Guidelines on the Territorial Scope of the GDPR: 5 Takeaways For U.S. Based Associations and Nonprofit Organizations
On November 23, 2018, the European Data Protection Board (the “EDPB”) published the Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (adopted on November 16), which are open to public comments until January 18, 2019. As the EDPB announced in its news release, the purpose of the Guidelines is to help provide a common interpretation of the territorial scope of the GDPR and clarify the GDPR’s application in various situations, in particular where the data controller or processor is established outside of the EU.
For most U.S.-based associations and nonprofit organizations, data processing activities could be subject to the GDPR if 1) the organization has an establishment in the EU (the “establishment” criterion in Article 3(1)), or 2) the processing relates to the offering of goods or services to data subjects in the EU, or to the monitoring of their behavior as far as it takes place within the EU (the “targeting” criterion in Article 3(2)).
It is common for U.S. associations and nonprofit organizations to have chapters, members, subscribers, certified professionals, etc., based in the EU. Many U.S. organizations also host events in the EU and offer international programs to a global audience. Would any of the foregoing activities trigger either the “establishment” criterion or the “targeting” criterion? The new territorial scope Guidelines provide some clarification. Here are five takeaways for U.S. associations and nonprofits:
1. Regarding “establishment,” U.S. organizations should first determine whether they are exercising “a real and effective activity” through “stable arrangements,” regardless of legal form, in the territory of an EU member country.
As an example, the Guidelines provide that, in some circumstances, the presence of one employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability. Even if a U.S. organization is considered to have an “establishment” in the EU through stable arrangements -- such as by having an EU chapter, hosting events in the EU on a regular basis, or having employees/agents based in the EU -- in order for the GDPR to apply, the data processing involved must also take place “in the context of the activities of” such establishment, as explained in takeaway #2 below.
2. In applying the establishment criterion, U.S. organizations should evaluate whether the data processing carried out is “in the context of the activities of” the establishment in the EU.
To illustrate, the Guidelines recommend that non-EU organizations identify potential links between the data processing carried out by the non-EU headquarters and the activities of the EU establishment; if the two are inextricably linked, the GDPR may apply. The Guidelines identify revenue-raising in the EU as one of the key factors in that determination, and state that revenue-raising in the EU by a local establishment, to the extent that such activities can be considered inextricably linked to the processing of personal data taking place outside the EU, may be sufficient to result in the application of the GDPR.
For organizations that do not trigger the establishment criterion under Article 3(1), the GDPR may still apply if organizational activities fall within the targeting criterion under Article 3(2), as further explained below.
3. In applying the targeting criterion regarding the offering of goods or services per Article 3(2)(a), the organization’s intention to offer goods or services to data subjects in the EU is key.
The Guidelines reference a list of factors taken from case law (Pammer v. Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v. Heller), and note that these factors could be taken into consideration when determining whether non-EU organizations have the intention to offer goods or services to data subjects in the EU. Some examples are:
- The EU or at least one Member State is designated by name with reference to the good or service offered
- The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the EU
- The data controller or processor has launched marketing and advertisement campaigns directed at an EU country audience
- The international nature of the activity at issue
- Mention of a dedicated address or phone number to be reached from an EU country
- Use of domain name such as “.eu”
- Use of a language or currency of one or more EU Member States
- Offering delivery of goods in EU Member States
In short, the presence of one or more of these factors, taken together, may demonstrate an intention to offer goods or services to data subjects in the EU and thus trigger the GDPR under Article 3(2)(a). No single factor is decisive on its own, and, as Recital 23 of the GDPR makes clear, the mere accessibility of an organization’s website, email address or other contact details from the EU is not sufficient to establish such an intention.
4. In applying the targeting criterion regarding the monitoring of data subject behavior taking place within the EU per Article 3(2)(b), the purpose of the processing and any subsequent analysis or profiling of the data is key.
The Guidelines state that the use of the word “monitoring” implies that there is a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behavior within the EU. In determining whether a non-EU organization is collecting personal data to monitor data subjects’ behavior, it is necessary to consider the purpose of the processing and, in particular, any subsequent behavioral analysis or profiling techniques applied to the data. As examples, the Guidelines list a number of activities that may be considered monitoring:
- Behavioral advertisement
- Market surveys and other behavioral studies based on individual profiles
- Monitoring or regular reporting on an individual’s health status
5. Organizations subject to the GDPR based on the “targeting” criterion are required to designate in writing a representative in the EU pursuant to Article 27, unless the narrow exemption in Article 27(2)(a) applies: the processing must be occasional, must not involve large-scale processing of special categories of data or of data relating to criminal convictions and offenses, and must be unlikely to result in a risk to the rights and freedoms of natural persons.
Non-EU organizations subject to the GDPR due to the targeting criterion under Article 3(2) are required to designate in writing a representative in the EU. The exemption under Article 27(2)(a) applies only if all three conditions are met: the data processing is occasional; it does not include, on a large scale, processing of special categories of data or processing of personal data relating to criminal convictions and offenses; and it is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
The Guidelines acknowledge that the GDPR does not define what constitutes “large-scale processing,” but include a number of factors to assist organizations in assessing whether the processing is carried out on a large scale:
- Number of data subjects concerned—either as a specific number or as proportion of the relevant population
- Volume of data and the range of different data items being processed
- The duration or permanence of the data processing activity
- The geographical extent of the processing activity
When analyzing the territorial scope of the GDPR and its applicability to non-EU organizations, the Guidelines recommend that the determination be made on a case-by-case basis, through an analysis in concreto of the facts of each situation.
As the Guidelines are subject to public comments by January 18, 2019, Whiteford, Taylor & Preston’s nonprofit association law group is considering whether to submit comments to the EDPB, including as to a request for clarification of the direct applicability of the GDPR to U.S. certification and membership organizations that do not target individuals in the EU, yet have certificants and members in the EU. If your organization has any suggestions or input regarding the public comment submission, please email firstname.lastname@example.org.