Extraterritorial Scope of GDPR: The effects of the Regulation on non-EU businesses


By Ioanna Michalopoulou, Lawyer LLM*
The EU General Data Protection Regulation (GDPR) is not explicitly a global law, but it might be on the way to becoming a de facto law beyond the boundaries of Europe, at least for a number of businesses.
GDPR, which was enforced on the 25th of May 2018, affects all businesses based in EU territory acting as data controllers or data processors of personal data of data subjects who are located within the Union, similar to the previous European data protection law (Directive 95/46/EC). An important question, then, arises as to whether businesses that are based outside the European Union and process personal data, fall under the GDPR’s scope.
The European legislature, in an effort to protect data subjects from the arbitrary processing of their personal information by non-EU businesses, expanded the territorial scope of the Regulation. Article 3 GDPR states that the “GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union” if one of the following criteria is fulfilled:
The processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behavior as far as their behavior takes place within the Union.
Key to determine whether criterion (a) is met by a non-EU business, according to Recital 23 (offering of goods or services, to such data subjects in the Union) is the business’ intention, and whether it is apparent that an offer to an EU-based data subject was “envisaged”. More specifically, the mere provision of information about the offering of good or services on the business’ website does not sufficiently establish its intention to offer such services to European data subjects.
However, the website’s availability in an EU language which is outside the Controller’s jurisdiction, the offering goods/services in an EU currency or, unsurprisingly, the explicit targeting of EU citizens, could provide sufficient proof of intent and pull the business within the GDPR’s scope.
For example, if non-EU businesses meet at least one of the following criteria, then GDPR is applicable:
-International telephone numbers are mentioned on their website for contact purposes;
-Top level domains of an EU Member State (i.e. .eu, .ie, .de) are used;
-Options to translate the contents of the website to an EU language are provided;
-Options to convert any amount of money to EU; and,
-Advertising to attract EU users (leveraging existing EU clients or users as advertising material).
To exemplify the above, if a Thai company with no EU subsidiaries has an e-shop in Dutch on which it offers goods with the possibility to order it using Dutch language and pay in EUR, accepts the offers of EU citizens and deliver its goods to them, then one could safely say that the Thai company targets Dutch consumers (and therefore EU citizens). Due to this, the Thai company is subject to GDPR. Similarly, an American company offers a mobile phone application to American users, and the application collects location data. Then, an American tourist uses the application while travelling in Spain. GDPR still applies to these data and the company must comply with the Regulation for the duration of that tourist’s holiday in Spain.
Obligation-Designation of a Representative
The GDPR requires overseas Data Controllers and Processors falling within its scope (and whose processing is not occasional) to designate an EU-based representative (Article 27) who will act on their behalf as well as the point of contact for the relevant DPA, and who are also subjected to certain record keeping requirements as well as receiving enquiries and complaints. The designation of such a representative does not affect the responsibility or liability of the Controller or of the Processor under this Regulation. The designated representative should also be subjected to enforcement proceedings in the event of non-compliance by the Controller or Processor. However, the GDPR fails to include an appropriate enforcement mechanism within the text itself, only declaring that the designation of the representative should be subject without prejudice to enforcement proceedings against him in case of non-compliance of the Controller or the Processor. Τo this end and given the new fines foreseen by GDPR (Article 83 par 4. a), DPAs have to continue to apply pressure indirectly to Data Controllers and Processors through EU-based representatives.
Our law firm’s comment οn this topic:
 Due to the extraterritorial scope of the GDPR set by article 3, the Regulation will be applicable irrespective of whether the actual data processing takes place within the EU or not. Whether this goal will be achieved or not, one thing is certain; the GDPR will undoubtedly change how multinational organizations operate globally regarding the collection, use and protection of personal data of all citizens within the EU.
-------------------------------------------------
* Ioanna Michalopoulou LL.M. |CIPP/E , Managing Partner Michalopoulou & Associates
40, Ag. Konstantinou st. | “Aithrio” Business Center (Α 16-18), 15 124 Marousi | Athens | Greece, T: 210 330 52 30 | F: 210 330 52 32, imicha@lawgroup.gr | www.lawgroup.gr

Comments

Post a Comment

Editorial

Editorial
George Kazoleas, Lawyer

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld...
Read more

Daily Mail publisher wins case against ‘success fees’ paid to lawyers (ECtHR)

Image
Obligation on publisher of the Daily Mail to pay substantial “success fees" in defamation and breach of privacy cases was excessive. The case Associated Newspapers Limited v. the United Kingdom (application no. 37398/21) concerned the fact that Associated Newspapers Limited the publisher of the Daily Mail and the Mail on Sunday had been obliged to pay extensive costs incurred by claimants who had successfully sued it in privacy and/or defamation proceedings following articles it had published in print or online in 2017 and 2019.  Since one of the claimants had entered into a conditional fee arrangement (CFA) with his legal representative, and both had taken out “after-the-event” (ATE) insurance, Associated Newspapers Limited had been liable not only for their base costs, but also for fee uplifts including the “success fee” in the CFA and for their ATE insurance premiums.  In Chamber judgment (12.11.2024) in the case, the European Court of Human Rights held, unanimously, that t...
Read more

ECtHR elects a new Vice-President of the Court and two new Section Presidents

Image
The European Court of Human Rights has elected on 23.9.2024 a new Vice-President of the Court – Judge Ivana Jelić (elected in respect of Montenegro). She will take up her duties on 1 November 2024.  The Court has also elected at the same date two new Section Presidents – Judges Lado Chanturia (elected in respect of Georgia) and Ioannis Ktistakis (elected in respect of Greece). They will also take up their duties on 1 November 2024. Ivana Jelić was born on 17 March 1975 in Podgorica, Montenegro and was elected Judge of the European Court of Human Rights on 12 July 2018. Lado Chanturia was born on 14 April 1963 in Tsalenjikha, Georgia, was elected Judge of the European Court of Human Rights on 8 January 2018 and is Vice-President of Section since 18 May 2023. Ioannis Ktistakis was born on 3 January 1971 in Thebes, Greece and was elected Judge of the European Court of Human Rights on 8 March 2021. (source/photo: echr.coe.int) Read more here
Read more

Intellectual property: the figurative sign consisting of the phrase ‘RUSSIAN WARSHIP, GO F* *K yourself’ in Russian and English cannot be registered as an EU trade mark

Image
In its Judgment in Case T-82/24 (Administration of the State Border Guard Service of Ukraine v EUIPO) (RUSSIAN WARSHIP, GO F**K YOURSELF) the General Court ruled that the figurative sign consisting of the phrase ‘RUSSIAN WARSHIP, GO F* *K yourself’ in Russian and English cannot be registered as an EU trade mark. That phrase, which has become a symbol of Ukraine’s fight against Russian aggression, is not perceived as an indication of a commercial origin.  The Administration of the State Border Guard Service of Ukraine (Kyiv, Ukraine) requests the General Court of the European Union to annul the decision of the European Union Intellectual Property Office (EUIPO) of 1 st December 2023, which refused registration of the following figurative sign as an EU trade mark: ‘RUSSIAN WARSHIP, GO F* *K yourself’ That mark is a war cry uttered by the Ukrainian border guard on Snake Island on 24th February 2022, the first day of the full-scale Russian invasion of Ukraine. Registration was sou...
Read more

The banks Crédit agricole and Credit Suisse participated in a cartel in the sector for suprasovereign bonds, sovereign bonds and public agency bonds denominated in US dollars

Image
According to the Judgment of the General Court in Cases T-386/21 (Crédit agricole and Crédit agricole Corporate and Investment Bank v Commission) and T-406/21 (UBS Group and Credit Suisse Securities (Europe) v Commission), the banks Crédit agricole and Credit Suisse participated in a cartel in the sector for suprasovereign bonds, sovereign bonds and public agency bonds denominated in US dollars (‘SSA Bonds’).  The General Court of the European Union confirms the Commission’s finding of an infringement and maintains the amount of the fines imposed in 2021. In 2018, the European Commission initiated proceedings for infringement of the competition rules involving Deutsche Bank, Bank of America, Crédit agricole and Credit Suisse (now UBS Group [1] ).  In 2021, the Commission found that those banks had entered into an agreement on the secondary market for suprasovereign, sovereign and agency bonds denominated in dollars (SSA bonds). According to the Commission, traders employed by ...
Read more

European Ombudsman asks Commission to publish details of its handling of senior staff move to law firm

Image
The European Ombudsman has asked the European Commission to publish details about how it has handled the planned move by a former director in its competition department to the Brussels office of a US corporate law firm as a partner. Any restrictions that have been placed on the activities of the former director to mitigate potential conflicts of interest should be made public without delay, said the Ombudsman. She noted that public information about the move came from the law firm and gives the impression that the Commission has allowed a senior official to work for a company that anticipates major benefits from their inside knowledge.  The Ombudsman also noted that the Commission declined to give details about the individual’s professional experience despite the fact that the law firm itself has put out a press release detailing it. The Ombudsman has previously criticised a tendency in the EU administration to underestimate the potential negative effects of staff moves to th...
Read more

A national court is not required to apply a decision of its constitutional court that infringes EU law (ECJ)

Image
In its Judgment of 26.9.2024 in Case C-792/22 (Energotehnica) the Court of Justice ruled as regards the right to an effective remedy that a national court is not required to apply a decision of its constitutional court that infringes EU law. In such a case, the national court may not be penalised.  Following the death of an electrician by electrocution during a maintenance operation, an administrative procedure was initiated against his employer. At the same time, criminal proceedings for negligence and manslaughter were initiated against the supervisor. The victim’s next of kin also became civil parties to the criminal proceedings.  The administrative court hearing the dispute concluded that the present case did not involve an ‘accident at work’. It annulled the administrative penalties imposed on the employer. According to national legislation, as interpreted by the Romanian Constitutional Court, that administrative decision prevents the criminal court from reconsidering whe...
Read more