New Guidance on the Territorial Scope of the GDPR
Privacy in Focus®
The General Data Protection Regulation (GDPR) is a sweeping privacy regulation notable for its broad territorial reach, which pulls many companies and organizations with no physical connection to the European Union (EU) under its umbrella. As under earlier EU data protection law, the GDPR applies to companies that are established in the EU. Unlike earlier law, however, the GDPR also applies to companies with no presence in the EU that offer goods or services to individuals in the EU (or that monitor their behaviour within the EU). This second element, the targeting of individuals in the EU, has caused significant confusion and angst as companies worldwide debated whether merely having a website that was accessible from the EU required them to comply with its onerous obligations.
Recently, the European Data Protection Board (EDPB) – the organization responsible for the consistent application of the GDPR across member states – issued guidance that clarified in part when a company without an EU presence could become subject to the GDPR. The EDPB’s guidance, issued in late November 2018, provides context and real-world examples to help companies assess their contact with the EU to determine if their operations are subject to the GDPR.
The EDPB guidance confirms that there must be some intention to offer a good or service to an individual in the EU. Thus, the first step for non-EU based companies is to determine if they are in fact offering a good or service. For example, the EDPB notes that the processing of HR data is not the offering of a good or service.
If your company is offering a good or service, the next step is to determine whether that good or service is actively directed to individuals in the EU; as the EDPB explains, an intention to target them is required. For example, a U.S.-based company that offers an app specific to a service in the EU, such as an interactive map of London, Paris, or Berlin, would be subject to the GDPR for the processing connected to that app. By contrast, a U.S.-based company that offers a U.S. news app that happens to be downloaded and consulted while an individual is traveling in the EU would not be subject to the regulation, because there is no intention to target individuals in the EU.
Likewise, for a company with an online presence, the EDPB confirms that the mere fact that a website can be accessed from the EU, or that an individual in the EU purchases a product from the website, does not by itself subject the website operator to the GDPR's requirements. Rather, there needs to be a clear intention to sell the good or service to individuals in the EU. Factors that demonstrate this intention include: offering payment in EU currencies; offering information in the language of a member state; paying a search engine operator for referencing services that direct EU traffic toward the website; the international nature of the service (e.g., tourist services); a dedicated address or phone number in the EU; use of an EU top-level domain; or testimonials from EU clientele. These factors are weighed together rather than applied as a checklist, and no single one is decisive on its own.
While the EDPB guidance does not narrow the territorial scope of the GDPR, it provides some welcome context to help companies with no EU presence assess if their online operations will trigger the GDPR.
© 2019 Wiley Rein LLP