The most praised goals of the new regulation are the harmonization of rules within the EU, the reduction of overall regulatory burden and more privacy rights for ordinary citizens.
Fortunately, companies have recognized the importance of complying with the new regulation, but they often cite various uncertainties and ambiguities as significant obstacles towards ensuring compliance.
They are right in some ways: we are still waiting for official clarifications regarding some of the provisions, such as the conduct of privacy impact assessments or cross-border transfers. The actual scope of the GDPR is another major source of confusion. Plenty of companies and institutions have cited concerns with determining the overall scope of the GDPR, that is, determining whether the GDPR is applicable to them, so let’s take a closer look at this issue.
The territorial scope of the GDPR is unambiguously defined in Article 3 of the Regulation, in theory at least.
Most transparently, the GDPR applies to all companies based in the EU. This includes all small businesses incorporated in a single EU state, as well as those spanning multiple EU member states. Broadly speaking, all companies with an EU “establishment” are bound by the GDPR. Determining establishment is easy for the examples above, and not much different from the current state of affairs. But what about international corporations or businesses from outside the EU?
The GDPR is a very ambitious piece of legislation in this regard. It aims to protect the information of EU citizens even from international businesses or businesses processing their data internationally.
The term “establishment” is a tricky one to define, and courts have had issues with it too. The most representative example is the 2015 Court of Justice of the European Union case of Weltimmo vs Naih, where it was determined that having a representative and a website marketing to consumers in a single country was sufficient for the purpose of ‘establishment’. A local bank account or a PO box is also considered sufficient evidence.
Therefore, companies from outside the EU with their sales offices, websites or services marketing to EU citizens are bound by the GDPR regarding data from EU citizens. This is valid regardless of where the actual processing takes place, as long as the data hails from the EU. If the data is related to the provision or sale of goods and services or monitoring of behaviour of EU citizens, as long as the behaviour took place in the EU, the GDPR applies to these data.
The GDPR is not as strict as you might imagine. While a physical presence is not required for a company to fall under the GDPR, since online provision of services is also taken into account, there are certain measures that restrict the ‘overextension’ of the GDPR.
Mere availability of a website to EU citizens does not necessarily mean that the company is engaging in activities that fall under the GDPR. A company must ‘envisage’ (Recital 23) the sale or the provision of goods and services to EU citizens in order for the GDPR to apply to them. Again, this can still be open to interpretation. So far, this has been determined on a case-by-case basis for especially complex cases. In most cases, circumstantial evidence is used to determine ‘establishment’: currencies, languages, top-level domain names, targeted advertising and shipping options offered are some of the criteria that can be used, for example.
This extraterritoriality of the GDPR is something that concerns many companies. Current examples (the right to be forgotten and Google Search) have been met with resistance from the IT sector. In the Google case, deleted personal results are invisible only when browsing from within the EU. Other countries can see the original results. While the EU regulators would be happy to enforce the GDPR provisions worldwide, it is unclear to what extent this will be possible.
The protections afforded by the GDPR do not apply to EU citizens when they are travelling or if they live abroad (outside the EU).
Additionally, any large-scale processing or processing of sensitive data from the EU requires non-EU companies to appoint a representative in an EU member state of establishment. The role of the representative is unclear – it is more likely than not that the representative will be just an administrative officer without much ability to enforce the GDPR provisions or affect decision-making abroad in any significant way.
Potential issues soon become apparent: non-EU businesses could find themselves under the GDPR inadvertently. Since the GDPR considers IP addresses, cookies and other session identifiers to be personal data, advertisers and online services find themselves in a tight situation, since they process such data and use them to profile and analyse the recipients. They have two options: they could either cease offering their services to EU citizens or ensure compliance with the GDPR. For most, both options are onerous and costly, but the latter will obviously prevail.
The material scope of the GDPR is outlined in Article 2. The Regulation applies to ‘processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.’
This definition includes both automatic processing (“big data” and similar) as well as manual processing by humans.
Personal data is information belonging to an identified or identifiable natural person, i.e. an individual who could be identified, directly or indirectly, from these data. You can find more detailed analyses of personal data in one of our other articles. It is worth pointing out that, compared to the DPD, online identifiers (RFID tags, location data, cookies, IPs, etc.) are explicitly treated as personal data. Biometric and genetic data are novel categories of sensitive personal data.
Interestingly, the GDPR provides for exemptions when natural persons are doing the processing for their limited personal purposes. This would include the production of phone books, address books, but also data processing relating to one’s profile on social networks, cataloguing of online messages, pictures etc. as long as the data is for personal use only. It is a good reminder that practices we take for granted are actually considered data processing in the eyes of the law.
The GDPR considers ‘data processing’ to be any operation performed on personal data – use, reading, structuring, deletion, modification etc. The entity responsible for managing the use of data is called a ‘data controller’, while the entity carrying out the actual processing is called a ‘data processor’. A single company can be both at the same time.
The provisions of the GDPR regarding handling of personal data still hold even if data is ‘pseudonymised’, i.e. stripped of its identifying elements, but certain provisions are relaxed. Anonymised data is largely free from restrictions.
The GDPR covers only data relating to natural persons. Legal persons are not covered under the GDPR in most circumstances.
Certain kinds of data are exempt from the GDPR. These are: data related to deceased persons, data used in the public interest, for crime prevention, for scientific, research and statistical purposes, as well as for activities related to carrying out the security policy of the EU. The Regulation also often does not apply in cases of unstructured physical data (files).
As is obvious from this article, much is still unclear. We are still waiting for the official guidelines from the Article 29 Working Party. They should resolve most ambiguities and shed light on the most pressing issues.
The most ambitious goal of the GDPR is to force companies from outside the EU to behave – or risk losing access to the EU market. We will see if the enforcement will be effective. If current practices are any indication, the regulatory authorities are facing an uphill battle.
If you own an EU-based company, there is no doubt – better start preparing for the GDPR right away. Conversely, if your company is based outside the EU, it could pay to consult an expert and determine whether you should ensure compliance. However, as a rule of thumb, if you have customers within the EU or any kind of business relationships with EU citizens, the GDPR will most likely be applicable.