The General Data Protection Regulation (GDPR), a major EU privacy law introduced in May 2018, not only shook up data-driven startups from London to Silicon Valley but keeps affecting businesses of any size and in almost any industry. Many executives, IT managers and compliance professionals of companies without a physical presence in one of the 28 EU member states are still unsure whether, and to what extent, the compliance requirements of the GDPR affect their business.
These concerns are highly reasonable and urgent, given that the GDPR has a very broad scope of application and triggers severe legal liability risks. This article outlines the territorial scope of the GDPR for companies that operate solely from establishments in Asia, the Americas, Africa, or Oceania and deal with B2B or B2C customers, vendors, website visitors and other business partners in the EU, whether occasionally or on a regular basis.
On November 13, the European Data Protection Board (EDPB), an official EU body formed of the national data protection supervisory authorities, issued guidelines on how to interpret the provisions on the international applicability of the GDPR, which we summarize below.
But first, some GDPR basics
The underlying principles of EU data protection laws are designed around the traditional European privacy concept, emphasizing the idea that everyone should have a say in how others use personal information relating to him or her. One major driver of the GDPR was that the EU regulators were concerned about the impacts of the digital revolution on such values:
What level of data security would be required to protect individuals from hackers revealing private electronic communications to the public, or from other severe data breaches? Does targeted advertising based on detailed user profiles hinder market transparency for consumers? How can we prevent algorithms from discriminating against ethnic groups when assessing whether an application for a consumer loan is approved or rejected?
The GDPR provides a regulatory framework for these and many more questions. In any relevant context, the GDPR requires companies to ensure principles such as transparency, accountability, and co-determination by the person whose personal information is collected and used.
Which industries are affected by the GDPR?
Instead of imposing sector-specific regulation, the GDPR follows a one-size-fits-all approach. It applies to the collection and use of personal information in any environment, from customer relations, product-related analysis of user behavior, marketing and HR to the delivery of goods and the provision of websites, mobile applications and other online services.
Which business activities fall within the scope of the GDPR?
The GDPR applies to any “data processing”, meaning any handling of personal information in a very broad sense: collecting IP addresses of website visitors or e-mail addresses from registered users, processing orders and commissioning parcel services for delivery, logging and analyzing user behavior in any IT environment, delivering communications such as sales offers or invoices, storing personal information in a database or cloud, and even deleting said data at the end.
The legal concept of thinking in separate “data processing activities” is particularly relevant for non-EU companies, as the question of whether they must comply with specific obligations under the GDPR has to be answered with regard to a specific business process rather than to the company as such. For example, maintaining a customer relationship management system to handle EU customer data may fall within the scope of the GDPR, whereas storing HR master data of US-based employees does not trigger any obligations under the GDPR.
Who is responsible if two or more companies are involved?
Data seldom rest; they are monetized by being made to flow. Personal information can be shared between business partners, matched against other data sources, and analyzed, hosted or aggregated by vendors. Under the GDPR, two different levels of data ownership must be distinguished in order to determine the distribution of responsibilities between the various parties involved:
- “Data controller” is a legal entity “which, alone or jointly with others, determines the purposes and means of the processing of personal data”. This is the company which is responsible for the business activities requiring the data, so usually the entity to whose benefit the information is primarily used.
- “Data processor” is a legal entity “which processes personal data on behalf of the controller”. This definition includes many B2B vendors such as SaaS, hosting, IT maintenance, cloud or accounting service providers.
The definition of the roles builds upon the concept of separate “data processing activities” as explained above. For example, a cloud service provider is considered a data processor as long as it is solely hosting, analyzing or otherwise processing personal information for the benefit of a B2B customer. It may, however, also take the role of a data controller regarding the exact same set of data if it starts using the data for its own business purposes, irrespective of whether such processing complies with or violates the contract with its B2B customer.
Whilst a data controller is fully responsible under the GDPR and must comply with a broad range of requirements, the responsibilities of a data processor are strongly limited. The differentiation between data controllers and data processors also plays a crucial role in the prior question of whether the GDPR applies to a company at all.
Applicability of the GDPR to non-EU data controllers
For data controllers without any establishment in the EU, the GDPR directly applies to the processing of personal data of data subjects who are in the EU, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behavior as far as their behavior takes place within the EU.
Hence, the GDPR will not affect companies which unintentionally process information on individuals in the EU. If, for example, a mobile app is solely dedicated to the US market (e.g. because the app requires users to provide a US phone number during registration, or because the terms and conditions limit the services to the US and purchases can only be made in USD), usage data collected from users travelling in the EU will not lead to applicability of the GDPR.
Regarding the interplay of the conditions for the GDPR to apply, the EDPB emphasizes that two triggers must apply to a given processing of personal data at the same time: the data processing must concern persons “in the EU”, and the business activities which require personal information must somehow target the EU market (“offering of goods or services” or “monitoring”).
Trigger 1: Data subjects in the EU
The GDPR applies only to the processing of information on individuals “who are in the EU”. According to the EDPB, this condition does not refer to the citizenship or residence of the data subject, but to his or her current location. Conversely, this also implies that the GDPR does not apply to the processing of personal data relating to EU citizens who are residing or travelling in non-EU states.
If, for example, a Spanish citizen is travelling in China and using a mobile application that is operated by a Chinese company and that collects location data, the GDPR will not apply to this processing. However, in case a Chinese citizen who is living in Spain is using the same app, the collection of location data falls within the scope of the GDPR if trigger 2 explained below also applies with regard to the mobile application.
Trigger 2: Targeting the EU market / monitoring of behavior
As a second condition for the GDPR to apply, the company’s business activities must somehow target the EU market (“offering of goods or services”), regardless of whether the offered services or goods are paid or free. In the digital age, websites and online services are easily accessible from all around the world; however, the statements of the EDPB make clear that accessibility from EU member states alone will not lead to the burden of GDPR compliance.
Instead, the company’s business activities must indicate that it welcomes EU customers. Whether this is the case must be assessed on a case-by-case basis, considering the full picture of a company’s business activities. The EDPB issues important guidance on the factors that must be considered when assessing whether this trigger applies to a business. We summarize and interpret those factors as follows (for the exact wording of the EDPB, please consult its guidelines):
- Budgeting ad campaigns targeted at consumers in the EU, such as through search engines and social networks, or displaying testimonials from the EU;
- Offering services with an international nature, such as certain touristic activities;
- Using EU website top-level domains such as .de, .fr, .es or .eu, or providing EU language versions of an online service or mobile application, if different from the language commonly used in the country where the company is based;
- Accepting payments in Euro or another EU currency;
- Mentioning the EU or its member states in the context of a good or service, or providing specific support contact details for EU customers;
- Delivering goods to EU member states.
If none of those criteria is met, data processing can still be subject to the GDPR if the alternative trigger (“monitoring”), which focuses on how a company uses personal information rather than on its marketing efforts, applies to the non-EU company. According to the EDPB, a key consideration when assessing the business activities is whether they intentionally involve “the tracking of natural persons on the Internet, including the potential subsequent use of profiling techniques”.
The EDPB lists some examples of data processing that are encompassed by the “monitoring” trigger:
- Behavioral advertisement;
- Geo-localization activities, in particular for marketing purposes;
- Personalized diet and health analytics services online, or monitoring or regular reporting on an individual’s health status;
- Market surveys and other behavioral studies based on individual profiles.
Lastly, it should be emphasized that assessing whether and to what extent the GDPR applies to non-EU companies requires a legal assessment of the individual case. For a first examination, we set up an online test to assess whether your company needs to appoint an EU representative, which is the case for most non-EU companies whose activities fall within the scope of the GDPR.
Applicability of the GDPR to non-EU data processors
For data processors located outside the EU, the assessment of whether their activities fall within the territorial scope of the GDPR follows the assessment of the business activities of the data controller on whose behalf the company is carrying out the data processing operations in question.
To give an example: an online retailer based in the US offers delivery to the EU and advertises its products via Google AdWords targeting consumers in the EU and, applying the criteria mentioned above, therefore falls within the scope of the GDPR. If the retailer uses the services of a cloud provider to manage its EU customer information, hosting of such data in the cloud will also trigger applicability of the GDPR. The cloud vendor must comply with the (limited) GDPR obligations for data processors. Under this concept, as a condition for the GDPR to apply to the data processor, the service must relate to the business activity triggering applicability of the GDPR for the data controller. If, in the example, the cloud vendor only hosts HR data relating to US-based employees of the online retailer instead of data relating to EU customers, the GDPR will not apply to the hosting.
Interestingly, the EDPB takes the view that the activities of non-EU data processors on behalf of EU-based data controllers do not necessarily fall within the scope of the GDPR. This may seem contradictory but is presumably due to the concise wording of the legal text. Nevertheless, one should bear in mind that data controllers based in the EU are legally required to conclude “data processing agreements” (Art. 28 GDPR) with data processors. Furthermore, in case of international data transfers, they are often required to agree on “standard contractual clauses” (Art. 46 para. 2 GDPR) with data processors, namely where the receiving country to which the data is transferred does not offer an adequate level of data protection and no other safeguards such as the EU-US Privacy Shield apply. Such contracts will, in consequence, impose nearly the same GDPR obligations on data processors as they would have to comply with if the GDPR were directly applicable.