On European Folklore: Stories They Tell About Scope
Written by Elizabeth M. Young LaBerge, NCCO, NCRM, CIPP/US, Senior Regulatory Compliance Counsel, NAFCU
We have blogged about the GDPR here and briefly here, and NAFCU has spoken with a lot of credit unions about the GDPR one-on-one. We are finding that there is a lot of misinformation flying around about the GDPR, so we thought it might be useful to directly address a couple of myths that keep being perpetuated. And unlike other internet resources, we are going to do something different: we're going to actually cite to the rule.
The Legend of the European Union Citizen and Resident
We are consistently seeing other outlets state that the GDPR applies to information belonging to European Union citizens, or occasionally EU residents. Wouldn't it be great if it were true: it would be a bright, clear line. However, there is no basis in the rule itself to support this; in fact, the words "citizen" and "resident" do not appear in the text of the GDPR at all. Further, a careful reading of the regulation's recitals and policy goals makes it clear that the EU specifically intended not to limit the scope of the rule to EU citizens or residents:
"The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data." EU Regulation 2016/679, Rec. 2 (Emphasis added).
So, when defining its scope with regard to U.S.-based organizations without a presence in the EU, the GDPR states that it applies to "the processing of personal data of data subjects who are in the Union." EU Regulation 2016/679, Ch. 1, Art. 3(2). The GDPR's definitions indicate that a data subject is an "identifiable natural person." EU Regulation 2016/679, Ch. 1, Art. 4(1).
According to the GDPR itself, it does not apply to European Union citizens or residents as such; it applies to any identifiable natural person who is physically in the European Union, regardless of their nationality or residence.
The Myth of the Missing Organizational Scope
Another piece of the GDPR applicability that is continually glossed over is whether it applies to all organizations. For a large multi-national organization with a physical presence or significant customer base in the EU, there may be no point in discussing this. However, for most credit unions based entirely in the U.S., this deserves a much closer look.
The territorial scope of the GDPR is found in Chapter 1, Article 3. Below is the discussion of the scope of the rule to organizations not established in the European Union:
"2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union." EU Regulation 2016/679, Ch. 1, Art. 3(2).
So merely having a member or customer in the EU is not, by itself, enough to pull a credit union into the scope of the regulation. It must be processing that data in connection with one of these activities. The GDPR provides more detail about when an organization is engaging in these two activities.
Offering Goods or Services
The GDPR's recitals discuss who is and is not offering goods and services, and they specifically state that merely making a website or contact information accessible to persons physically in the EU is not sufficient to indicate an intention to offer goods and services to data subjects in the EU. See, EU Regulation 2016/679, Rec. 23. Instead, the GDPR states that one would need to ascertain "whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union." EU Regulation 2016/679, Rec. 23. This is a fact-based determination that hinges on whether the individual organization intends to engage with individuals physically in the EU. The GDPR states that factors indicating such an intention might include the use of a language used in one or more Member States, the use of a currency used in EU Member States, or referencing EU-located customers or users. See, EU Regulation 2016/679, Rec. 23.
We are still waiting on further guidance from the EU about how this language will apply. However, it is important to remember that the GDPR is not the first data protection regulation the EU has put in place, and there is a large body of case law from the EU and its Member States interpreting prior regulations. For example, the question of whether merchants were directing their activities to consumers in the EU has previously been addressed. In prior case law, the court looked at the use of international telephone numbers, top-level EU domains, language translation and currency conversion options, and whether advertising was directed at EU users, among other factors. See, Judgment of 7 December 2010, Pammer and Hotel Alpenhof, Joined Cases C-585/08 & C-144/09, EU:C:2010:740, paras. 75-94.
The recitals also discuss what constitutes "the monitoring of behaviour" within the meaning of Article 3(2)(b):
"In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes." EU Regulation 2016/679, Rec. 24.
The language referring to "tracking on the internet" is fairly broad, and may include simple tools like cookies. Until the EU provides further guidance on which activities are actually considered "monitoring," it is not clear whether activity by EU-located members that is accidentally captured by tools aimed at U.S.-based customers falls within the scope of the GDPR. However, the language in Recital 24 regarding profiling should not be overlooked. It is important to understand that the GDPR is particularly concerned with the monitoring of behaviour in order to build customer profiles, and with how those profiles are used to set the criteria and conditions for decision-making about those customers. See, EU Regulation 2016/679, Rec. 71; Ch. 3, Sec. 4, Art. 22.
It is critical to understand that a credit union's own tools and activities play a key role in determining whether it falls within the GDPR's scope as the rule sets it out. This gives credit unions the ability to speak with their vendors and IT staff about whether those tools and activities can be limited so that the credit union does not fall within the GDPR's scope as written by the EU. But what the rule says on paper is only one piece of this analysis. We will talk about the possible need for risk assessments surrounding the GDPR next time.