Part 2: Scope of the Application of the Law
Unlike EU ‘directives’, EU ‘regulations’ are by nature directly effective in EU Member States and so do not require further implementation into national laws. Previously, European data protection law was governed by the Data Protection Directive. It was the responsibility of Member States to implement the Data Protection Directive into their national law. When the Regulation becomes law, it will apply immediately throughout the EU due to its direct effect. As a consequence, national data protection acts will cease to be relevant for all matters falling within the scope of the Regulation.
Why does this matter?
It is absolutely crucial for organisations to know if they are or are not subject to the Regulation. Since the Regulation strengthens data protection principles, requires organisations to demonstrate compliance and ushers in greater enforcement powers for regulators, it is essential for all organisations, public and private, local, national or global, to understand in what circumstances the Regulation will apply to their use of personal data.
When will the Regulation apply?
The Regulation will be applicable in three situations:
1) Established in the EU
The Regulation applies when an organisation (whether a controller or processor) is processing personal data in the context of the activities of an establishment in the EU, whether the actual processing takes place within the EU or not. This rule retains the concept of processing data in the context of an establishment based in the EU which is included in the current Data Protection Directive. Therefore, the presence in the EU of a branch or subsidiary or only a single individual may all bring the data processing activity (whether the EU presence is acting as a controller or processor) within the scope of the Regulation.
What this means
For many organisations (companies, branches, partnerships etc.) based in the EU there is no change since they are already acting as controllers established in the EU and required to comply with the current Data Protection Directive. The Regulation clarifies that it is irrelevant if the actual processing takes place within the EU or not (i.e. the data could be stored on clouds in the US). An organisation established in the EU making decisions about the processing of personal data (wherever that processing occurs) in the context of its activities is caught by the Regulation.
However, now entities that are established in the EU and act as processors when processing client data (e.g. technology service providers) will be required to comply with the Regulation and not just with their contractual obligations to their clients. This will require processors established in the EU to assess what obligations under the Regulation apply to them and take the necessary steps to comply.
2) Residence of the individuals
In order to ensure that organisations cannot avoid their responsibilities under EU data protection law simply through being located outside the EU, the Regulation introduces a new provision which is based primarily on processing the personal data of individuals residing in the EU. If a non-EU organisation is processing the personal data of individuals residing in the EU for activities relating to:
- Offering goods or services to such individuals
- Monitoring their behaviour
then such non-EU organisations are required to comply with the Regulation.
What this means
All non-EU organisations that collect data on individuals through websites and other remote interactions are now potentially susceptible to the scope of the application of the Regulation. This is the biggest change to the applicable law rule under the Regulation. This new rule is not without its complexities. For instance, it is not immediately clear how to determine whether someone is a resident of the EU or not. Does an individual need to possess residency status as awarded under the local law of the Member State? Likewise, there are online offerings of goods and services or monitoring activities that are not obviously directed at EU residents. What factors will the EU regulators use to determine whether the processing activities of a non-EU organisation are related to offering goods or services to EU residents? Will the language of the website be determinative as indicating that particular individuals are being targeted? Given that the English language is the prevailing language on the Internet, will all those English language websites be considered to be offering goods or services to UK and Irish residents? There is an indication that it will come down to whether it is apparent that the controller is envisaging doing business with individuals residing in a Member State but this will need to be assessed in a consistent manner.
In determining whether processing amounts to monitoring of behaviour, the recitals to the Regulation indicate that it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of profiling them, particularly in order to take decisions concerning them or to analyse or predict their preferences, behaviours and attitudes. The language looks primarily designed to catch online behavioural advertising networks (although there will be other services) that create profiles according to the behaviour of a device online (and behind the device, an individual) and then serve up relevant ads. This moves the focus away from identifying ‘equipment’ located in the EU (as required under the Data Protection Directive) and onto the actual deliberate activity of targeting EU residents.
3) Public International Law
The Regulation applies to controllers not established in the EU but in a place where the national law of a Member State applies by virtue of public international law.
What this means
This is the same rule from the Data Protection Directive and is designed principally to capture data processing by Member States’ overseas diplomatic establishments. Judicial and regulatory support for a broad scope Recently courts and regulators have indicated their support for a broad interpretation of the application of the law rule which complements the position under the Regulation. In its decision of May 2014 (known as the Google Spain ‘right to be forgotten’ decision) the Court of Justice of the European Union (CJEU) found that the advertising sales generated by Google Spain (the local subsidiary of the US company Google Inc.), were sufficiently linked to the Google search activities that the individual affected complained about. Even though Google Spain neither designed nor operated Google’s search business in Spain, because the data processing at issue related to the search business which Google Spain’s sale of online advertising space helped to finance, this was processing of personal data carried out ‘in the context of the activities’ of the Spanish establishment. Therefore, the Data Protection Directive applied to the data processing the individual complained about. Similarly the Belgian Privacy Commissioner (in May 2015) issued a recommendation that clarified that Belgian law applied to Facebook’s activities in Belgium regardless of the arguments Facebook made that the data controller of its processing in the EU was established in Ireland and therefore its processing was subject to Irish data protection law.
Following the CJEU’s Google Spain decision in May 2014 and increasing regulator activism, all global businesses should take note of how they may be brought within the scope of the Regulation even if it appears that a non- EU based part of their business is involved in different services from EU operations.
What to do now
- Identify any processor entities established in the EU and initiate a plan to ensure that such entities comply with their applicable obligations under the Regulation.
- Non-EU organisations should assess whether their online presence will fall within the rules of offering goods or services to EU residents or monitoring EU residents. Where this is the case, they should assume that the Regulation will apply.
- Global businesses without a clearly identified EU-based controller should position an entity in one EU Member State as the entity through which they conduct all data processing subject to EU rules. For some controllers it will be additionally important to facilitate an ongoing dialogue with the data protection regulator of that Member State to explain its position.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.” To access the full guide, click here.