On November 23, 2018, the European Data Protection Board (“EDPB”) issued draft Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (“Guidelines”). As per standard procedure, the EDPB has published this first version of the Guidelines to allow for public consultation about its contents over the next several months. At the conclusion of the consultation period on January 18, 2019, the EDPB will issue a final version incorporating any changes or amendments made on the basis of comments received from stakeholders. Parties may submit comments to the EDPB by sending an email to: EDPB@edpb.europa.eu.

The Guidelines are divided into four sections. The first three give interpretive analysis on Articles 3(1), 3(2) and 3(3) of the GDPR, respectively. The final section provides additional clarification about the possible duty to appoint a representative within the EU for controllers and processors not established in the EU. The Guidelines analyze specific provisions of the GDPR, make reference to existing EU case law, and offer practical examples that illustrate how to apply the provisions of Article 3 in everyday situations.

With regard to Article 3(1), the EDPB examines the broad concept of an “establishment” under EU law, and specifically its application to personal data processing which may take place “in the context of the activities” of an establishment. The EDPB points to landmark cases such as Google Spain and Weltimmo to show how these concepts have been applied by EU courts. The EDPB also notes that this broad notion of an “establishment” is not unlimited and recommends a case-by-case analysis.

With regard to Article 3(2) – which is perhaps the most controversial provision of the GDPR, potentially triggering its extraterritorial application to parties with no EU establishment – the EDPB provides some helpful clarifications. The Guidelines emphasize the importance of considering (i) whether targeted data subjects are in the EU (regardless of nationality, residency or legal status), and (ii) whether the processing relates to offering them goods/services or monitoring them in the EU.

“Targeting” by offering goods and services. The EDPB emphasizes that a controller or processor with no establishment in the EU must show a clear intention of doing business with EU customers to be considered “targeting” individuals in the EU with goods or services. Again, this requires a case-by-case analysis involving a range of different factors (e.g., whether the EU or a specific Member State is mentioned on a website, whether search engines are paid to market to a specific EU country audience, or the use of EU-specific languages or currencies).

“Targeting” by monitoring behavior. A controller or processor is “targeting” individuals in the EU by monitoring their behavior if the monitored behavior (i) relates to an individual in the EU and (ii) takes place in the EU. Once again, the EDPB offers several criteria to consider when making this determination (e.g., behavioral advertising, geo-localization activities, online tracking using cookies, CCTV, and so forth). However, the EDPB does not hold that all online collection or analysis of personal data of individuals in the EU counts as “monitoring”. Rather, it is necessary to consider the controller’s purpose in processing the data, and particularly any behavioral analysis or profiling techniques used.

Finally, in the last section of the Guidelines, the EDPB clarifies certain issues related to the appointment of a representative in the EU by non-EU controllers and processors subject to the GDPR. The Guidelines discuss, among other things, the need to have a contract in place with the representative, the fact that the role is incompatible with that of a Data Protection Officer (and thus the two should not be combined), and, furthermore, that the GDPR may be enforced against a non-EU controller by way of its EU representative.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.