EDPB Draft Guidelines on Extraterritorial Scope of the GDPR Provide Few Clear Answers for US Companies
Since the General Data Protection Regulation (“GDPR”) took effect on May 25, 2018, US companies without facilities or employees in Europe have struggled to understand the extraterritorial scope of the GDPR. Under Article 3(2), US companies without an “establishment” in the EU are required to comply with the GDPR where their processing activities relate to the “offering of goods or services” to EU data subjects or where they “monitor” the behavior of EU data subjects. The meaning of these concepts is a particularly vexing question for US companies that have a website accessible to Europeans or have some European customers, but lack a physical presence in the EU.
The European Data Protection Board (EDPB) recently issued long awaited draft Guidelines on the territorial scope of the GDPR. Unfortunately, for many US companies that lack a physical presence in the EU, the draft Guidelines do not provide any easy answers. What few clear lines the Guidelines appear to offer come bracketed with exceptions, vague language, or circular definitions that in many cases swallow the rule.
Offering goods or services to individuals in the European Union – “Targeting”
Initially, the Guidelines appear to offer some comfort for US companies hoping to avoid GDPR compliance. Interpreting Article 3(2)(a) – under which US companies that offer goods or services to EU data subjects are subject to the GDPR –the draft Guidelines clarify that US companies must “target” individuals in the European Union.
This is arguably a higher standard than the text of Article 3(2)(a), which covers activities relating to the offering of goods or services to individuals in the European Union. It also differs somewhat from Recital 23, which focuses the question of extraterritoriality on whether a company envisages offering goods and services to Europeans. The EDPB seems to raise the threshold by clarifying that a company must “manifest its intention to establish commercial relations with consumers in the European Union” in order to come within the meaning of Article 3(2)(a). Merely maintaining a website that is accessible by Europeans, or processing data of Europeans, without additional acts does not amount to targeting.
The Guidelines then articulate a number of factors that, when viewed collectively, may provide evidence of “an intention to establish commercial relations” sufficient to trigger extraterritorial application of the GDPR. These factors include:
Delivery of goods in European Union Member States;
The use of European Union Member State language or currency;
Dedicated addresses or phone numbers for the company to be reached from the European Union;
The international nature of the activity, such as tourist activities;
Marketing and advertisements directed at individuals in the European Union; and
The use of a European Union Member State top-level domain name.
Unfortunately, many of these factors are vague and apply to a broad subset of US companies. For example, why would “delivery of goods in the European Union Member States” trigger GDPR compliance if, as the draft Guidelines state, operating a website that is accessible by Europeans or processing data of Europeans does not amount to targeting? Taken on its face, this factor seems to suggest that any US company that has a EU customer—even if the company didn’t target such customer–could be subject to the GDPR.
The “international nature of the activity” is another undefined factor. Tourism is an easy call, but what about newsgathering activities, which often have an international scope? What if a company knows that a significant portion of its customer base is international? Does that qualify the company’s offering of goods and services as “international in nature?”
More problematically, the draft Guidelines fail to address or assign a relative weight for each factor. Rather, the draft Guidelines provide that any combination of these factors could amount to “targeting.” US companies are thus left to engage in a necessarily subjective analysis that in many cases will bring them no closer to determining whether the GDPR applies.
Monitoring behavior of individuals in the European Union.
A similar vagueness underlies the EDPB’s guidance on what activities constitute “monitoring” under Article 3(2)(b). The EDPB, on the one hand, states that the mere collection or analysis of personal data of EU data subjects does not, by itself, constitute monitoring. Rather, monitoring implies that the “controller has a specific purpose in mind for the collection and subsequent reuse” of the personal information collected. Similar to the “targeting” trigger, the draft Guidelines articulate a number of activities that may constitute “monitoring.” These include:
Online tracking via cookies and other tracking technologies, such as fingerprinting;
Personalized diet and health analytic services online;
Market surveys and behavioral studies based on individual profiles; and
Monitoring or regular reporting on an individual’s health status.
Unfortunately, the identification of “online tracking via cookies” is likely to cause confusion since almost all US websites utilize cookies to some degree. For example, many US companies utilize performance cookies that collect personal data (at least under the GDPR’s broad definition) for purely analytic purposes and not for marketing to or profiling of EU data subjects. Likewise, many companies utilize strictly necessary cookies to service customers’ online requests. These cookies technically collect personal data, but the data is not “reused” for marketing or profiling purposes. Does this constitute monitoring? Absent a clearer definition of online tracking, many US companies without any physical presence in the EU may continue to wonder if the GDPR applies to them.
Another issue that the draft Guidelines fail to address is when a US based company without an establishment in the EU must identify a Local Representative pursuant to Article 27. The GDPR provides an exception to this requirement when the processing is “occasional” and does not include “on a large scale, processing of special categories of data” or “processing of personal data relating to criminal convictions.” The Guidelines, however, fail to define “occasional” or “large scale.” This is no small question, as many US companies without an establishment in the EU may be relying on this exception to avoid identifying a Local Representative, whose presence would potentially bring the company under the jurisdiction of local regulatory authorities in the EU.
As is common with much of the guidance promulgated by the EDPB and previously the WP29, the EDPB draft Guidelines on the territorial scope of the GDPR leave unanswered a number of key questions relevant to US companies without an establishment in the EU. Without further guidance on what “targeting” means for a US company that does not seek out, but nonetheless has EU customers – or the meaning of “online tracking” — or “occasional” or “large scale processing” — many US companies without an EU establishment are no closer to understanding whether they have to be GDPR compliant.