Editors’ Note: This is the sixth in our fourth-annual end-of-year series examining important trends in data privacy and cybersecurity in the coming year. Our previous entry discussed the CCPA, energy, Brexit, health care regulation, and state enforcement trends.
The European Union’s General Data Protection Regulation is possibly the world’s most burdensome data protection scheme. Since it came into effect in 2018, companies have expended significant costs figuring out compliance. Now, those outside the EU might think they have it easy. Isn’t this a data protection scheme for Europeans? But they are often wrong about this, and being wrong could cost them big: the GDPR allows regulators to impose penalties for violations as high as €20,000,000 or 4% of a company’s annual revenue, whichever is greater.
Whether the GDPR applies to a company depends on whether the company falls within the GDPR’s territorial scope. This occurs in two main situations. The first is when the company processes data in the context of its EU establishment. The second is when the company performs certain processing activities that target data subjects located in the EU.
In late 2019, the EU’s lead data protection regulator, the European Data Protection Board, issued its final guidelines on the GDPR’s territorial scope. Enforcement bodies are familiar with them, and companies should be too. So let’s look at what they say and what questions they leave 2020 to answer.
Basically, establishment means that a company has an EU presence. So, obviously, a Belgian company located in Belgium has an establishment in the EU, and, if it processes data, must comply with the GDPR. But, crucially and counterintuitively, the GDPR doesn’t care much about the corporate form. In fact, the EDPB’s guidelines are explicit that an American company with a wholly-owned Belgian sub also has an establishment in the EU.
To see why, let’s examine the two factors relevant to determining the existence of an EU establishment: the real and effective exercise of activity and stable arrangements. Clearly, a sub can be stably located in the EU and perform real and effective activities there. And, since the GDPR doesn’t care much about the corporate form, the guidelines attribute the sub’s stability to the parent, as they do the sub’s activities.
In fact, a non-EU company can be established in the EU with far less presence than a wholly-owned sub. The guidelines even suggest that doing online business in the EU plus having one EU representative, an EU bank account, and an EU mailbox might be enough for establishment.
At this point you’re probably wondering: how far does this go? Unfortunately, the guidelines raise as many questions as they answer. Consider, for example, an American parent whose investment in its Belgian sub is small and passive. Is it really true that this parent acts through its sub even though it has neither the ability nor the inclination to exercise control? The answer isn’t clear, and very well might be no. Yet, if the answer is no, how do we draw the line? The parent’s ownership stake? The number of directors it can appoint? If either, how much need a parent own, or how many directors need it appoint? Or is it something entirely different? Hopefully these answers will become clearer in the coming year.
Now, assuming a company has an EU establishment, there’s some good news and some bad news for it. Let’s just rip off the Band-Aid: the GDPR applies no matter where it processes its data. Thus, the American parent with the wholly-owned Belgian sub can’t avoid the GDPR simply by processing the relevant data in the US.
And now for the good news: the GDPR doesn’t cover all data processing activities by companies with EU establishments, but only those that are in the context of the EU establishment’s conduct. In practice, this means that non-EU companies can avoid the GDPR by not processing data that relates to their wholly-owned EU subs. Suppose that the American parent’s only data processing activities involve storing the data of its own (not its Belgian sub’s) employees for HR purposes. The parent’s data processing activities are unrelated to the Belgian sub, so the parent won’t have to comply with the GDPR.
This raises a fundamental question: what does “in the context of” mean? Again the guidelines don’t give a concrete answer, but they do give one example. If the data processing is inextricably linked to the EU establishment’s revenue-raising conduct, then it is in the context of the EU establishment: the American parent that processes data must comply with the GDPR if the data processing’s purpose is to help its Belgian sub make money.
The guidelines suggest that conduct other than revenue-raising can create inextricable links, but they don’t say what. One could imagine the following broad principle: the data processing need only benefit the EU establishment in some way. In that case, presumably a parent will have to comply with the GDPR whenever it processes data on behalf of its sub – say, by storing the sub’s employee data for HR purposes. But maybe not every instance of beneficial processing counts. Again, it’s not clear where the GDPR draws the line. Let’s hope 2020 sheds some light.
Targeted Data Processing Activities
Even if you’re not ensnared by the establishment criterion, you could still be on the hook. That’s because the GDPR applies when a company targets data subjects located in the EU in one of two ways: by (1) offering them goods or services (whether or not payment is required), or (2) monitoring their behavior.
According to the guidelines, targeting requires a focus on data subjects located in the EU. This means that, say, having an e-commerce website available in the EU won’t by itself require GDPR compliance. But once that website is in an EU language that one wouldn’t otherwise expect from the company (a Mexican company with a website in French), quotes prices in Euros, and the like, then the targeting criterion may well be satisfied. 2020 promises a number of enforcement actions that could clarify how regulators interpret the targeting criterion.
One important set of questions the guidelines do not address concerns business-to-business marketing. The GDPR requires compliance when a company offers goods or services to data subjects, which, by definition, excludes corporations. This seems to mean that a Canadian manufacturer that offers its products to German corporate wholesalers doesn’t, for this reason, need to comply with the GDPR. But what happens if, in the course of its marketing activities, it processes the data of a German corporate wholesaler’s employee (say, by storing the employee’s email address)? The manufacturer could reasonably argue that its offer was to the wholesaler, not the employee, so the GDPR by its plain terms doesn’t apply. But the employee could respond that he or she did the work in managing the offer, and the GDPR can apply even if he or she isn’t asked to pay for the product. Moreover, what if the wholesaler is a sole proprietorship? Should this make a difference? And doesn’t the GDPR, at least for some purposes, pay little attention to the corporate form? Hopefully the coming year will provide some answers to these vexing questions.
Also vexing is the monitoring condition, which, to beat a dead horse, the GDPR doesn’t define. The guidelines do say that monitoring includes profiling, which the GDPR defines roughly as the automated processing of data for the purpose of evaluating certain aspects of a person, such as his or her economic situation, health, personal preferences, behavior, etc. And the guidelines also emphasize the centrality of behavioral analysis and prediction to the notion of monitoring. Thus, internet tracking (e.g. using cookies) and tracking via wearable devices (e.g. smartwatches) will count as monitoring. But what exactly counts is still something of a mystery.
Answers to these questions hopefully will become clear as enforcement bodies interpret the GDPR and the guidelines in the coming year.