In brief - Before concluding that GDPR applies, a close analysis of what exactly the overseas entity does and the components of its supply chain is warranted
This article was first published in the Privacy Law Bulletin 17.6 and reprinted in the Financial Services Newsletter - Issue 19.8
- Closely analyse data flows.
- Pay careful attention to how a transaction chain works in reality, as no transaction is seamless.
- Consider how entities can be structured to contain EU touchpoints and therefore risk in a manageable way.
The European Union is (depending on the way one counts) the largest economy in the world and its constituent nations occupy prime positions in global trade. The size and effective influence of the EU's trade regime has meant that the General Data Protection Regulation (GDPR) represents a large change in the way data privacy is protected in the EU, with the regulation fundamentally reshaping healthcare to banking, marketing and beyond.
The effect of the GDPR is felt not just in the EU, as it can apply to those who trade in the EU and those who process data in the EU. However, the effect does not stop there as the GDPR purports to have a significant extra-territorial effect.
Biggest change for data privacy laws
The extra-territorial reach of the GDPR is arguably the biggest change for data privacy laws internationally. However, exactly how the GDPR has extra-territorial reach is a subject that has in certain aspects been little explored, other than via what seem to be viewed as performative utterances by the EU.
In our view, it should not just be assumed that the GDPR applies to an overseas controller or processor, simply because EU data subjects have access to the overseas entity's website or services. A close analysis of what exactly the overseas entity does, and its supply chain is warranted before it should be concluded that the GDPR applies.
In the classical legal theory of jurisdiction, there are two main heads: citizenship and presence.
A country will assert jurisdiction over its citizens on the basis of their citizenship. This means that a nation will assert that it can criminalise or regulate the conduct of its citizens anywhere in the world. Classic examples are child sexual exploitation and taxation.
By extension, a nation will assert citizenship jurisdiction over a corporation or other non-natural person which is incorporated or otherwise brought into being by the law of that nation.
The other classical head of jurisdiction is presence. A nation will assert jurisdiction over those natural or non-natural persons who are present in its jurisdiction. Hence, visiting aliens are subject to the laws of a nation that they are visiting, and an alien company that trades in a nation will also be subject to its laws.
The latter head has been expanded somewhat by the "targeting" or "effects" extension (ie when a company or person targets consumers in another country).1
The internet has meant that nations have had to re-consider their conception of jurisdiction and to adapt the two classical heads of jurisdiction. It is obvious that when analysed closely, most digital transactions occur somewhere, but in the form of digital signal communications. In that respect they are analogous to transactions by letter or telegram, and the legal rules developed to handle those transactions are not manifestly unsuitable to consider jurisdictional issues relating to electronic transactions and data.
Traditional approach to territorial jurisdiction
The GDPR replaced the European Data Protection Directive (Directive 95/46/EC) on protection of individuals with regards to the processing of personal data. The Data Protection Directive regulated how personal data was collected and processed in the EU.
In 2012, the European Commission proposed a comprehensive reform of the EU's 1995 data protection rules by strengthening online privacy rights and boosting Europe's digital economy through the creation of a single, EU-wide law.
On 25 May 2018, the GDPR came into force.
GDPR Recital 23 - performative utterance or head of jurisdiction?
The most significant performative utterance of the GDPR's extra-territorial effect is found in Recital 23 of the GDPR.
It is important to concentrate on the key aspects of this recital:
- There must be an offering of goods and services in the EU.
- The offeror must envisage offering those services to data subject in the EU.
- Mere accessibility or use of an EU language is not sufficient.
- The ability of an EU data subject to order the offeror's goods or services may be sufficient.
We have discussed the various ways in which states assert jurisdiction, and the targeting jurisprudence, above.
It is clear that Recital 23 of the GDPR purports to assert a jurisdictional basis for the substantive law of the GDPR. However, we submit that, when closely read against the reality of the background of internet transactions, the extra-territorial reach of the GDPR, at least insofar as it affects international digital commerce, is not as far as many may think.
Article 3's five heads of jurisdiction
Article 3 of the GDPR reflects the legislator's intention to ensure comprehensive protection of EU data subjects' rights and to establish, by creating a level playing field for companies active on the EU markets, in a context of worldwide data flows and data protection requirements.
There are five heads of territorial effect in article 3 of the GDPR: processing in the EU, controlling in the EU processing anywhere, offering in the EU, monitoring behaviour in the EU, and where international law so provides.
The GDPR applies to the processing activities of business, regardless of size, that are either data processors or controllers established within the EU. Whether or not the processing actually takes place in the Union is irrelevant.
Four of the five heads are relatively straightforward exercises of citizenship or presence jurisdiction. It is with the one standout head (3.2(a)), offering in the EU, that this article deals.
Conceptually, article 3.2(a) provides that the GDPR:
- applies to the processing of personal data
- of data subjects who are in the Union
- by a controller or processor not established in the Union
- where the processing activities are related to the offering of goods or services
- to such data subjects in the Union
Most of the relevant commentary in respect of this paragraph is European. That commentary, naturally, assumes that a data controller or processor is in the Union, and therefore is caught by article 3.1.
Article 3.2 has not, as far as we can ascertain, been the subject of detailed scrutiny at this stage.
We suspect that since the principal data processors and services offerors, such as Amazon and Facebook, all have establishments in the EU (and are therefore caught by article 3.1 in any event), no large overseas entity is likely to challenge the territorial reach of the GDPR.
While the GDPR appears significantly broad, a close reading of article 3.2(a), the critical issue in considering whether the ADC is caught is whether:
- it is the offering of goods or services that must take place in the Union or
- merely the recipient of the offering of goods or services must be in the Union
The Office of the Australian Information Commissioner (OAIC), in its guide Australian entities and the EU General Data Protection Regulation (GDPR) (which has no legal effect), notes that the GDPR applies to data processors or controllers "outside the EU, that offer goods or services to individuals in the EU".
Neither Recital 23 nor the OAIC guide deals with the issue of the meaning of the words "such data subjects" in article 3.2(a).
In our view, the natural reading of that clause is that "such data subjects" refers to "data subjects who are in the Union" set out in the introduction of clause 2. On that reading, the words "in the Union" at the end of article 3.2(a) must refer to the offering of goods or services, rather than the data subjects, because "such data subjects" must already be in the Union.
On that analysis, there must be a double nexus-the offering must be in the EU and it must be to data subjects who are in the EU.
That reading raises no real issues of extravagant jurisdiction and we submit that this is the way a court should interpret it to do the least violence to principles of international comity.
Community language versions
In our view, the correct meaning of the English version of the Regulation is that the offering of goods and services must take place in the Union to people who are in the Union. Offering from outside the Union to people in the Union is not per se sufficient.
This is consistent with the French, Spanish, Swedish, Dutch, Italian and Portuguese language versions of the article (authors' own translation). The German version of the article does not contain a qualifier to betroffenen Personen (ie "affected persons/data subject") in article 3.2(a). A German academic commentator2 suggests that it is the offering that must take place in the EU rather than that the only test is that "a subject" be in the EU.
Although all language versions of EU instruments have equal validity, the European Court of Justice formally works with the English and French versions. It seems clear that at least the survey of languages mentioned above (excluding German) suggests that they agree with the English version, and it is the German version that is (subtly) an outlier.
On that close reading of the targeting jurisdiction, both the data subject and the offering must be in the Union. In the context of digital transactions, the latter presents interesting questions that ultimately, we submit, mean that the extra-territorial effect of the GDPR is more limited than Recital 23 suggests.
Factual example 1
Assume a professional body provides credentialing services for overseas professionals who wish to practise in Australia. The professional body hosts the application form on a server (presumably) in Australia. That server has a website that is accessible on the world wide web via the internet.
A person in the EU by searching or by access to information sites will locate the body's website.
The EU data subject will send a command via their own computer to a server (in the EU). The EU server then transmits that command via packetisation across the internet.
That command will be received by the Australian server hosting the body's website and re-formed.
The server will then execute a command to send the application document in PDF form via packetisation to be reformed in downloadable form on the recipient server (which may be in the EU). The applicant then prints the PDF and completes it in a hard copy and sends it to the body by old fashioned post or as above.
The body, in Australia, assesses the material, confirms that it meets criteria (or not) and then (presumably) sends an email to the applicant in the EU indicating whether or not the credentials match the criteria.
In our view, the services that the body provides are:
- posting the application form on the world wide web
- arranging for the server hosting of the application form to be sent on request via the internet
- assessing the material, and
- informing the applicant as to their success or otherwise
In our view, none of these services (as described above) take place outside Australia. By hosting the material on the Australian server, the body includes code commands that will respond to an enquiry from the EU and send the PDF to the EU. The server in the EU is merely an active sender of a request in the first case and a passive recipient of a command in the second.
The services provided by the server in the EU are certainly services provided "in the EU" for the purposes of article 3.2(a), but we assume that the body is not in the business of hosting servers and therefore that is not a service provided by the body.
It seems to us to be relatively clear that the service of assessing applications takes place in Australia. In our view, therefore, no service provided by the body takes place in the EU and provided no other article 3 head of jurisdiction is enlivened, the body does not have to comply with the GDPR.
Factual example 2
We deliberately chose a more esoteric services provider as example 1 as it raises interesting issues. More prosaically, what about a physical book provider called Nile (assuming for the purposes of our example that a German user only has access to Nile US and that Nile has no EU affiliates or presence).
Once again, the transaction breaks down into various stages:
- The German user sends a command via their computer to an EU server which then sends the command to Nile US's US server.
- The transaction is paid for in the same way and processed in the US on a US card server.
- Nile US packs the book in its US warehouse and contracts with a US carrier in the US to ship the book to Germany.
- The book arrives at Hamburg on a US flagged ship or plane.
- A local German company collects and delivers the book.
In our view, the only obvious services offered in the Union are (a) and (e). Neither are offered by Nile US. On our reasoning, Nile US is not caught by the GDPR.
The question is then posed, what about Recital 23?
In our view, at best this is a performative utterance as to the power of the EU to enact article 3 of the GDPR. There is nothing vague in article 3 such as to require the assistance of Recital 23, and in any event we submit that this would be an impermissible exercise, at least in a common law approach, as article 3 is clear on its face.
To read Recital 23 as widening the clear words of article 3 would firstly be adding words when no words are needed to make sense of article 3, but more importantly would be to breach comity by asserting extravagate jurisdiction. Recital 23 aids in the interpretation of article 3 at best, in that it supports an argument that the GDPR seeks to cast its net widely, but Recital 23 cannot add more links to the net than article 3 provides.
It is clear that the GDPR raises significant extra-territoriality issues.
However, in our view, a close reading of article 3.2(a) and the general principles of international jurisdiction, especially when read against the background of Recital 23's disavowal of mere availability on the world wide web as a basis for jurisdiction, suggest that the GDPR's extra-territorial reach may not be as long as those on the more imperial side of the debate think it might be.
This is an important issue in terms of ongoing functioning of businesses located in other jurisdictions such as Australia, and merits close analysis and consideration.
Whatever the legal argument, non-EU offerors of goods and services via the world wide web would do well to consider appropriate structuring of their operations to minimise the ability of the EU to assert (incorrectly in our view) jurisdiction over their operations overseas.
As the GDPR gives power to exact significant fines, Australian companies should limit any physical EU, either absolutely or via a structure, involving sister companies rather than a parent subsidiary relationship, as the latter can have unintended consequences in terms of liability for control or processing in the EU.
1 See in the US the seminal case of Zippo Manufacturing v Zippo.com 952 F Supp 1119 (WD Pa 1997), South Dakota v Wayfair, Inc 585 US (2018), and in Australia by analogy Dow Jones & Co Inc v Gutnick (2002) 210 CLR 575; 194 ALR 433;  HCA 56; BC200207411.
2 Ennöckl, Europaische Datenschutzgrundverordnung, Nomos-Verlag, 2 ed, Baden-Baden, 2018 (authors' own translation).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.