How does the GDPR apply to organisations outside the EU?
The General Data Protection Regulation applies to organisations outside the EU under some circumstances. Organisations outside the EU should consider how they structure their EU activities and the source of any personal data they process to work out whether the GDPR applies. If the GDPR does apply, those organisations will need to take steps to comply with its requirements.
Which organisations are affected?
The GDPR applies to an organisation outside the EU if:
- the organisation processes personal data about people who are in the EU in relation to offering goods or services to those people, even if the goods or services are free;
- the organisation processes personal data ‘in the context of an establishment’ that is in the EU; or
- the organisation monitors behaviour of people in the EU.
What does ‘in the context of an establishment’ mean?
An ‘establishment’ is any stable arrangement in the EU that an organisation outside the EU uses to carry out its activities. The classic example of an establishment would be an EU subsidiary of a non-EU parent company, but the definition of ‘establishment’ is broad enough to include a wide range of other organisational structures in the EU.
Data are processed ‘in the context of’ an establishment if there is a sufficiently strong link between the data processing activities of the organisation outside the EU and the other activities of its EU establishment. The link is likely to be strong enough if the data processing activities would not make sense without the other activities, or are inextricably connected parts of a single business model.
A practical example of data processing in the context of an EU establishment was considered by the Court of Justice of the European Union when it decided that personal data processed in search results by Google Inc, the US arm of Google, were processed in the context of the activities of its Spanish advertising sales subsidiary. The court decided that the advertising sales were the way that Google Inc made its search engine profitable, and that the advertising activities of its Spanish subsidiary could only take place because of the data processing carried out by the search engine.
What does ‘monitoring’ behaviour mean?
‘Monitoring’ behaviour means tracking people on the internet, and includes using information gathered through tracking to construct profiles of people, for instance to predict their preferences, behaviours, and attitudes.
Monitoring could include using cookies or other technology to track web users across different websites or devices. It could include analysing their web behaviour to serve targeted ads.
How will the GDPR be enforced outside the EU?
Although the GDPR will sometimes apply outside the EU, in practice EU data protection regulators may find it difficult to enforce their decisions against organisations that do not have assets in the EU.
Where the GDPR applies to an organisation outside the EU because it is offering services to people in the EU or is monitoring the behaviour of people in the EU, the organisation must appoint a representative in one of the EU member states where the affected individuals are. The representative acts as a point of contact for data protection regulators and individuals whose data are processed, and the regulators can take enforcement action against the representative in the event of a breach by the organisation that appointed it. There are a few exceptions to the requirement to appoint a representative, but many organisations will have to appoint one.
If my organisation is affected, what should it do?
An organisation that is outside the EU but is subject to the GDPR should identify which of its data processing activities bring it within the scope of the GDPR and identify which data are affected. The organisation will need to put in place measures to ensure compliance in relation to those data. Carrying out a privacy impact assessment for the relevant processing activities will help to clarify what steps need to be taken.
A non-EU organisation that is subject to the GDPR will need to consider whether it is obliged to appoint a representative in the EU. If there is no obvious candidate for appointment as a representative, the organisation may need to consider incorporating an EU subsidiary to take on this role. If it does incorporate a subsidiary, the organisation should consider where the individuals affected by its data processing are, since the representative must be in one of the member states where those individuals are. Organisations that have a choice of possible member states should compare the incorporation formalities in those different states; it is easier and cheaper to incorporate a subsidiary in some member states than in others.
1 September 2017