The European Data Protection Board replaced the Article 29 Working Party as the group responsible for providing clarity to the GDPR’s more complex puzzles. As one might expect, the “EDPB” has been rather busy in this regard. In November 2019, the Board issued new guidelines for interpreting Article 3 of the GDPR – the territorial scope provision. One particular section of the guidance is especially worth noting – what constitutes monitoring of behavior?
Monitoring of Behavior
Article 3 of the GDPR reads as follows:
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
A veritable political campaign of hot air has been expounded on the potential ramifications of the “offering goods or services” language in Section 2(a) of the Article. Those of us with substantial experience working in the privacy law field, however, are more concerned about Section 2(b), where the language seems to suggest the parties drafting the clause had little understanding of how the Internet works.
Let’s consider why.
“…monitoring of their behavior…”
The phrase suggests a rather broad reach when we consider how companies function online, no? Nearly every website and app runs some type of analytics program, and those that do not will inevitably be out of business soon. These programs, such as Google Analytics, not only collect traffic data for online properties, but also organize it to provide meaning to users – how a particular person found a website, what pages they visited, their location in the real world, and so on. As a matter of common sense, it appears rather difficult to argue anything other than that companies use these analytics programs to monitor the behavior of visitors.
The problem, of course, is there is nothing to stop a person in the EU from visiting a website in another part of the world. Does a single visit from a person in the EU trigger GDPR compliance? If not, how many visits would and over what period of time?
Five visits in two days?
Five visits in two months?
Five visits in two years?
The lack of clarity in Article 3(2) is yet another example of why heaps of scorn are piled on the GDPR by experienced lawyers. While the idea of giving individuals rights over their data online makes sense – hey, I’m an individual! – the language of the Regulation brings to mind the insult that 100 monkeys with typewriters could’ve done better.
Proponents of the GDPR would argue differently, of course. The argument usually flounders down one of two streams. First, the courts will provide the specificity. Second, the EU will provide further guidance later. The problem with both positions is companies must comply the moment the GDPR went into effect – May 25, 2018 – and face potentially massive, uninsurable fines and penalties for failing to do so. Such a scenario is both inequitable and unconscionable.
Ah, but we may have a breakthrough…or do we?
EDPB Territorial Scope Guidance
The EDPB has finally provided guidance concerning the territorial scope provision of the GDPR. Eighteen months after the GDPR went into effect, but who are we to complain? Of course, a quick review of the guidance reveals a significant amount of textual mumbling and little in the way of substantive, real-world guidance.
The new guidelines start with the following rather fantastic statement when discussing the GDPR language on territorial restrictions:
“While the present guidelines aim to clarify the territorial scope of the GDPR, the EDPB also wish to stress that controllers and processors will also need to take into account other applicable texts, such as for instance EU or Member States’ sectorial legislation and national laws. Several provisions of the GDPR indeed allow Member States to introduce additional conditions and to define a specific data protection framework at national level in certain areas or in relation to specific processing situations.”
If you don’t speak fluent bureaucrat, allow me to translate – “We probably screwed this up, so take a look at what each Member State requires in this area.” Such a statement is of particular magnificence when you consider one of the declared purposes of enacting the GDPR was to create a single set of rules for privacy in the EU instead of letting each Member State run amuck.
To its credit, the EDPB does attempt to wade into the territorial scope mire and thrash around a bit. After first suggesting we should really probably look to the legislation of the individual states, the EDPB then strains to fix the behavior monitoring territorial scope language by suggesting what is really meant is there must be an “intentional targeting” of the monitored party. Mind you, “intentional targeting” appears nowhere in the GDPR or Recitals, but it would appear to constitute an improvement over the current language.
“As opposed to the provision of Article 3(2)(a), neither Article 3(2)(b) nor Recital 24 expressly introduce a necessary degree of “intention to target” on the part of the data controller or processor to determine whether the monitoring activity would trigger the application of the GDPR to the processing activities. However, the use of the word “monitoring” implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring.” It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data.”
This new “intentional targeting” standard would seem to solve many of the ambiguities of the monitoring of behavior language. However, the EDPB then goes on to list examples of such intentional targeting, and includes,
Cookies, of course, are the most common tool used for tracking individuals online. This example would seem to suggest the EDPB has just thrown us back into the bushes of uncertainty as to what constitutes monitoring, even when one throws in the tantalizing “intentional” terminology.
As appears to be a tradition in the EU with regulatory agencies, the EDPB provides several examples that are almost entirely unhelpful. The only one close to being on point is as follows.
“Example 20: A US company has developed a health and lifestyle app, allowing users to record with the US company their personal indicators (sleep time, weight, blood pressure, heartbeat, etc…). The app then provides users with daily advice on food and sport recommendations. The processing is carried out by the US data controller. The app is made available to, and is used by, individuals in the Union. For the purpose of data storage, the US company uses a processor established in the US (cloud service provider). To the extent that the US company is monitoring the behaviour of individuals in the EU, in operating the health and lifestyle app it will be ‘targeting’ individuals in the EU and its processing of the personal data of individuals in the EU will fall within the scope of the GDPR under Art 3(2).”
Yes, but nearly every privacy professional would have reached the same conclusion. The EDPB fails to address a scenario where the online property is merely using an analytics program that captures information from visitors from all over the world. In short, thanks for the guidance, but it isn’t all that helpful.
Territorial Scope Case Law
No substantive case law addresses this issue as of January 2020. Unsurprisingly, Supervisory Authorities appear to have been reluctant to tackle this issue. In the one case where the topic came up, the Supervisory Authority…backed down. The case involved the ICO in the UK and the Washington Post.
In November 2018, the UK Supervisory Authority – the Information Commissioner’s Office or “ICO” – issued a GDPR violation warning to the Washington Post. The ICO asserted that the cookie consent process used by the Washington Post was not GDPR compliant. The merits of the assertion are beyond the scope of this article, but the development of interest happened next. The ICO noted,
“We have written to the Washington Post about their information rights practices,” the ICO said. “We have told them they should now ensure that users of the Washington Post website have the option to access all levels of subscription without having to accept cookies. We hope that the Washington Post will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter.”
The ICO appeared to face two problems – resources and enforcement of the GDPR in the United States. While the resource issue is likely to evaporate in the future, privacy lawyers such as myself are waiting with great anticipation to see how Supervisory Authorities will enforce the GDPR against companies in other countries that do not have a presence in the EU.
GDPR Territorial Clarity
The EDPB guidelines on territorial scope consist of 20 plus pages of content that are helpful on some subjects. Unfortunately, the question of what does and does not constitute “…monitoring of their behavior…” is not one of them.
Richard A. Chapo, Esq.