May 25, 2018, is around the corner and many people (including privacy professionals) are anxious and doubtful about certain enforcement aspects that the General Data Protection Regulation (GDPR) will bring with it as soon as it becomes applicable, as provided by its article 99.2.
One of the many changes that the GDPR is introducing is its territorial scope rules. These rules will make the GDPR one of the most impactful European laws in recent years, and they will oblige certain companies to rethink the way they devote time, effort and money to data protection compliance.
Article 3.2 of the GDPR has a lot of history, but let's just say that when it was approved the European Union (EU) was ready and determined to make one thing clear: we will protect the personal data of data subjects who are in the Union from whoever processes them, regardless of where in the world such processing occurs. We should not forget what the EU legislator said in recitals 23 and 24:
"(23) In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. [...]"
"(24) The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. [...]"
Clear statements that were followed by concrete steps to transform the EU's former data protection legal framework (i.e. Directive 95/46/EC and 28 national data protection laws) into one solid and unique set of rules that seek to provide worldwide protection to the personal data of data subjects who are in the Union.
And now, data controllers all around the world are wondering whether they must comply with the GDPR and how to do it correctly.
In this space, we can briefly refer to real scenarios happening in Mexico.
Offering of goods and services (GDPR: Article 3.2.a)
Although we had been working with one of our clients since late 2017 to prepare its group of companies for the application of the GDPR, reality knocked at the door sooner than expected.
This particular client operates luxury resorts that, as may be obvious, receive customers from all around the world, including nationals of EU countries. Complying with the Mexican Data Protection Law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) was never an issue for this client: they have wanted to comply ever since this law came into force in 2010.
However, even though they were convinced that the GDPR would apply to some of their activities, and we were already working on certain implementation steps, a sudden request from a large group of European tourists gave our client the conviction that we were on the right path.
The European group of tourists asked two questions: (i) Does your resort comply with the GDPR?, and (ii) if so, would you mind including an addendum to your Service Agreement regarding GDPR compliance? Big questions and an important request for a Mexican service provider whose compliance policies form part of its corporate image.
Thanks to our understanding of article 3.2 and of the intentions of the European legislator, we were ready to answer both questions positively, and we are still working to finish a complete set of actions to fully inform Europeans about how their personal data are adequately processed by this resort and how they can exercise their relevant rights.
This brief example raises general questions for many service providers in Mexico (and, actually, around the globe):
- Is the GDPR applicable to our offering of products/services?
- How can we comply with the GDPR if applicable to our offering activities?
- Should we appoint a representative as set forth in article 27 of the GDPR?
Others (let's be honest) are asking if there is a way to avoid the application of the GDPR to their activities.
Data transfers to third countries
Even if article 3.2 is not applicable to a Mexican company, the GDPR may still concern it if that company acts as an importer of personal data coming from the EU.
We are providing legal advice to Mexican subsidiaries of European holding companies that, for their daily operations, need to import personal data from those holdings. These Mexican companies have received a number of requests from their holding companies to "comply" with the GDPR in order to provide "appropriate safeguards" when processing personal data coming from the EU.
We must remember that, to this day, Mexico has not been recognised by the European Commission as a third country offering an "adequate level of data protection". Hence, data transfers to Mexico must comply with the new GDPR provisions that regulate data transfers in the absence of an "adequacy decision".
Article 46 of the GDPR provides that, in the absence of such an "adequacy decision", the controller or processor (data importer) shall provide one of the following "appropriate safeguards" before a controller or processor (data exporter) may transfer personal data to a third country:
- Binding corporate rules,
- Standard data protection clauses adopted by the European Commission,
- Standard data protection clauses adopted by a supervisory authority and approved by the European Commission,
- An approved code of conduct, or
- An approved certification mechanism.
Deciding which of the "appropriate safeguards" a Mexican data controller or processor should implement before receiving personal data from a European data exporter is a task that must be decided and implemented with the cooperation of all parties. The European side may be the leading party in this decision process, but it is also important to understand the Mexican side and, evidently, to define the Mexican side's level of compliance with its own data protection law.
We can anticipate that many communications will be exchanged between these types of companies for their data transfers to be compliant with the GDPR.
Monitoring of behaviour of data subjects who are in the Union (GDPR: Article 3.2.b)
We have not yet received a consultation regarding the application of this article. However, we find it useful to recall what recital 24 of the GDPR says about this scenario:
(24) [...] In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
This has just begun. New paradigms will appear with the application of the GDPR.
Non-EU companies are becoming aware that they should review whether the GDPR will be applicable to them, as on both sides of the Atlantic data controllers and data processors are taking steps to comply with this new regulation.
We are sure that new stories coming from the extraterritorial application of the GDPR will emerge.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.