New Guidance Helps Determine GDPR’s Application to New York Businesses
December 18, 2018 | Shari Claire Lewis
The European Union’s General Data Protection Regulation (the GDPR) took effect just about a half-year ago, but many small and mid-sized companies in New York, and elsewhere across the country, still may not understand whether the GDPR applies to them and, therefore, whether they must comply with its requirements. Fortunately, it now may be somewhat easier to determine whether a company operating in New York that has a website and that collects data online is subject to the GDPR. That’s because the European Data Protection Board (EDPB) has just adopted guidelines on the territorial scope of the GDPR as determined by Article 3 of the GDPR.
The GDPR seeks to protect the privacy and security of personal data of EU residents, but it can apply to companies outside the EU’s territorial limits. It is intended to apply to businesses that are located outside the EU but that have subsidiaries in the EU, provide goods or services to individuals in the EU, or are in the business of collecting or using personal data concerning an EU resident. If a business meets one of these three tests, and is engaged in collecting, using, storing, deleting, or otherwise using the data (known as a processor), or is directing a third party in that activity (a controller), the GDPR may apply. It does not matter whether the business received the data through its website, social media, or even on paper that is later entered into an electronic file, as the GDPR is “technology neutral,” as indicated in Recital 15 of the GDPR.
Whether a New York business is subject to the GDPR is important to determine because a company that is subject to the GDPR must meet a host of requirements regarding its collection or processing of covered personal data. For instance, data must be “processed lawfully, fairly and in a transparent manner in relation to the data subject.” A company subject to the GDPR typically must obtain a person’s “opt-in” consent before collecting and using the person’s data. Data only may be used for “specified,” “explicit,” and “legitimate” purposes and must be handled in a way that protects its “integrity” and “confidentiality.” The GDPR also permits personal data on an EU resident to be kept for only so long as it is needed for the reason or reasons for which the resident provided consent.
Moreover, under the GDPR, in some instances, companies will have to appoint a data protection officer, or DPO, as its representative in the EU.
Article 3 of the GDPR defines the territorial scope of the GDPR on the basis of two main criteria: the “establishment” criterion, as per Article 3(1), and the “targeting” criterion, as per Article 3(2). Where one of these two criteria is met, the relevant provisions of the GDPR will apply to the processing of personal data by a data controller or data processor. The EDPB’s guidelines explore these two main criteria—and contain 20 separate examples to help to elucidate the EDPB’s explanations of the GDPR’s rules and its conclusions.
Article 3(1) of the GDPR provides that the GDPR applies to the processing of personal data in the context of the activities of a data controller or data processor with an “establishment” in the EU, regardless of whether or not the processing takes place in the EU.
An “establishment” can be a fully-owned branch or office located in the EU. However, the EDPB makes it clear that, in some circumstances, the presence of one single employee or agent of the non-EU entity may be sufficient to constitute an establishment for purposes of the GDPR if that employee or agent acts with a sufficient degree of “stability.”
The EDPB cites as an example under Article 3(1) an e-commerce website with an app that is operated by a company based in a country that is not in the EU, that carries out its data processing activities exclusively in the non-EU country, but that has a European office that markets its app to EU markets. According to the EDPB, the activities of the European office can be considered inextricably linked to the processing of personal data carried out by the non-EU company’s e-commerce website. The EDPB’s guidelines provide that the processing of personal data by the non-EU company can be considered as carried out in the context of the activities of the European office, as an establishment in the EU, and, therefore, the non-EU company is subject to the provisions of Article 3(1) of the GDPR.
The EDPB’s guidelines and the GDPR itself make it quite clear that the absence of an establishment in the EU does not necessarily mean that a data controller or data processor established in the United States or another non-EU country is excluded from the scope of the GDPR. Indeed, Article 3(2) sets out the circumstances in which the GDPR applies to a data controller or data processor not established in the EU, depending on its processing activities. It is in connection with these “targeting” activities that New York-based online businesses are most likely to have some exposure under the GDPR.
GDPR Article 3(2) applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities either are related to “the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects” in the EU or the monitoring of their behavior (for purposes such as behavioral advertisements, geo-localization activities, and market surveys) as far as their behavior takes place within the EU.
The application of the “targeting” criterion toward data subjects who are in the EU within the meaning of Article 3(2) largely focuses on what the “processing activities” are “related to,” which is considered on a case-by-case basis.
In assessing the conditions for the application of the targeting criterion, the EDPB’s guidelines recommend a twofold approach: determine, first, whether the processing relates to personal data of data subjects who are in the EU and, second, whether it relates to the offering of goods or services or to the monitoring of data subjects’ behavior while in the EU.
First, the data subjects must be located in the EU. The EDPB’s guidelines explain that, under Article 3(2), the GDPR’s protections are not limited to EU citizens, but apply to individuals located in the EU without regard to their nationality or legal status. According to the guidelines, the requirement that the data subject be located in the EU must be assessed at the moment when the relevant trigger activity takes place; that is, at the moment of offering of goods or services or the moment when the behavior is being monitored, regardless of the duration of the offer made or monitoring undertaken.
The guidelines cite as an example a start-up established in the United States that has no business presence or establishment in the EU, but provides a city-mapping application for tourists in various cities around the world, including New York, San Francisco, Toronto, London, Paris, and Rome. The application processes personal data concerning the location of customers using the app—that is, the data subjects—once they start using the application in the city they visit, to offer targeted advertisement for places to visit, restaurants, bars, and hotels.
The EDPB explains that the U.S. start-up, via its city mapping application, is offering services to individuals in the EU—specifically, tourists in London, Paris, and Rome—regardless of their usual residence or nationality. It concludes that the processing of the EU-located data subjects’ personal data in connection with the offering of the service falls within the scope of Article 3(2) of the GDPR.
As an alternative, a non-EU company also may fall within the territorial scope of the GDPR when it “monitors” the conduct of data subjects in the EU, as indicated in Recital 24 of the GDPR in relation to Article 3(2). Whether monitoring occurs requires a cumulative examination of whether the natural person located in the EU is tracked on the internet, including for future use of personal data, especially to make decisions concerning the individual’s preferences and past behavior for the purpose of providing individualized internet content, advertisements, or other links. Moreover, while the GDPR discusses only online content, the EDPB posits that it should apply to all monitoring regardless of the technology employed.
Importantly, the EDPB emphasizes that the fact that personal data of an individual in the EU is processed is not sufficient on its own to trigger the application of the GDPR to the processing activities of the data controller that is not established in the EU. The element of “targeting” individuals in the EU, either by offering goods or services to them or by monitoring their behavior, always must be present in addition.
In support of that principle, the EDPB cites as an example a U.S. citizen traveling through Europe who downloads and uses a news app offered by a U.S. company. The EDPB posits that the app is exclusively directed at the U.S. market. It concludes that the collection of the U.S. tourist’s personal data via the app by the U.S. company, while the tourist is visiting the EU, is not subject to the GDPR.
By contrast, another example discusses a marketing company established in the United States that provides advice on retail layout to a shopping center in France, based on an analysis of customers’ movements throughout the center collected through Wi-Fi tracking. According to the EDPB, the analysis of customers’ movements within the center through Wi-Fi tracking amounts to the monitoring of individuals’ behavior and because it takes place in the EU, the marketing company, as a data controller, is subject to the GDPR in respect of the processing of this data for this purpose under Article 3(2).
The EDPB’s guidelines also indicate that the processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR under Article 3(2) so long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behavior in the EU. For example, a business that is active only in the United States and that does not direct its activities at the EU market but that has customers residing in the United States who are EU citizens is not subject to the GDPR when it processes the personal data of its EU customers.
New York companies that have not yet concluded whether they are subject to the GDPR should do so as quickly as possible. The new EDPB guidelines can greatly assist in that determination. A company that realizes that it is subject to the GDPR then must take the next steps to become compliant, or risk the possibility of significant fines.
Reprinted with permission from the December 18, 2018 issue of the New York Law Journal. © ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.