Extraterritorial Scope of GDPR: The effects of the Regulation on non-EU businesses

Legal x-rays

The EU General Data Protection Regulation (GDPR) is not explicitly a global law, but it might be on the way to becoming a de facto law beyond the boundaries of Europe, at least for a number of businesses.

The GDPR, which became applicable on 25 May 2018, covers all businesses established in EU territory that act as controllers or processors of personal data, regardless of whether the processing itself takes place inside or outside the Union (Article 3(1)), much as the previous European data protection law (Directive 95/46/EC) did. The more difficult question is whether businesses established outside the European Union that process personal data fall within the GDPR's scope.

To protect data subjects from the arbitrary processing of their personal information by non-EU businesses, the European legislature expanded the territorial scope of the Regulation. Article 3(2) GDPR states that the Regulation "applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union" where one of the following criteria is fulfilled:

The processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behavior as far as their behavior takes place within the Union.

The key to determining whether criterion (a) is met by a non-EU business, according to Recital 23, is the business' intention: whether it is apparent that the controller or processor "envisages" offering goods or services to data subjects in one or more Member States. Mere accessibility of the business' website in the Union, the publication of an e-mail address or other contact details, or the use of a language generally used in the third country where the business is established, is not enough on its own to establish such an intention.

However, offering the website in a language generally used in an EU Member State (other than the language of the country where the business is established), pricing goods or services in an EU currency with the possibility of ordering in that language or currency, or, unsurprisingly, the explicit targeting of customers in the Union, can provide sufficient evidence of intent and pull the business within the GDPR's scope.

Factors that, alone or in combination, indicate that a non-EU business is targeting data subjects in the Union include:

  • Telephone numbers with an international dialling code are provided on the website for contact purposes;
  • An EU or Member State top-level domain (e.g. .eu, .ie, .de) is used;
  • Options to translate the contents of the website into an EU language are provided;
  • Options to convert prices into euro or another EU currency are provided; and
  • Marketing is aimed at EU users, for example by featuring existing EU customers or users as references.

To exemplify the above: if a Thai company with no EU subsidiaries runs an e-shop in Dutch, on which goods can be ordered in Dutch and paid for in EUR, accepts orders from customers in the EU and delivers the goods to them, then one can safely say that the Thai company targets Dutch consumers (and therefore data subjects in the Union). The Thai company is consequently subject to the GDPR. Similarly, suppose an American company offers a mobile phone application to American users and the application collects location data, and an American tourist then uses the application while travelling in Spain. Because the application tracks the tourist's location, it is monitoring behaviour that takes place within the Union, so criterion (b) is engaged and the company must comply with the Regulation in respect of that data for the duration of the tourist's stay in Spain. Note that the EDPB, in its Guidelines 3/2018 on territorial scope, reads the monitoring criterion narrowly: not every online collection of data about individuals in the EU counts as "monitoring", and the controller's purpose, in particular any subsequent behavioural analysis or profiling, has to be considered.

Obligation to Designate a Representative

The GDPR requires controllers and processors not established in the Union but falling within the scope of Article 3(2) to designate in writing a representative established in one of the Member States where the data subjects concerned are (Article 27). The obligation does not apply where the processing is occasional, does not include large-scale processing of special categories of data or of data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons (Article 27(2)). The representative acts on the controller's or processor's behalf as the point of contact for the competent DPA and for data subjects, receives enquiries and complaints, and is subject to record-keeping requirements, since it must maintain the record of processing activities under Article 30. Designating a representative does not affect the responsibility or liability of the controller or processor under the Regulation: Article 27(5) makes the designation without prejudice to legal actions against the controller or processor themselves, and Recital 80 adds that the representative should itself be subject to enforcement proceedings in the event of non-compliance by the controller or processor. The Regulation does not, however, spell out in its operative text how such proceedings against a representative are to be conducted. To this end, and given the fines foreseen by Article 83(4)(a) for breaches of the obligations in Articles 25 to 39, DPAs will have to apply pressure to overseas controllers and processors indirectly through their EU-based representatives.

Our law firm's comment on this topic:

Due to the extraterritorial scope of the GDPR set by Article 3, the Regulation will be applicable irrespective of whether the actual data processing takes place within the EU or not. Whether this goal will be achieved or not, one thing is certain: the GDPR will undoubtedly change how multinational organizations operate globally regarding the collection, use and protection of personal data of all citizens within the EU.