The Extra-Territorial Reach of EU Data Protection Law
Under the GDPR, EU data protection law applies when personal data is processed in the context of the (business) activities of a controller’s or processor’s establishment in the European Union (EU). This rule applies regardless of whether or not the data processing takes place in the EU. For example, a pharmaceutical company with headquarters in France sponsors a clinical trial in Bangladesh, and receives (coded) study data from the Bangladeshi site. Although the data processing takes place in Bangladesh, it is carried out in the context of the activities of the sponsor/controller established in France. Therefore, the provisions of the GDPR apply to such processing.
Even if a company is not established in the EU, the GDPR can still apply if the company (a) “targets” individuals in the EU by offering them products or services; or (b) “monitors” their behavior, as far as that behavior takes place in the EU. Since the GDPR came into effect last year, there has been confusion around the targeting and monitoring criteria, and how to apply them in practice. For companies that have no physical presence in the EU, but are receiving personal data relating to individuals in the EU, it is not always clear whether their data processing activities fall within the ambit of the GDPR.
On November 23, 2018, the European Data Protection Board (EDPB) published draft guidelines with a view towards addressing the lack of clarity around the territorial scope of the GDPR (Guidelines). The Guidelines explain, for instance, that a key element for the application of the targeting criterion is whether the conduct of the controller or processor demonstrates its intention to offer goods or services to an individual located in the EU. In other words, the targeting criterion can only apply if controllers/processors outside of the EU have manifested their intention to establish (commercial) relations with individuals — mostly consumers — in the EU.
Regarding the monitoring criterion, the Guidelines consider that a broad range of monitoring activities through various types of networks and technologies could bring data processing under the scope of the GDPR, as long as the monitored behavior takes place within EU territory. The Guidelines provide the example of an Indian pharmaceutical company without a business presence or establishment in the EU, which sponsors clinical trials carried out by sites in Belgium, Luxembourg, and the Netherlands. Since trial participants in these EU countries are being “monitored,” the sponsor in India is arguably subject to the GDPR.
The Guidelines were open for public consultation until January 18, 2019, and were expected to be finalized shortly afterwards. However, during the public consultation many stakeholders raised questions about the interaction between the provisions in the GDPR around territorial scope and Chapter V of the GDPR, which deals with data transfers outside of the EU. For instance, it is unclear whether data transfer safeguards, such as model contracts that have been pre-approved by the European Commission, should be put in place vis-à-vis controllers/processors outside the EU that are subject to the GDPR because the targeting or monitoring criterion is met. The Guidelines currently fail to address these questions. At this point, it is still unclear when the EDPB will publish its finalized Guidelines and to what extent they will include guidance on the GDPR’s data transfer restrictions.