The General Data Protection Regulation is a new privacy and data regulation going into effect in the European Union on May 25, 2018. The “GDPR” represents a radical change for companies located outside of the EU that do business within its borders. Businesses are particularly concerned about the territorial scope of the GDPR
The EU issued its first privacy/data regulation in 1995. The Internet was laughably undeveloped at that time, and the 1995 directive reflected as much. Without getting into the details of it, the Directive had a fatal fault in that it applied primarily to companies in the EU. If a company located in New Jersey sold to consumers in the Union, the Directive did not apply unless prosecutors could show the New Jersey outfit had a physical presence in the EU such as servers or an office.
Fast forward to 2016, and we find the European Union considering an update to its privacy and data directive. Compared to 1995, the digital world has grown complex with issues such as behavioral tracking and hacking playing a prominent role in consumer concerns. EU representatives also recognized the territorial restrictions mentioned previously were slightly outdated since the location of a company doing business online is immaterial when considering whether the laws of a particular jurisdiction should apply to a company or not. Instead, shouldn’t the focus be on the location of the target audience?
And thus a fundamental change occurred.
General Data Protection Regulation
At 99 Articles and 173 Recitals, the GDPR is a regulation only a bureaucrat could love. The regulation is also poorly written from a legal perspective with critical verbiage going undefined and many concepts described in an excessively vague manner. GDPR enforcement will be arbitrary, and companies will contest enforcement actions for decades…with success.
For the purpose of this article, let’s circle back around and focus on the territorial scope of the GDPR. If you’ve read information about the GDPR on the Internet, you will often see assertions that if you collect even one email address from a person in the EU, then you must comply with the GDPR.
Article 3(2) of the GDPR addresses the territorial scope topic:
“2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behavior as far as their behavior takes place within the Union.”
Many commentators have seized on this language and speculated as to its application. These interpretations aren’t worth the HTML they are written with online. The GDPR is not a novel for critics to give fanciful interpretations to that the drafters never intended like that poetry teacher you had in college who tried to interpret Frost as the vanguard of the meaning of life before heading off to his second job at McDonald’s.
No, the GDPR is meant to be interpreted…by looking at the Recitals. Recitals are explanations provided by the party drafting the GDPR to explain what they have in mind. The Recitals are not binding, but courts tend to issue decisions that closely mirror the language found in these statements. In this case, we need to focus on Recitals 23 and 24 when looking at the territorial scope of the GDPR:
“(23) In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.
In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.
Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
(24) The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.
In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
Let’s start with the idiotic notion that you must comply with the GDPR if you capture the email address of a single person in the EU. The Recitals do not mention such a requirement anywhere. Indeed, the test for “offering goods or services” involves weighing a sliding scale of factors, none of which include an email address as revealed in Recital 23.
Ahhhh. But Recital 24 notes that the monitoring of data subjects behavior in the EU will trigger GDPR compliance. Yes, but one must read the full Recital to understand what the drafters are contemplating:
“It should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours, and attitudes.”
Do Facebook and Google undertake such extensive monitoring? Yes.
Do most small online businesses? No.
The drafters of the GDPR are clearly focussing on scenarios where companies are profiling residents of the EU for marketing purposes based on their tastes, etc. The vast majority of small business websites that maintain email lists for marketing purposes never dig so deep into their data.
The GDPR is not yet in effect, so we do not know how the courts in Europe will interpret the article on the territorial scope of the GDPR. However, we can look to similar provisions in other regulations in the Union to see how courts have decided jurisdictional matters. Specifically, the Brussels Regulation contains a similar arrangement. In determining its scope in a case known as Pammer v. Schulter, the court looked at factors such as:
- Is the language of an EU Member State used if it is different from the companies language?
- Does the website or app offer payment options in the currency of the EU and country in question?
- Does the website appear on a country-specific domain associated with the EU such as .uk?
- Is language on the site or app directed at an audience of a country in the EU?
- Does the company use advertising targeting an audience in the EU?
- Does the company offer customer support phone numbers to an international audience?
If a commercial website meets none of these standards and has a few incidental sales to people in the EU over the years or has a few EU-specific email address on its mailing list, it is difficult to see a court requiring GDPR compliance.
The General Data Protection Regulation is an imperfect regulation for an imperfect time. Company management and ownership should seek to gain an understanding of the GDPR concepts, and then evaluate your exposure and take the steps necessary to overcome it.
Don’t fall prey to scare tactics.
Richard A. Chapo, Esq.
Other Articles on Europe You Might Be Interested In: