Spanish Court debts, an 11-year-old newspaper story and google results highlight data protection concerns. These concerns resulted in EU data protection law extending to some non-EU based data controllers. Some companies based outside the EU will need to comply with GDPR. How can you assess if your company falls within the “territorial scope” and what will you need to do?
GDPR clearly applies if you are a data controller or data processor based in the EU. If you fall into this category there are changes to the rules that determine under which EU country’s laws your activities fall. These broadly impact where you deal with access requests, which Supervisory Authority(SA) you interact with and which regime will impose fines in the case of a breach. I will deal with these in August.
This instalment is of interest to those companies who are based outside the EU but do business with data subjects based within the EU. Explaining how GDPR impacts if you are a data controller based outside the EU.
First an 11-year-old Newspaper story that just won’t go away
In 1998 a Spanish property owner had some social security debts that were widely reported in the newspapers. In 2009, a google search on the same person’s name returned the 11-year-old newspaper reports in 1st place.
The Spanish property owner asked Google Spain to remove the results. He argued they were old and out of date. Google Spain forwarded the request to Google Inc., whose registered office is in California. Google Inc. refused to alter the search results.
This prompted the Spanish property owner to make a data protection complaint to the Spanish Data Protection Authority(AEPD). His argument was that 11 years have passed and this was no longer relevant. It, therefore, amounted to a breach of his data protection rights.
A geographical conundrum
The case eventually passed to the European Courts of Justice (CJEU) where Google Inc. tried to argue that it was not subject to EU data protection laws. Google Inc. claimed it was not established in the EU.
Google claimed that no processing of personal data relating to its search engine takes place in Spain. (Interestingly, it did not disclose where exactly processing does take place). Google Spain, it argued, was merely acting as a commercial representative of Google for its advertising functions. Google Inc. then said as it was not established in the EU it was not subject to EU regulation.
Many, many arguments later in the Court of Justice of the EU (CJEU) found that Google Spain’s business model depended on the processing carried out by Google Inc. is in fact “established” in the EU for the purposes of data protection law.
The conclusion of the case resulted in the Right to be Forgotten ruling of which was more at a later date!
[Google aren’t necessarily “bad guys”. They are fiercely protective of their search algorithms and hate any outside interference with them. However, in most cases no one wants 11-year old news appearing at the top of any results. Ultimately cleaning up Google’s algorithms is not such a bad thing. Ironically a search on the Spanish property owner’s name is permanently linked with European case law and will forever justifiably top google search results. (Google Mario Costeja González)]
“Where is data protected” is a complex question?
The case highlights some of the complexities in determining who applies European data protection law and in which country.
Something that the GDPR is addressing using a number of measures:
- Harmonisation of data protection law and enforcement approaches across the EU.
- New rules for data controllers and data processors within the EU.
- Rules for non-EU based data controllers who are based outside the EU but do business with data subjects based in the EU.
The territorial scope of data protection law is changing
Are you a non-EU based data controller who handles the personal data of anyone based in the EU? The “territorial scope” of European data protection law has been extended to include you. GDPR sets out rules for non-EU data controllers who do business with data subjects in the EU.
Under the new regulation if you process data while offering goods or services to data subjects who are in the EU then you are a data controller subject to EU regulation.
It doesn’t matter where your company is based. If you do business with data subjects in the EU then you need to comply with EU regulations.
It doesn’t matter if the service or goods are “connected to a payment”. Services offered in exchange for advertising eyeballs are just as much in scope as services subject to an exchange of contracts and invoices.
The wording “data subjects who are in the Union” is quite deliberate. The GDPR covers data processing of EU citizens as well as temporary residents and even those on vacation. (Those Brexiters who just love their weekend European city breaks for instance!).
How do you know if your non-EU business comes in scope of EU data protection law?
The “territorial scope” clause doesn’t mean that every single web-based business that is accessible from within the EU is in the scope of the GDPR. The fact that someone in the EU can visit your New Zealand Wineries or your Melbourne Coffee Tours website does not automatically bring your website into “territorial scope”. You have to be doing something to actively reach out to someone in the EU.
The regulation outlines a few tests to determine if your processing is targeting EU based data subjects.
- Domain Name: Do you have an EU based domain name? A .de or .fr , .ie or .eu domain is inferred to be aiming services within the EU.
- Language: Do you have a French language version of your website? If you aren’t located in a French speaking country, then that could be inferred as addressing EU based data subjects.
- Currency: Do you offer transactions in Euros or another EU based currency?
- Content: Do you have referrals from Thalia from Athens? Or testimonials from Isabella from Santander?
Your New Zealand winery tours have prices quoted in Euro and testimonials from Thalia and Isabella. This could bring your company under EU data protection regulation.
(Don’t worry New Zealand Winery Tours Company, there is a get-out clause in your case. You are offering services to EU citizens while they are not in the Union. GDPR clearly states “the processing of personal data of data subjects who are in the Union “. I don’t think you’ll be getting any urgent visits from EU Data Protection Authorities quite yet!).
So you are targeting within the EU, what now?
So you might tick some of the boxes above but there are some more tests you need to apply. Based outside the EU and coming within the territorial scope of GDPR, what now?
Is the processing occasional or regular? Do you process special categories of data? Does your data processing represent a potential risk to the data subjects?
You may still be exempt:
- If you only occasionally process personal data from EU based data subjects;
- if the personal data you process is not “on a large scale”;
- If the personal data you process does not include special categories of personal data or the processing of personal data relating to criminal convictions and offenses.
- If the nature, context, scope and purposes of the processing is unlikely to result in a risk to the rights and freedoms of the data subject.
A Data Protection Impact Assessment will help you to identify if you are exempt or if you need to consider compliance with the GDPR. (I am currently drafting a DPIA questionnaire aimed at non-EU based controllers. If you would like a copy to drop me an email. I’ll get one to you as soon as it is completed).
If you conclude that you do need to comply with the GDPR you will need to appoint a European representative to carry out various compliance duties on your behalf. Territorial scope of GDPR = regular processing personal data + targeted within the EU.
The role of a representative data controller in the EU
Where the “territorial scope” extends to non-EU based data controllers, those companies will need to nominate an EU representative.
- The EU representative is the first point of contact with your business for data subjects and for the data protection supervisory authorities. You must publish the contact information for your EU representative alongside your own contact information on your website and with your terms of service.
- Locate your representative in a member state where your EU data subjects are based. For instance if you operate a German language website and target your services toward Germany you should locate your representative in Germany. If you more generally target the entire EU then you should be able to select the country where you base your representative.
- The EU representative must operate under your directions and these must be in writing. The legislation does not specifically state “under contract” but it’s fairly safe to assume it needs to be under contract.
- Your EU representative will be designated “without prejudice” to legal actions that may be taken against the data controller or the data processor. You will not be outsourcing your ultimate responsibility to the data subjects.
In my opinion, a good EU representative won’t simply provide an EU presence and point of contact for your business but will add value by offering training, specialist advice and assessment services. There will be companies in Europe offering European Data Controller services. (Safe Data Matters will be one of these, for the technology sector). I will also come back to this at a later stage when the guidelines from the GDPR working party and supervisory authorities becomes clearer.