Guidance from Across the Pond: Guidelines on the Territorial Scope of the GDPR
Written by Elizabeth M. Young LaBerge, Senior Regulatory Compliance Counsel, NAFCU
The European Data Protection Board (EDPB) is an independent European body created by the GDPR and composed of representatives of the Data Protection Authorities (DPAs) of each European Union (EU) member state, together with the European Data Protection Supervisor. It is tasked with ensuring consistent application of the GDPR across the EU. Part of the EDPB’s duties is to provide guidelines on the GDPR. In November, it issued its third set of guidelines, which might be of interest to some credit unions.
Guidelines 3/2018 discuss the territorial scope of the GDPR. We blogged on the GDPR’s territorial scope back in April. While these guidelines still leave a lot of unanswered questions, they do clarify and confirm some things that might provide a little reassurance for credit unions still trying to determine their risk under the GDPR.
Data Subjects in the EU
The guidelines continue to stress that the GDPR’s protections are extended to individuals who are in the EU, regardless of their nationality or place of residence. However, the EDPB indicates that the GDPR was not necessarily intended to capture incidental data processing:
“The EDPB also wishes to underline the fact of processing personal data of an individual in the Union alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the Union. The element of “targeting” individuals in the EU, either by offering goods or services to them or by monitoring their behavior (as further clarified below), must always be present in addition.” (Emphasis added).
The guidelines offer this example:
“Example 9: A U.S. citizen is traveling through Europe during his holidays. While in Europe, he downloads and uses a news app that is offered by a U.S. company. The app is exclusively directed at the U.S. market. The collection of the U.S. tourist’s personal data via the app by the U.S. company is not subject to the GDPR.”
The Targeting Criteria
The territorial scope of the GDPR is set out in Chapter 1, Article 3. Of interest to most US credit unions is Article 3(2), which contains the language that attempts to bring organizations with no establishment in the EU within the GDPR’s scope. Generally, it states that an organization that offers goods or services to a data subject in the EU, or that monitors behavior taking place in the EU, may be subject to the GDPR. The guidelines refer to this part of the article as “the targeting criteria.” An organization that meets either criterion would, in theory, fall within the scope of the law.
Offering Goods and Services
The discussion of the “offering goods and services” criterion is mostly a confirmation of earlier interpretations across the privacy industry. The EDPB stated that, to determine whether an organization offers goods or services to someone in the EU, it would consider whether the organization’s conduct demonstrates an intention to do so. It cited the same EU case law discussed in our April blog and the factors discussed in that case, including:
- Naming EU member states in connection with an offered good or service;
- Paying a search engine to facilitate access to its website by EU customers;
- Launching marketing or advertising campaigns directed at an EU audience;
- International nature of goods or services offered, such as tourist activities;
- Mention of dedicated addresses or phone numbers for consumers in the EU;
- Use of a top-level domain using an EU member state suffix such as .de or .eu;
- Description of travel instructions from EU member states;
- Mention of an international clientele including customers domiciled in EU member states;
- Use of an EU currency, or of a language other than the one generally used in the organization’s country of establishment; or
- Offering delivery of goods to EU member states.
See, Judgment of 7 December 2010, Pammer and Hotel Alpenhof, Joined Cases C-585/08 & C-144/09; EU:C:2010:740, para. 75-94.
As you can see, all of these involve some degree of intention and purposeful targeting of potential or existing customers in the EU, not one-off, accidental or incidental offerings to someone who happens to be in the EU. While this was not a surprise, it is good to have this analysis confirmed.
Monitoring Data Subjects’ Behavior
The second criterion, “monitoring data subjects’ behavior,” has always been the less clear of the two. Whereas there is a degree of intentionality built into the “offering goods and services” criterion, it has never been clear whether the same applies to monitoring data subjects’ behavior. The EDPB indicates that there is no “intention to target” requirement for this criterion; “[however] the use of the word “monitoring” implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behavior within the EU.”
“Example 16: An app developer established in Canada with no establishment in the Union monitors the behavior of data subjects in the Union and is therefore subject to the GDPR, as per Article 3(2)b. …”
What has never been clear is whether that monitoring, or the “specific purpose” behind collecting the data, must relate to behavior generally or to behavior in the EU specifically. However, since the guidelines seem to indicate that some degree of targeting must always be present, there does appear to be some cover for purely incidental monitoring.
Regarding what constitutes monitoring, the EDPB indicated that a range of online tracking activities, including tracking through cookies, can meet this bar, and listed the following as examples:
- Behavioral advertisement;
- Geo-localization activities, in particular for marketing purposes;
- Personalized diet and health analytics services online;
- Market surveys and other behavior studies based on individual profiles; or
- Monitoring or regular reporting on an individual’s health status.
While the guidance provides both a little comfort and a little frustration, it is important to remember that, ultimately, it is not clear that the GDPR is even enforceable against credit unions without a physical presence in the EU. As we have discussed before, credit unions still working on assessing their risk under the GDPR may wish to consult an attorney competent in international law.