On November 23, 2018, the European Data Protection Board (“EDPB”) issued draft Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (“Guidelines”). As per standard procedure, the EDPB has published this first version of the Guidelines to allow for public consultation about its contents over the next several months. At the conclusion of the consultation period on January 18, 2019, the EDPB will issue a final version incorporating any changes or amendments made on the basis of comments received from stakeholders. Parties may submit comments to the EDPB by sending an email to: EDPB@edpb.europa.eu.
The Guidelines are divided into four sections. The first three give interpretive analysis on Articles 3(1), 3(2) and 3(3) of the GDPR, respectively. The final section provides additional clarification about the possible duty to appoint a representative within the EU for controllers and processors not established in the EU. The Guidelines analyze specific provisions of the GDPR, make reference to existing EU case law, and offer practical examples that illustrate how to apply the provisions of Article 3 in everyday situations.
With regard to Article 3(1), the EDPB examines the broad concept of an “establishment” under EU law, and specifically its application to personal data processing which may take place “in the context of the activities” of an establishment. The EDPB points to landmark cases such as Google Spain and Weltimmo to show how these concepts have been applied by EU courts. The EDPB also notes that this broad notion of an “establishment” is not unlimited and recommends a case-by-case analysis.
With regard to Article 3(2) – which is perhaps the most controversial provision of the GDPR, potentially triggering its extraterritorial application to parties with no EU establishment – the EDPB provides some helpful clarifications. The Guidelines emphasize the importance of considering (i) whether targeted data subjects are in the EU (regardless of nationality, residency or legal status), and (ii) whether the processing relates to offering them goods/services or monitoring them in the EU.
“Targeting” by offering goods and services. The EDPB emphasizes that a controller or processor with no establishment in the EU must show a clear intention of doing business with EU customers to be considered “targeting” individuals in the EU with goods or services. Again, this requires a case-by-case analysis involving a range of different factors (e.g., whether the EU or a specific Member State is mentioned on a website, whether search engines are paid to market to a specific EU country audience, or the use of EU-specific languages or currencies).
“Targeting” by monitoring behavior. A controller or processor is “targeting” individuals in the EU by monitoring their behavior if the monitored behavior (i) relates to an individual in the EU and (ii) takes place in the EU. Once again, the EDPB offers several criteria to consider when making this determination (e.g., behavioral advertising, geo-localization activities, online tracking using cookies, CCTV, and so forth). However, the EDPB does not hold that all online collection or analysis of personal data of individuals in the EU counts as “monitoring”. Rather, it is necessary to consider the controller’s purpose in processing the data, and particularly any behavioral analysis or profiling techniques used.
Finally, in the last section of the Guidelines, the EDPB clarifies certain issues related to the appointment of a representative in the EU by non-EU controllers and processors subject to the GDPR. The Guidelines discuss, among other things, the need to have a contract in place with the representative, the fact that the role is incompatible with that of a Data Protection Officer (and thus the two should not be combined), and, furthermore, that the GDPR may be enforced against a non-EU controller by way of its EU representative.