On May 25, 2018, the EU General Data Protection Regulation (“GDPR”),[1] a sweeping regulation that strives to safeguard individuals’ fundamental right to the protection of their personal data, will enter into force. The regulation replaces the EU Data Protection Directive of 1995 (“the 1995 Directive”) and greatly expands the reach of the current EU privacy regime to include non-EU organizations that had not previously been subject to European privacy requirements. However, despite the two-year implementation period, many organizations still do not appreciate that their activities will fall within the scope of the GDPR.
Because the cost of non-compliance is significant and because there is still time to take action, this article strives to provide some basic insight on a fundamental question: To whom does the GDPR apply?
The first step in determining the applicability of the GDPR is to consider the regulation’s material scope. As per Article 2, the GDPR applies to the processing of personal data. Processing means any operation performed on personal data,[2] including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.[3] “Personal data” is a defined term that encompasses a host of information relating to an identifiable natural person (referred to in the regulation as a “data subject”), including an individual’s name, identification number, location data, online identifier or one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity.[4] More concrete examples include biographical information such as date of birth, marital status, social security number, phone number, physical and email addresses; data about physical appearance such as height, weight, eye color and defining characteristics; biometric data such as facial recognition, fingerprint and retinal scans; and online identifiers such as IP addresses, cookies and radio frequency identification tags.
Organizations inside and outside of the EU that process the type of data described above, especially organizations that make use of online advertising, analytics and social media platforms, may be subject to the GDPR if they fall within the regulation’s territorial scope.
There is no question that the GDPR will apply to organizations “established” in the EU.[5] As one would expect, the term “established” includes organizations legally formed or headquartered in the EU. The term is, however, considerably more expansive. As made plain by the Court of Justice of the European Union (“CJEU”), establishment is a “broad” and “flexible” concept that does not depend on legal form.[6] Based on the CJEU’s interpretation, an organization that engages in “any real and effective activity – even a minimal one,” through stable arrangements in the EU may be considered established. This will likely include maintaining sales offices, branches, subsidiaries or joint ventures in the EU. In addition, in certain circumstances, the presence of even a single representative may be sufficient to constitute real and effective activity through a stable arrangement.[7]
The above should come as no surprise as it is consistent with the 1995 Directive. What some may not fully appreciate is that organizations with no presence or establishment in the EU may nonetheless be subject to the GDPR if they: (a) offer goods or services to EU data subjects; or (b) monitor the behavior of EU data subjects.[8] This is arguably the biggest change to the regulatory landscape.
Regarding the first prong, whether or not a non-EU organization offers goods or services to EU data subjects (irrespective of whether payment is required) is a determination that must be made on a case-by-case basis. To fall within the scope of the GDPR, an organization must intend to target data subjects in the EU. The mere fact that an organization operates a website that is accessible to an individual in the EU will not establish the requisite intent.[9] However, additional factors such as offering website visitors the option of interacting with the website in the language or currency of an EU Member State, or referencing customers/users within the EU with the aim of appealing to other EU customers/users, will likely establish intent and thereby subject non-EU organizations to the GDPR.[10] Other indications of intent include paying search engines to facilitate access within Member States, using a Member State’s top-level domain (e.g. .nl, .de, .eu), including localized website content and conducting targeted marketing campaigns in Member States.
Regarding the second prong, monitoring of EU data subjects’ behavior refers to activities such as: online behavioral advertising; location tracking based on mobile app data; profiling for the purpose of risk assessment (e.g. credit scoring, establishing insurance premiums, fraud prevention); monitoring health and fitness via wearable devices; and tracking data collected from IoT devices.[11]
Non-EU organizations that conduct processing activities that fall within the GDPR’s material scope and either target or monitor EU data subjects in the manner described above should definitively determine whether they are subject to the new EU privacy regime. Non-EU organizations should also be mindful that future changes in the scope of their processing activities or efforts to target individuals in the EU may subject them to the GDPR. Before implementing such changes, non-EU organizations should assess whether they will trigger compliance obligations and, if so, consider how best to meet their business objectives while minimizing the associated burdens of compliance.
The May 25, 2018 deadline is quickly approaching but it is not too late to evaluate your company’s practices and, if necessary, incorporate processes for compliance. If there is a possibility that your company may be subject to GDPR requirements, consult with counsel to find out what your obligations are and how you can achieve compliance.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
[2] GDPR Article 2(1).
[3] GDPR Article 4(2).
[4] GDPR Article 4(1).
[5] GDPR Article 3(1).
[6] C-230/14, Weltimmo v NAIH (2015).
[8] GDPR Article 3(2).
[9] GDPR Recital 23.
[10] GDPR Recital 24.
[11] GDPR Recital 24.