United States: CF On Cyber: The GDPR's New Territorial Scope Guidelines

Last Updated: December 12 2018
Article by John E. Clabby, Steven Blickensderfer and Michael L. Yaeger

The European Data Protection Board on November 16, 2018, released new guidelines to help describe how the GDPR will apply to data controllers and processors both within and outside the European Union. The Guidelines focus on the territorial application of the GDPR, including both the "establishment" and "targeting" criteria. In this podcast, attorneys Jack Clabby, Michael Yaeger, and Steven Blickensderfer discuss these new guidelines and how they affect businesses not only in the EU, but around the world.

Transcript:

Jack: So today we're going to talk about the new guidelines adopted on November 16th of 2018 from the European Data Protection Board. The goal today is not to go through this in long detail. They're pretty significant and that would take a long time. The goal today is to hit some of the highlights of these new guidelines, focusing on the impact of them for U.S.-based companies.

We have with us two Carlton Fields attorneys, Michael Jaeger, who's a shareholder in our New York office. Michael does a significant amount of cybersecurity work across industries with a particular experience in health care and financial services. We also have with us Stephen Blickensderfer who's a privacy attorney and a CIPP from our Miami office. So welcome, Michael and welcome, Steve.

Steve, let's get started with you. These guidelines are published by something called the European Data Protection Board. Can you give us a sense of what that is?

Steve: Hey Jack, thanks. So the European Data Protection Board or "the Board" for short, is an independent European body that promotes cooperation between e-regulators. It's comprised of the various Member State Data Protection Authority representatives and one of the main things they do is achieve this cooperation through guidelines, through issuing guidelines on the GDPR on big issues.

Just to provide some context on how important some of these guidelines are, back in March I went to the, you know, was at a big conference. The European regulators were there and one of the messages that they conveyed to us was that they believe that we have enough guidelines or that there are sufficient guidelines out there and that they, you know, put enough information out there where companies can start, you know, can be well on the road to GDPR compliance.

So, you know, we've been waiting for these guidelines on extraterritoriality of Article 3 for quite some time so it's, you know, one of those things that we shouldn't expect too many more guidelines. So when we do see guidelines from the Board, it's pretty important. We should all take notice.

So one of the other things I wanted to mention were the import—or the effect of these guidelines. Really, at the end of the day, they're persuasive authority. The GDPR is enforced by the Member State Data Protection Authorities and it's interpreted by European courts, not the Board. However, it's safe to say that these guidelines are pretty persuasive. Particularly where we see the Board aligning itself with European court case law, you know, the Google versus Spain case for instance. So, you know, I think it's safe to say that these guidelines in particular were pretty persuasive.

Jack: Alright, so Michael, we heard from Steve a bit about the Board that creates these guidelines, but this particular release in mid-November, you know, what is it aimed at?

Michael: Well, Jack, I'd say the purpose of these guidelines is to make clear the territorial scope of the GDPR. It's like the old cliché, the long arm of the wall. So, the guidelines are trying to tell you how long the arm is, how far it reaches. And the guidelines have to be reviewed kind of carefully because they're full of caveats and nuance, but they're still helpful. It's not all pain.

And I'd say there are two main ways that the arm of the GDPR can reach somebody, can reach a company. First, if you're an establishment in the EU, and second, if you're targeting data subjects in the EU. And that's how the guidelines are organized. They discuss what makes a controller or processor an establishment and they discuss what actions qualify as targeting.

Jack: So we've linked to these guidelines in the podcast prompt you can pull them up and take a look, but it really, they are organized around these two principles. You know, the first, of the establishment criteria and the second, the targeting criteria. Let's start with this establishment criterion. Stephen, what is this?

Steve: So Article 3(1) lays out the establishment criterion and it says that the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union regardless of whether the processing takes place in the Union or not. So that's what we know from Article 3(1).

The recitals give us a little bit more background, and now these guidelines provide us even more information as to how to understand how the GDPR applies to a controller or processor with an establishment in the EU. So breaking this down, first, the guidelines actually remind us, which is always helpful to take a step back and ask and conduct this analysis by first asking are we talking about a controller or a processor. A company's GDPR responsibilities and this analysis of extraterritoriality hinges on whether or not the company is acting in the capacity of a controller or processor and that sometimes is a complicated question.

But addressing that first, the guidelines then instruct that we are to then address whether there is an establishment in the Union. And what does this mean? Well, Recital 22 talks about an establishment as being one that implies the effective and real exercise of activity through stable arrangements regardless of legal form. Well, what are stable arrangements? The guidelines further explain that this is a very fact-specific analysis. Both the degree of stability of the arrangement and the effective exercise of real activities in the state are to be taken into account. So, could one single employee or agent of a non-European Union entity be sufficient? Maybe. That's actually one of the examples that the guidelines gives us as this could be sufficient and it's not necessarily tied to any particular legal form.

So figuring out whether you have an establishment can be particularly tricky for internet businesses and, you know, and companies that sell services online. But one of the things that the guidelines does help us with it eliminates the idea that just because your website is accessible in the EU, that's not enough to create an establishment there. That's something that the guidelines definitely answer in the affirmative.

It's also important, and just before we move on to the next point, that there must be a connection. The guidelines talk about, in the context of the activities of an establishment. So in doing conducting the analysis under establishment, there must be a link between the processing and that establishment.

And then the guidelines then talk about the case law and this is where the EU case law kind of comes in and adds additional flair. In particular, the Google versus Spain case, and that that case is important as the guidelines instruct because the connection between the processing and the establishment can even exist if the local establishment is not taking a direct role in the data processing itself, which is pretty significant.

Jack: And I want to, Michael, I want to go back to this idea that Steve talked about where under certain circumstances a single employee would be enough to find an establishment. How do you think that's going to play out?

Michael: Yeah, sure. Yeah, it's important to think about it. I mean let's say you're an academic medical center or a hospital system. If you have just one employee residing in the EU who is promoting consults toward EU markets you might be making yourself an establishment. Oh hey European Union residents, we have really expert cancer docs here. You can get a consult from them without coming and having to visit the U.S. If someone is established, if someone is in the U—EU promoting those consults, that could be enough.

Same goes for an investment advisor. If there's one person in the Union soliciting investors, even that by itself could be enough. The examples in the guidelines make this clear. In this case I think it's example two. But in general I, you know, frankly it's worth pausing a little bit to talk about the examples and the role they play in the guidelines. They seem, actually, quite important for cashing out what the guidelines mean. You can tell because they keep using this Latin term, in concreto. It's like five times in the document. Elegant? It's a little goofy, frankly. I mean, when I googled this I found it mostly popping up in Immanuel Kant's Critique of Pure Reason, so this is not exactly the kind of thing that you see in U.S. regulators guidance, but we're in Europe and it's there. And in concreto serves a purpose. It tells you that the analysis will be concrete, tied to verified facts, and crucially on a case-by-case basis.

So, a lot of this analysis is just not about bright-line rules. It's about context and the totality of the facts. Even where they say oh, this one factor by itself is not enough, they can still use that factor as part of their contextual analysis to say you are in fact an establishment.

Jack: Right so, you know, Steve, another aspect of this establishment prong is that if you are an establishment it doesn't matter if it's you, resident data or not. Can you unpack that a little bit?

Steve: Yeah. This is a big distinguishment between the establishment prong and the targeting prong which we'll get into in a second, but the establishment prong applies no matter where the data subject is and this is really illustrated in example four in the guidelines. This is the example of a French company that developed a car sharing application exclusively to customers in Morocco, Algeria, and Tunisia. And the service is only available in those three countries, but all the personal data is being processed and carried out by the data controller in France. At first, you would think, you know, there's no European residents involved no citizens so this can't possibly apply. Wrong. Under the establishment prong three—Article 3(1) this French company will be required to comply with the GDPR.

We also know from the guidelines that the place of processing is irrelevant. We already knew this, but what we didn't know for sure is whether an EU processor working with a U.S. controller is required to comply with the controller requirements too. And these guidelines clarify that that is not the case.

But note, if you're a, if you're a U.S. processor working with an EU controller, for example going back to example four, if you're a U.S. processor working with that French company that it has developed a car sharing application the GDPR technically does not apply to you. However, the guidelines say that some of the GDPR will indirectly apply through contractual arrangements under Article 28. While those may not already be in place we suspect that in light of these guidelines we'll see more of these in the future, these data processing addendums to contracts.

Jack: I think as we, sort of, wrap up the discussion of establishment there was one, I remember sitting at thinking, wow this is, this is a gift that the Board is giving to EU-based data processors. So the flip of the example you just gave, Steve, where you have a U.S. or Mexico or Canada-based controller, which otherwise does not have an establishment in the EU who wants to hire an EU-based data processor. Right? The act of hiring an EU-based data processor does not make the U.S.-based controller subject to the GDPR.

And I have to think that's simply the practical reality of, you know, the EU-based data processors are growing in size as a result of the GDPR and if you had made, I think there could be a good argument, right, that a U.S.-based controller that avails itself of an EU-based data processor and sends all it's, you know, PII over to have this done in France, you know, would be subject under the establishment provision. But this guideline clearly says it's not. I think that is the, example seven which uses a Mexican retail company that happens to use an EU-based processor is probably the clearest example of that in the guidelines.

Alright, so Michael, let's talk about the second of the two criteria the targeting criteria.

Michael: Sure. Well, even if a company is not an EU establishment it can still be subject to the GDPR if it is targeting people in the Union. So, the targeting criterion is about behavior of the company not always its location. There are two kinds of targets, offering and monitoring. So offering is about offering goods and services to people in the Union. Monitoring is about monitoring a person's behavior in the Union. That second term, I think seems a little odd on the first reading, but those who spend time with the GDPR are probably already aware of it and the guidelines clarify it. They give an example of a marketing company that analyzes customers' movements in a shopping center. Let's say those movements are collected through Wi-Fi tracking. So that is monitoring behavior and the company may be in the U.S., but the behavior that it's monitoring is happening in the Union.

In any case, whichever kind of targeting is going on here, targeting applies to any natural person in the EU, any flesh-and-blood human being. Doesn't matter if it's not an EU citizen or the person is not an EU resident. So, if there's a U.S. startup that has an app that's designed for U.S. residents to use when they're visiting Paris or Rome, then the U.S. startup is targeted in the way that the guidelines describe. Why? Because that company is intending to process data about the location of natural persons at a time when they are in the EU.

There's some good news here though. As you can see, the way I'm putting it there's a kind of intent, or purpose, or foreseeability analysis going on here. And that puts some limits on how far the arm of the GDPR can reach. You can see this in example 9 of the guidelines. They explained that if a U.S. news app is exclusively directed at the U.S. market, it doesn't matter if a U.S. tourist checks the app on her European vacation. In that case the GDR—GDPR doesn't apply because the app isn't directed at the Union.

Jack: Stephen, in Michael's example about the app sales, you know, at the moment that the sale occurs it's clear that it's going to be used and only used, right, in an EU environment so there's a good, there's a good intent. But when does, when do these guidelines say that intent, or however you want to describe it, what, when is it triggered? When is it measured?

Steve: Yeah, Jack. The guidelines actually help us understand what is the triggering event for the analysis and they say that it's, that when you're, whether you're targeting depends on the moment of offering the goods and services.

So let's return to Michael's example. I believe it was example 8 in the guidelines. While the company, the U.S. company, could say it only intended to target U.S. residents while they were stateside, perhaps this is where they were going to download the app they were going to use abroad, the moment of offering goods and services actually happened while they were abroad and started using the app. That's when the data was starting to come in and processing started taking place.

I also want to, let's go into the website examples that are given in the guidelines which I thought were really helpful. So the first is example 12. We see a Turkish website that creates prints, photo albums, and sells them to various countries in the EU. So what did we know before in recital 23? We knew that there were certain factors that the GDPR looks at, that the regulators are gonna be looking at to determine the intent to target to offer goods and services and the EU. What are some of these examples? Making websites available in EU languages, accepting EU currency, indicating delivery in an EU country. The more countries you deliver, the more likely it's going to apply to you and that goes back to Michael's comment about being, this being an in concreto analysis.

So what does the, what do the guidelines add? Well, they dive again back into the EU case law and they help us understand that there are some other factors that may be at play.

One of those that really stuck out to me, that I thought was interesting, is where a website uses a search engine to optimize its ability to offer good services in an EU country. You wouldn't think that a regulator would be looking at something like that, but in fact, they are. And so it's very important to be looking at indirect touches and putting kind of everything on the table when talking about targeting, intent to offer goods and services in the EU.

So, you know, going back to my, that example 12, just having a website, accepting EU currency, and indicating delivery in the EU country was enough for the Board to say that the GDPR applies to that country. And I also wanted to note example 13 which was an interesting example. This is about the private company in Monaco processing personal data for employees for the purposes is just issuing salary, issuing checks, and a large number of those employees reside in Italy in France.

So, at first this was like, oh, naturally the GDP has to apply this country. But when you, when you disciplined—take the analysis one by one. Let's look at establishment. Well, this country is in Monaco. It's outside the EU and so, the GPR doesn't apply under the establishment prong.

Then let's go to the second prong, which is targeting, well, the guidelines now help us understand that offering goods and services doesn't include paying salary, which is a big deal for some companies that, you know, perhaps they have employees that also reside in the in Europe. So that's kind of another helpful guideline or another example in the guidelines.

Jack: I mean, there are, there are 20 examples in this, in the guidelines and you really could make them into flashcards where the factual light on the front of the card, right, you could put the factual prompt and on the back of the card the answer. I think I would have gotten maybe 18 out of 20 right but that was one of the ones I would have gotten wrong.

I would have thought that if a non-EU country had employees that were EU employees and they were tracking their data as employees, including pay stubs and whatnot, that they would have to be subjected to GDPR. But it's, when you break it down by the two criterion that the guidelines discuss it does become evident that they're not. Right?

Steve: Right. And it's al— it's important to note that the guide—the example is very clear. It was about processing for purposes of salary. Right? So you can imagine there's a number of examples where that company could maybe do something else with data of their own employees and then start offering goods and services within the scope of that prong.

Jack: And I think that next example, which is exhibit, example 14 talks about a Swiss company, actually a Swiss University, and again Switzerland, not in the EU, but because it's adjacent to the EU a lot of Swiss companies and entities are gonna have to deal with some tough questions.

And the example of the Swiss university is pretty important to our practice. We've been advising a fair number of private schools and colleges on the application of the GDPR. And it's tricky, but under the targeting prong the example gives, you know, if the Swiss university has a master's degree program, it has a website for it, it has it in the Swiss languages that, you know, just German and English, and it accepts payment only in Swiss currency it's not necessarily, probably not going to be found to be targeting. Right? Because it's just a passive, they're willing to take someone from the EU, but they're not targeting the EU.

But the example 14 gets tweaked a little bit at the end where the Swiss University starts offering summer courses and takes out ads or otherwise advertises in German and Austrian universities trying to solicit students within the EU directly. And in that case, it's gonna be found to have targeted and it would apply. You know, a third piece of this with the universities that we've seen a fair amount is, you know, if universities in the U.S. or elsewhere not, outside the EU, keep admissions officers, you know, in satellite offices or on the road in EU trying to drum up applicants from the EU, you know, there's going to potentially, there's going to need to be an establishment analysis as well to see if, you know, those employees who are working on behalf of the non-EU universities in the EU, you know, end up subjecting those universities to GDPR.

Alright but what, so what happened, Michael, what happens here in that kind of a scenario where, let's say you're a university like you are in exhibit 13 where you're not established, you don't have an establishment, but you are doing targeting? What do you have to do?

Michael: Well, okay. So you're targeting, you're covered by Article 3(2), at a minimum, you've gotta designated representative in the EU. You know, there are some things that ease this up a little bit because an entity with an establishment can take advantage of the one-stop shop mechanism in the GDPR and doesn't need to separately designate an Article 27 rep, but here we're talking about companies that aren't establishments but they followed their targeting, they've gotta have a rep in the Union.

The good news is the guidelines do mention there isn't some weird catch-22, the act of having a representative doesn't actually convert you into an establishment. But you gotta have one. And the representative has to be different from your data protection officer. Your DPO can't be the same person and they're envisioning somebody who's more, a DPO has to be more independent than someone who is representing you.

Steve: You know, one of the other things that stood out to me and the guidelines is that the regulators are, or the Board, is telling us that when one of the requirements in the GDPR is that you identify your Article 27 representative that Michael was just talking about. And, you know, when we're doing these privacy policies for clients and, you know, one of the things that we need to, it's all about transparency and being transparent includes identifying ways in which you can contact representatives. So, the fact that the regulators are telling us, you know, make sure you also include this in the privacy policy, that's a reminder that the regulator's gonna be looking for that in reviewing privacy policies for companies.

And so, that's just a, you know, in the very beginning of the guidelines the Board says that once the GDPR applies, all of it applies and it's very—this is one of the sticking points is that Article 27 representative designation for those who fall under that targeting prong, it's a challenge but if at the end of the day you reach the conclusion that the GDPR applies under that, Article 27 comes with it under, you know, minus exceptions that that Article talks about, but for all intents and purposes Article 27's trigger.

Jack: But that's good. I mean that, when you go through the guidelines, I like to think, okay, what am I adding to checklists that I have in place for incident response guides. What am I adding to checklists that we have in place for privacy policies? And certainly listing your Article 27 representative is now gonna be added to everybody's checklist about your privacy policy. You gotta put it there because it, you know, with these guidelines it almost makes it seem like if you don't have it there to be in trouble and it's something that they couldn't have been more plain about.

Michael: Yeah, and it's an easy thing to cite people for. It's black and white.

Jack: Well, wanted to thank Michael Jaeger from our New York office, who's a shareholder does a lot of cybersecurity work, and we've got Steve Blickensderfer from our Miami office, who does quite a bit of privacy and GDPR counseling. Thank you, Michael and Steve. And I'm Jack Clabby, shareholder in our Tampa office, works on a number of data breach incident response matters. Thank you all for joining us.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Topics
 
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions