December 13, 2018
EDPB Releases Guidelines on GDPR Territorial Scope for Public Consultation
On November 23, 2018, the European Data Protection Board released guidelines on the territorial scope of the General Data Protection Regulation. These guidelines are critical for U.S.-based businesses to determine whether they are directly subject to the GDPR. The EDPB is welcoming public comment on the guidelines.
The guidelines detail the understanding of the GDPR's territorial scope by the EDPB, the European Commission body tasked with coordinating consistent enforcement by the Data Protection Authorities in each of the 28 European Union member states. The guidelines confirm that the EDPB considers case law from the Court of Justice of the European Union relating to the old EU data protection regime, the Data Protection Directive, to be generally helpful in analyzing the territorial reach of the GDPR. The guidelines also outline how data controllers and processors should analyze whether they are subject to the GDPR by way of either the "establishment" criterion or the "targeting" criterion, providing hypothetical scenarios.
The establishment criterion provides that the GDPR applies to the processing of personal data "in the context of an establishment" in the EU. The guidelines confirm that this means that the GDPR applies to any processing activities that are "inextricably linked" with the activities of a local establishment, even if the processing activities are not directly carried out by the establishment. The guidelines also provide clarification of the meaning of "establishment." Among other examples, the guidelines provide a hypothetical example where an e-commerce website operator based in China is deemed to process personal data "in the context of an establishment" in the EU - and is thus subject to the GDPR - because it has an office in Berlin that engages in commercial prospection and marketing campaigns toward EU markets.
The guidelines also provide clarification of the targeting criterion, including the circumstances under which an entity might intend to offer goods and services to individuals in the EU. One hypothetical example provides that a photo album company based in Turkey is deemed to intend to offer goods and services to individuals in the EU because it ships products to EU member states and accepts payment for those products in euros. The guidelines also provide some detail around the term "monitoring," stating that behavioral advertising and geo-localization for marketing purposes might constitute "monitoring" and trigger application of the GDPR.
Finally, the guidelines emphasize that both controllers and processors should independently engage in a fact-specific analysis to determine whether they are covered by the GDPR and remind GDPR-regulated entities without a local establishment to designate a representative in the EU.
Comments are due by January 18, 2019.
Click here to read the guidelines.
© 2018 CounselorLibrary.com, LLC. Republished with permission. All rights reserved.
CounselorLibrary.com, LLC, is an entity affiliated with the law firm of Hudson Cook, LLP. CounselorLibrary.com, LLC articles are written by attorneys with Hudson Cook, LLP, and by other authors, including employees of CounselorLibrary.com, LLC. The views and opinions contained in the articles do not constitute the views and opinions of Hudson Cook, LLP. CounselorLibrary(R) products and services are available directly through and from www.CounselorLibrary.com and are not legal advice.