IndiaCorpLaw

Territorial Scope under General Data Protection Regulation

[Kunal Garg is an associate at Alaya Legal Advocates, New Delhi]

After years of discussion and debate, the European Union (“Union”/“EU”) adopted the General Data Protection Regulation (“Regulation”) on April 8, 2016 for the protection of the personal data of natural persons. The Regulation came into effect on May 25, 2018, replacing the old Directive 95/46/EC (“Directive”) on data protection. All organizations that come under the purview of the Regulation were given a two-year period to modify their policies and systems to bring them into line with it. But one question many organizations encountered was whether their activities or business establishment fell within the scope of the Regulation at all. Because of the Regulation’s extra-territorial applicability, even organizations that do not come directly under its purview modified their policies and systems to avoid any future liability. Article 3 of the Regulation sets out its extra-territorial scope. It states that the Regulation applies:

(i) to the activities of an establishment of a controller or processor in the Union in relation to the processing of personal data irrespective of the place where processing takes place;

(ii) to a controller or processor, irrespective of its place of establishment, in the context of the processing of personal data of data subjects (“Identifiable Natural Persons”) who are in the Union, where the processing activities relate to offering goods or services to data subjects (whether free or paid) or to monitoring their behaviour within the Union;

(iii) to the processing of personal data by a controller established outside the territory of the Union, but in a place where member state law applies by virtue of public international law, such as a consulate, diplomatic mission, etc.

Applicability to EU Businesses

The Regulation applies to controllers or processors established in the Union if they process any personal data of data subjects who are in the Union. More emphasis is required on the meaning of “establishment”, which is dealt with in recital 22 of the Regulation: an establishment implies the effective and real exercise of activity through stable arrangements. The legal form of the arrangement, whether branch or subsidiary, is not relevant here. The term “establishment” was first interpreted by the Court of Justice of the European Union in the Google Spain case, in which Google Spain, a subsidiary of Google Inc., was considered an establishment of Google Inc. in the Union and accordingly held liable for infringing the data protection Directive. The Court further stated that “Directive 95/46 does not require the processing of personal data in question to be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities’ of the establishment”. In this case, the processing by Google Inc. of the personal data of users from the Union was considered an activity carried out in the context of the activities of its establishment in the Union, i.e. Google Spain. Therefore, both Google Inc. and Google Spain were held to be covered by the Directive.

Further, the Court of Justice of the European Union in the Weltimmo case broadened the meaning of establishment to include all stable arrangements that carry on any real and effective activity, even a minimal one, in any member state of the Union. For example, if an airline company from India has a booking office or an agent’s office in the Union, that office will come under the meaning of establishment. This confirms that the legal form of an arrangement is not a relevant factor in determining whether an establishment exists in the Union. The meaning of the term ‘establishment’ in the Regulation is the same as it was in the Directive. Hence, in accordance with article 3(1), the Regulation applies to all businesses around the world that exist in the Union in any form, since they come under the meaning of establishment.

Applicability to Non-EU Businesses

In order to give the utmost level of protection to the personal data of data subjects who are in the Union, the Regulation also covers a controller or processor not established in the Union but offering any goods or services (whether free or paid) to data subjects in the Union. Unlike the Directive, the Regulation specifically includes an extra-territorial applicability clause. This clause is clearly intended to leave no room for any controller or processor to use the personal information of data subjects who are in the Union without their express permission or otherwise than for the purposes mentioned under article 6(1).

Article 3(2) states that the Regulation applies to all controllers or processors who process any personal data of data subjects who are in the Union, whether through an establishment in the Union or from outside the territory of the Union. This clause therefore also covers businesses that have no establishment of any kind in the territory of the Union but target individuals within the Union for buying or selling products or services, whether for free or for consideration. Recital 23 discusses the meaning of offering goods or services. The mere fact that a controller’s or processor’s website or email address is accessible in the Union does not mean that it is offering goods or services there. Applicability should instead be determined from the intention to offer goods or services in more than one member state. The intention of the controller or processor can be inferred from factors such as whether its website uses a member state’s language to offer goods or services, whether it deals in a member state’s currency, whether it targets customers or users who are in the Union, etc. This clause has compelled non-EU businesses to modify their policies and systems in accordance with the Regulation. The companies most substantially affected are e-commerce companies, which target large numbers of people from different parts of the world and in some cases store the personal data of their customers in order to provide them better services.

Sometimes, non-EU companies that operate outside the EU and do not provide any type of service to EU-based persons find it confusing whether the Regulation will apply to them if one of their clients visits the EU for a short-term purpose and accesses their website from the EU, because the clause reads: “this Regulation will apply to the processing of personal data of data subjects who are in the Union”. The phrase ‘data subjects who are in the Union’ does not mean that the Regulation applies to every individual who happens to be in the Union. The example below, given by the European Commission on its website, explains this better:

“Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”

The Regulation also covers controllers or processors (irrespective of their place of establishment) who monitor the behaviour of data subjects, as far as that behaviour takes place within the boundaries of the Union. Processing counts as monitoring of behaviour where it yields information relating to an identifiable natural person, or where a data subject can be tracked through it, including by the potential subsequent use of personal data processing techniques that profile the person (by behavioural characteristics, personal preferences, attitudes, interests, location, etc.). The Regulation therefore also applies to controllers or processors that place cookies on a data subject’s device to monitor his or her online behaviour. Cookies are small pieces of data placed by the service provider’s website on the user’s system in order to monitor the user’s activities. Cookies can provide a variety of personal information to the service provider, such as the data subject’s identity, location, device information, etc. This sub-clause was included under article 3(2) mainly because of the increase in the use of cookies by service providers in recent years. The Regulation leaves controllers or processors no scope to escape liability arising from unlawful processing or from processing personal data without the consent of the data subject.

Applicability to Member States by Virtue of International Law

To grant the utmost protection to data subjects, the Regulation also includes a specific clause under article 3, i.e. clause 3, which extends its applicability to a controller or processor established in a place where member state law applies by virtue of public international law, such as a diplomatic mission or consular post. This clause was inserted to avoid ambiguity and gives a clear meaning to the territorial scope of the Regulation.

Obligation to Appoint a Representative

Article 27 of the Regulation obliges controllers or processors falling under article 3(2) to designate a representative in the Union. This obligation is not mandatory in the case of the processing laid down in article 9(1) or referred to in article 10, such as occasional processing, processing of personal data revealing racial or ethnic origin, political opinions, religious beliefs, etc., and processing relating to criminal convictions and offences. By virtue of article 27(2)(b), the obligation does not apply to a public authority or body. Recital 80 elaborates on the designation of a representative: the designation should be made by a written mandate from the controller or processor. The representative can be a natural or legal person and must be established in one of the member states where the personal data of the data subjects is processed. The main idea behind appointing a representative is to have a point of contact between the Data Protection Officer and the controller or processor, since the controller or processor is not established in the Union. The representative is considered an agent of the controller or processor and acts on its behalf. Designating a representative does not reduce the liability of the controller or processor: the representative is only an agent, and all liability arising in the course of the representative’s work rests with the controller or processor.

Conclusion

The Regulation is the next step forward in the protection of the personal data of natural persons. The increase in online service providers, and the absence of effective measures to control how these companies collect and process the personal information of natural persons, are the main reasons behind its implementation. Unlike the Directive, the extra-territorial scope of the Regulation has indirectly mandated non-EU businesses to comply with it if they target people who are in the EU. The businesses facing the greatest problems are online service providers and advertisers that target EU-based consumers. One of the main problems non-EU businesses face is determining whether they fall within the scope of the Regulation at all and, if they do, what the compliance requirements are. Hopefully, the Regulation will also influence non-EU states to implement data protection laws in their own jurisdictions to ensure the protection of the personal data of natural persons.

Kunal Garg