / monitoring of behavior
As a second condition for the GDPR to apply, the company’s business activities must somehow target the EU market, no matter if the offered services or goods are chargeable or offered for free. According to the EDPB, this encompasses the following business operations:
- budgeting ad campaigns targeted at consumers in the EU, such as through search engines and social networks, or displaying testimonials from the EU,
- offering services with an international nature, such as certain touristic activities,
- using EU website top-level domains such as .de, .fr., .es. or .eu or providing EU language versions of an online service or mobile application, if different from the language commonly used in the country where the company is based,
- accepting payments in Euro or another EU currency,
- mentioning the EU or its member states in the context of a good or service, or providing specific support contact details for EU customers,
- delivering goods to EU member states,
- profiling, including behavioral advertisement and processing of geolocation data, particularly for marketing purposes,
- online tracking with cookies or other tracking techniques such as device fingerprinting,
- personalized digital diet and health analytics services,
- market surveys and other behavioral studies based on individual profiles,
Assessing whether and to what extent the GDPR applies to non-EU companies should be subject to a legal assessment in the individual case. For an initial assessment, we set up an online test to check whether your company needs to appoint an EU representative, which is the case for most non-EU companies whose activities fall within the scope of the GDPR.
Data processor based outside the EU
Non-EU data processors are subject to the GDPR if their business customer (data controller) is, according to the triggers mentioned above. To give an example: an online retailer based in the US advertises its products at Google AdWords and targets consumers in the EU and therefore falls within the scope of the GDPR. If the retailer uses the services of a cloud provider to manage its EU customer information, hosting of such data in the cloud will also trigger applicability of the GDPR. The cloud vendor must comply with the (limited) GDPR obligations for data processors.
What do we need to do?
Non-EU companies that are subject to the GDPR must follow various legal requirements. We at EU-REP.Global are specialized on acting as an EU representative, thereby ensuring compliance of our customers with the requirements under Article 27 GDPR.
With our legal partners, we also advise our international clients on all other GDPR-related topics, such as international data transfers, compliance documentation and providing Data Protection Officers. Please contact us for further information.