Since the European Union adopted the Data Protection Directive ("Directive") in 1995, technology and the internet have continued to evolve and to reach ever deeper into our lives. Because of the wide use of the internet, the processing of personal data has become transnational and poses a serious challenge for legislators[1]. Faced with those challenges in the field of data protection law, the European Union decided to put the genie back into the bottle and started work on a new data protection law. As a result, the General Data Protection Regulation ("GDPR") took the stage and entered into force on 25 May 2018, repealing the Directive. GDPR has become one of the most crucial and controversial pieces of legislation globally because of its territorial scope.
GDPR lays down rules relating to the protection of natural persons with regard to the processing of their personal data[2]. Under GDPR, the processing of personal data covers actions including, but not limited to, "collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction"[3]. From this perspective, any activity falling within this definition in Article 4 of GDPR and carried out by a controller or a processor is "processing" within the scope of GDPR.
Whose processing is subject to GDPR? Is processing carried out by natural or legal persons outside Europe also subject to GDPR? On 16 November 2018 the European Data Protection Board ("EDPB") adopted a guideline on the territorial scope of GDPR ("Guideline") to provide further direction on this question.
I. ARTICLE 3: TERRITORIAL SCOPE OF GDPR
GDPR's territorial scope is based on two main criteria: the "establishment" criterion under Article 3(1) and the "targeting" criterion under Article 3(2).[4]
A. Article 3(1) – Establishment Criterion
Article 3(1) states that "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."[5] Pursuant to Article 3(1) of GDPR, (i) if an establishment of a data controller or processor is in the Union and (ii) if that establishment processes personal data, there is no doubt that the establishment is subject to GDPR. According to Recital 22 of GDPR, "establishment" implies "the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect."[6] Since this wording is the same as that of Recital 19 of the Directive, two ground-breaking decisions of the Court of Justice of the European Union ("CJEU") on the territorial scope of the Directive under the "establishment" criterion are instrumental for interpreting Article 3(1). The first is the Google Spain v. Costeja Gonzalez decision. Although Google Inc. is a company based in the United States, Google processes personal data in Member States through an establishment based in Member States, namely a subsidiary of Google. According to the CJEU, the activities of that establishment are inextricably linked to Google Inc.[7], so the Directive applies to Google Inc. even though the headquarters of the group is based outside the EU. Having a subsidiary and conducting business through it is enough to fall within EU jurisdiction; it is not necessary for the data controller to process data within the EU[8].
The second significant decision is the Weltimmo case, which is in line with Google Spain but interprets the territorial scope of the Directive even more broadly. In that case, having even one representative in a Member State who acts with a sufficient degree of stability to provide specific services for a company based outside the EU was considered enough to constitute a stable arrangement.[9] In addition, if such an establishment exercises effective activity[10] through stable arrangements, it falls within the scope of the Directive.
In the Guideline, EDPB follows the CJEU's interpretation of "establishment" in Weltimmo and Google Spain when determining the scope of Article 3(1). According to the Guideline, an inextricable link between the activities of an EU establishment and data processing carried out by a non-EU controller or processor may trigger the applicability of GDPR, even if the EU establishment itself plays no role in the processing activities.
EDPB recommends a two-fold assessment to determine whether GDPR applies to a non-EU organization's processing activities: first, determining whether personal data is being processed, and secondly, identifying potential links between the processing activity and the activities of any presence of the organization in the EU.[11]
Moreover, GDPR applies to the processing activities of an establishment in the EU even where the processing takes place outside the EU. The Guideline gives the following example: a French company operates a car-share application for customers in Morocco, Algeria and Tunisia only, but processes the personal data in France as a data controller. In that case, although the personal data is collected in non-EU countries, GDPR applies to the processing under Article 3(1), since it is carried out in the context of an establishment in the EU.[12]
Consequently, if a Turkish company established outside the EU has a representative or establishment in the EU that processes personal data on the Turkish company's behalf, the Turkish company itself would be subject to GDPR by virtue of that representative's or establishment's processing activities.
B. Article 3(2) – Targeting Criterion
The controversial part of Article 3 is clearly its second paragraph, since it makes GDPR applicable to controllers and processors even where they are not established in the European Union. Article 3(2) states that "This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union."[13]
These two sub-paragraphs give GDPR an "extraterritorial" scope. Article 3(2) itself does not spell out how this extraterritorial scope is to be interpreted, so Recitals 23 and 24 play an important role. Before looking at the recitals in more detail, however, one should remember that recitals are non-binding: they may be used to interpret the articles, but they do not carry the binding authority of the provisions of the legislation themselves.
First of all, for GDPR to apply to a controller or processor outside the EU, the data subject of the processing activity must be an EU resident natural person. The Regulation makes clear that its application is based not on citizenship but on residence. If such controllers' or processors' processing activities, whether for offering goods and services or for monitoring data subjects, target EU residents, GDPR becomes a factor they have to deal with.
Although the determining factor for the targeting criterion under Article 3(2) is the data subject being in the EU, EDPB considers that the nationality or legal status of the data subject has no impact on the territorial scope of GDPR. Furthermore, according to EDPB, for Article 3(2) to apply, the data subject must be in the EU at the moment the relevant trigger activity of the targeting criterion takes place.[14]
EDPB also underlines in the Guideline that mere processing of the personal data of data subjects in the EU, without the element of "targeting" individuals in the EU, is not sufficient for GDPR to apply. For instance, if a U.S. citizen downloads and uses a news application offered by a U.S. company, an application directed exclusively at the U.S. market, while in Europe, the U.S. company's processing of that citizen's personal data via the application is not subject to GDPR[15], since the processing lacks the targeting element required by Article 3(2).
Another example is a bank in Taiwan that does not direct its activities at the EU market and is active only in Taiwan, but has German customers residing in Taiwan. In this case, GDPR does not apply to the processing of those German customers' personal data, since the bank's processing is not related to a specific offer directed at individuals in the EU.[16]
According to EDPB, GDPR likewise does not apply where a Canadian immigration authority processes the personal data of EU citizens in order to examine their visa applications on entry to Canadian territory, since there is no specific offer to data subjects in the EU.[17]
B.1. Offering Goods and Services
Recital 23 states that "mere accessibility of controller's, processor's or an intermediary's website in the Union, of an e-mail address or of other contact details, or use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods and services to data subjects in the Union". Although Recital 23 provides a general framework for interpreting the offering of goods and services, the Guideline gives further clarification on Article 3(2)(a).
EDPB states in the Guideline that a combination of some of the factors listed below may be taken into account in determining whether an offer of goods or services is directed at data subjects in the EU:
- "The EU or at least one Member State is designated by name with reference to the good or service offered;
- The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union, or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
- The international nature of the activity at issue, such as certain tourist activities;
- The mention of dedicated addresses or phone numbers to be reached from an EU country;
- The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example ".de", or the use of neutral top-level domain names such as ".eu";
- The description of travel instructions from one or more other EU Member States to the place where the service is provided;
- The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
- The use of a language or a currency other than that generally used in the trader's country, especially a language or currency of one or more EU Member states;
- The data controller offers the delivery of goods in EU Member States."[18]
An example is a website, based and controlled in Turkey, that offers services for creating, editing, printing and shipping family photos to the UK, France, the Benelux countries and Germany. The website is available in several Member State languages (English, French, Dutch, German) and indicates that payment can be made in euros and sterling. Since more than one of the indications listed above is present, GDPR clearly applies to this Turkish website under Article 3(2)(a).[19]
On the other hand, where a private company based in Monaco processes the personal data of its employees, who are French and Italian residents, for the purpose of paying their salaries, GDPR does not apply to that processing under Article 3(2)(a), since paying salaries cannot be considered an offer of goods or services.[20]
As a result, if Turkish companies specifically and purposely provide services or offer goods to EU residents through their activities, and those data subjects are in the EU at the time of the activities, the Turkish companies fall within the scope of GDPR. To determine whether a Turkish company's activities truly target EU residents, the recitals and the list published in the Guideline can serve as a first-round checklist before any further analysis.
B.2. Monitoring of Behaviour
On the processing of personal data through monitoring, Recital 24 states that "monitoring could be considered as whether natural persons are tracked on the internet ... in order to take decisions concerning her/him or analyze or predict her/his personal preferences, behaviors and attitudes". According to EDPB, not every collection or analysis of the personal data of data subjects in the EU is automatically "monitoring". The data controller's purpose for the processing, and any behavioural analysis or profiling techniques used, must also be taken into account under Article 3(2)(b).[21] Although neither Article 3(2)(b) nor Recital 24 explains what degree of targeting amounts to monitoring, EDPB states that the controller must have a specific purpose for the collection and there must be subsequent reuse of the data for a collection to be deemed "monitoring".[22] In addition to targeting, the monitored behaviour must take place within the EU for Article 3(2)(b) to apply.
To shed light on which activities would be deemed monitoring, EDPB gives the following examples in the Guideline:
- "Behavioural activities,
- Geo-localization activities in particular for marketing purposes,
- personalized diet and health analytics services online,
- Market surveys and other behavioural studies based on individual profiles,
- Monitoring or regular reporting on an individual's health profiles."[23]
An example is a marketing company established in the USA that analyzes the movements of customers shopping in a shopping center in France through Wi-Fi tracking. Since the marketing company monitors individuals' behaviour through this activity, and the data subjects' behaviour takes place in the EU, the marketing company, as a data controller, is subject to Article 3(2)(b) of GDPR.[24]
II. THE PERSPECTIVE OF THE DOCTRINE ON THE INTERPRETATION OF THE EXTRATERRITORIAL SCOPE
To anticipate how the CJEU will approach future cases under GDPR, a judgment given in the field of European consumer protection law (which shares several key features with data privacy law) is useful. In that judgment, the CJEU held that whether a trader has directed its activity to the Member State of the consumer's domicile is to be decided by asking "whether, before the conclusion of any contract with consumer, it is apparent from those website and the trader's overall activity that the trader was envisaging doing business with consumers domiciled in one or more Member States, including the Member States of that consumer's domicile, in the sense that it was minded to conclude a contract with them"[25]. With that in mind, the CJEU is likely to decide GDPR cases by reviewing whether a business intentionally conducts business with data subjects in the EU and makes that intention apparent even before any contract is concluded.
Moreover, Paul de Hert and Michal Czerniawski argue that GDPR does not apply where there is no strong relationship between EU law and the data controller's activity, even where the data subject is an EU resident. The Guideline shows that EDPB takes the same line. They assert that the opposite interpretation would go beyond the principle of legitimacy and amount to excessive extraterritoriality. According to them, GDPR cannot apply where a European tourist goes shopping on Fifth Avenue in New York[26]. The only connection between the shop and EU law is that the tourist is an EU resident, whereas the situation has a much stronger connection with U.S. law (under the territoriality principle).[27]
On the other hand, a U.S. provider offering cloud-based services to individuals in the EU, even where the services require no payment and the provider has no establishment in the EU, is an acceptable example of the extraterritorial scope of GDPR where the services involve the processing of personal data and target the EU[28].
A case concerning the profiling of EU residents' data involves Nest Labs Inc., a company based in California with offices in London. Bearing in mind that the UK was in the EU while the Directive was in force, Nest Labs Inc. was offering goods in the EU in the form of Nest thermostats, and those thermostats collected personal data such as the room temperature at which "you like eating breakfast"[29]. The Directive applied to Nest Labs Inc., and GDPR should apply as well, given that Nest Labs Inc. both offers the thermostats for sale on EU markets and profiles data subjects based on the temperature preferences in their homes.
Article 3 is an ambiguous provision of GDPR and at the same time one of its most important. Since the territorial scope is not explicitly regulated in GDPR, EDPB's Guideline brings further clarification to that ambiguity.
A company established outside the EU, such as a Turkish company, must comply with GDPR where it has in the EU either (a) a representative, having a stable arrangement and exercising effective activity through that arrangement for the non-EU company, or (b) an establishment whose activities are inextricably linked with the non-EU company, and that representative or establishment processes personal data on behalf of the non-EU company.
Furthermore, a company established outside the EU must comply with GDPR if it intentionally offers goods and services to EU residents or monitors data subjects who are in the EU, as explained above. The criteria set out in Recitals 23 and 24 and in the Guideline may be used as a first-round checklist to determine whether such a non-EU company is subject to GDPR and must comply with it.
Under the "you may be subject to EU law only if you target" rationale[30], companies that actually intend to reach persons in the EU should consider GDPR compliance first, since GDPR carries severe sanctions, such as fines of up to 4% of a company's total global turnover.
1. de Hert, P. and Czerniawski, M. (2016). Expanding the European data protection scope beyond territory. International Data Privacy Law, Vol. 6, No. 3.
2. Article 1 of the General Data Protection Regulation.
3. Article 4 of the General Data Protection Regulation.
4. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 3.
5. Article 3 of the General Data Protection Regulation.
6. Recital 22 of the General Data Protection Regulation.
7. CJEU, 13 May 2014, C-131/12 (Google Spain v. Costeja Gonzalez), para. 56.
8. de Hert, P. and Czerniawski, M. (2016), op. cit.
9. CJEU, 1 October 2015, C-230/14 (Weltimmo), para. 30.
10. CJEU, 1 October 2015, C-230/14 (Weltimmo), para. 29.
11. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 7.
12. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 8.
13. Article 3 of the General Data Protection Regulation.
14. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 13.
15. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 14.
16. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 14.
17. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 14.
18. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 15.
19. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 16.
20. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), pp. 16-17.
21. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 18.
22. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 18.
23. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 18.
24. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 18.
25. Svantesson, D. (2015). Extraterritoriality and targeting in EU data privacy law. International Data Privacy Law, Vol. 5, No. 4.
26. de Hert, P. and Czerniawski, M. (2016), op. cit.
27. de Hert, P. and Czerniawski, M. (2016), op. cit.
28. Voss, W. G. The Business Lawyer, Vol. 72, Winter 2016-2017.
29. Nest Labs 2016a.
30. de Hert, P. and Czerniawski, M. (2016), op. cit.