The General Data Protection Regulation (GDPR) widely expands application of European data protection law. Thus, non-European companies will fall increasingly within the scope of European data protection law. The scope of application in detail remains uncertain and can pose serious legal challenges to non-European companies. Where European data protection law claims its application there is a serious likelihood of conflicts with the rules of their national (data protection) law.
The territorial scope of the GDPR, and accordingly of European data protection law, is defined in Art. 3 GDPR and bases the applicability on either the location of an establishment of a controller (see 1) or the market that a controller targets with its data processing (see 2).
1. “Establishment” test – Art. 3(1) GDPR
Pursuant to the “establishment” test in Art. 3(1) GDPR, controllers fall within the scope of European data protection law, where they are established in the territory of the European Union and the processing of the personal data is carried out in the context of the establishment’s activities.
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
This is true irrespective of where the data processing actually takes place or where the hardware used for the processing is located. In consequence, a company established in the European Union cannot escape application of European data protection law by outsourcing its data processing activities to a non-European country.
Requirements for a company to be established in the European Union are low. According to Recital 22 establishment implies
“the effective and real exercise of activity through stable arrangements.”
In accordance with the rulings of the ECJ (Weltimmo judgment) the presence of only one representative can suffice to constitute a stable arrangement
“if that representative acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State in question.”
For a company to fall within the scope of European data protection law, a permanent office within the European Union with one computer and one employee, e.g. one in charge of sales in the European Union, may suffice to trigger application of European data protection law. This holds true even if all personal data is stored and processed outside the European Union, where and to the extent that the activities of the employee within the European Union are economically or organizationally linked to the data processing. The ECJ continues to uphold this broad understanding of a European-based establishment. The latest and widely discussed landmark judgment in this respect is the so-called Google Spain decision. Here, the ECJ ruled that the search engine activities of Google (headquartered in the US) are activities sufficiently connected to the subsidiary Google Spain and thus fall within the scope of European data protection law. The function of the subsidiary in the case at hand was marketing of advertisements for Google; Google Spain itself did not process any personal data.
The principles resulting from ECJ case law concern European data protection law prior to the GDPR entering into force, but may be applied under the GDPR as well. Hence, for applying European data protection law, it is not required that the establishment itself processes personal data. Rather, the processing must be carried out in the context of the activities of an establishment.
2. “Offering goods or services” test and “monitoring” test – Art. 3(2) GDPR
Introduction of the two-limbed test in Art. 3(2) GDPR triggers far-reaching changes for the extraterritorial application of the GDPR. Accordingly, the GDPR applies
“to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
Even if companies are not considered to be established in the European Union (see above), European data protection law may nevertheless be applicable to companies processing personal data in order to offer goods or services in the European Union or monitoring the behavior of data subjects in the European Union.
2.1 Offering goods or services – Art. 3(2)(a) GDPR
A non-European company offering goods or services to natural persons in the European Union and processing personal data in this context falls within the scope of the GDPR, regardless of whether the offering is subject to remuneration or free of charge. Pursuant to Recital 23, the essential question is
“whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”
Operation of a website and connected web shop offerings are the classic example. The mere fact that the website is accessible within the European Union is not sufficient to apply European data protection law. The operation must rather target the European market. In determining whether the European Union is the target market, relevant factors are the use of European Union languages and the option to pay in a currency of the European Union. For instance, if a data subject in the European Union were to book a trip to New York using the website of a US-based travel agency that offers English, French and Spanish language options and payment in Euro, European data protection law would apply.
2.2 Monitoring of data subjects – Art. 3(2)(b) GDPR
Art. 3(2)(b) GDPR further expands the territorial scope of the GDPR and thus of European data protection law, where the processing of personal data is related to monitoring behavior of natural persons within the European Union. This rule is technologically neutral. However, it is clear from Recital 24 that the legislator’s intention was making web tracking and profiling by non-European businesses subject to European data protection law.
“The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
Whether a website is targeting the European market or not is irrelevant according to the wording of Art. 3(2)(b) GDPR. Mere accessibility of a website from within the European Union could lead to the application of European data protection law. Where a website is accessed by a data subject in the European Union and the website deploys cookies to analyze the surfing behavior of the data subject, European data protection law would apply. In light of the rule in public international law to refrain from extraterritorial application of national laws, the scope of Art. 3(2)(b) GDPR would need to be restricted to websites that target European users. Whether or not this legal view will be accepted in literature and jurisprudence, however, remains to be seen.
3. Consequences and the lack of conflict-of-law solutions
Due to the wide territorial scope of Art. 3 GDPR, European data protection law applies to many non-European companies. At the same time, these companies must follow their national (data protection) laws. This may result in conflicting obligations. For instance, where US national security legislation imposes an obligation to provide specific personal data to the authorities, this provision of data may be considered a violation of European data protection law.
Conflicts between different jurisdictions regarding their application occur in many areas of law and must be resolved on a case-by-case basis in order to determine the applicable jurisdiction. In many areas there are extensive rules on such conflicts of law. So far, there is no coherent conflict-of-law regime for data protection, and the GDPR does not offer any related guidance for finding an applicable jurisdiction other than European data protection law. From the perspective of European data protection law, the rule thus stands: “EU Data Protection Law First.”
Where the national data protection law applying to the company in question comes to the same conclusion regarding its own applicability, the result is a catch-22. While in individual cases an adequate legal or technical solution might be found and it may be possible to mitigate the conflict, in many cases the affected companies may be forced to choose to violate one jurisdiction’s requirements in order to comply with the other’s. The only solution to this dilemma is the development of an international conflict-of-law regime for data protection, which is still pending today.
The GDPR has widely expanded the territorial scope of European data protection law. Even businesses with little connection to the European Union can fall within the scope of European data protection law. For those companies, conflicts regarding the application of European and national (data protection) law may arise and may not always be resolved adequately. Until the creation of an international conflict-of-laws regime for data protection, it comes down to individual and creative solutions and, eventually, a trade-off between compliance with one jurisdiction’s data protection laws at the expense of another jurisdiction’s.