The GDPR, or General Data Protection Regulation, is the EU’s most recent attempt to create a harmonised data protection framework across all Member States. It aims at giving users more control over their personal data, and making the storage, transfer and use of such data more transparent. But as the enforcement date approaches, a couple of misconceptions are circulating on the internet. The extraterritorial reach of the GDPR, especially, has confused a lot of non-EU companies about whether the GDPR actually applies to them or not. The complexity of the GDPR doesn’t make figuring it out easier.
First off, the territorial scope of the GDPR can be found in Article 3. In short, the GDPR applies to (i) companies located in the EU and/or their establishments in the EU, (ii) non-EU companies targeting their products and services at the EU, and (iii) non-EU companies monitoring the behaviour of users in the EU.
An EU law applies to EU companies
The GDPR applies to any company or its establishment located within the EU, regardless of where the actual processing takes place. Under the GDPR, it does not matter that servers are located in a non-EU country – if the company is located in the EU or has an establishment in the EU, GDPR applies to its data processing activities.
What about non-EU companies?
Of course, the European Commission is aware that personal data from people in the EU are not necessarily collected by European companies. Business is increasingly global and many non-EU companies attract users from all over Europe, whether they wish to or not. At the same time, it’s certainly not the European Commission’s intention to start monitoring all data processing around the world. The GDPR itself clarifies that the mere fact that a website is accessible to people in the EU does not automatically bring it within the GDPR’s scope.
That’s why Article 3 of the GDPR extends the territorial scope to include non-EU companies when they engage in certain activities. These activities include targeting and monitoring.
If a non-EU company is offering products or services to users located in the EU, its processing activities relating to those users also fall under the GDPR. It doesn’t matter whether the user is required to pay or not. This wording implies that the company must have the intention of targeting people in the EU.
The question now is how authorities will determine when this intention exists. Of course, the GDPR is new and there’s no set of precedents to look at. But there is some guidance to be found in the recitals of the regulation and in previous case law of the European Court of Justice (ECJ).
Recital 23 first states that “the mere accessibility of [the company’s] website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established” is not sufficient to establish such intention. Factors that could, however, point to the offering of goods or services in the EU include, for example, “the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union”.
Other factors that may indicate the intention of offering goods or services in a certain country can include the following:
- The international nature of the services, for example services from travel agencies or tour operators;
- Paying for marketing or advertisements in the EU;
- Having a top-level domain name ending in .eu or any of the Member States’ suffixes;
- Featuring a local telephone number on the website;
- Featuring languages specific to one or more Member States on the website;
- Providing the possibility to use a local currency;
- Providing the possibility to ship goods to a Member State.
In any of these cases, there is a chance an EU data protection authority will consider the GDPR applicable. Conversely, if there is no such intention to market goods or services to EU clients and no actions are taken to facilitate the provision of goods or services to EU clients, there is no reason to worry about the GDPR (provided you do not fall under the monitoring rule below).
The GDPR will also apply to companies that monitor users’ behaviour, insofar as that behaviour takes place within the EU. Again, more information can be found in Recital 24: monitoring takes place when “natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
According to the Article 29 Working Party, the EU’s advisory body on data protection, this clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.
It’s also worth mentioning that the article does not use the terms ‘EU nationals’, ‘EU citizens’ or ‘EU residents’. Its applicability is therefore not connected to a person’s nationality or residence, but rather to the location of a person in the EU. Strictly speaking, the GDPR therefore also applies to the data of an American tourist on holiday in Italy, collected while he was on Italian soil. In practical terms, however, this will be extremely hard for any national data protection authority to track.
The implications of the GDPR will be significant, even huge for some companies, so it’s important to have the correct information. The Article 29 Working Party admitted in a press release of February 2018 that it is “continuing its work on the development of a position on the application of Article 3 of the GDPR, relating to its territorial scope.” This means we may not have all of the pieces of the puzzle just yet. Nonetheless, non-EU companies should definitely start by asking themselves the following questions:
→ Does your company process personal data?
If not, congratulations, you’re outside of the scope of the GDPR! If the answer to this question is yes, then you should look at the following questions:
→ Is your company located in the EU or does your company have an establishment in the EU?
→ Does your company offer goods or services to users in the EU?
→ Does your company monitor the behaviour of users in the EU?
If the answer to at least one of these questions is yes, your company’s processing activities will most likely fall within the scope of the GDPR and you may want to reassess your company’s data protection policy.