SaleCycle Legal Counsel Emma Stubbs offers her insights into GDPR, looking at the personal data it covers, and how it might affect businesses based outside the EU.
Ah 1995, do you remember it? This was the year when we excitedly swapped our video collections for DVDs, cried when Robbie left Take That, and our US friends started to buy things from Amazon.com (cautiously of course, as this internet thing was still a bit newfangled).
1995 also saw the EU adopt the Data Protection Directive, with its sweeping reforms to the way personal data is handled and processed.
Fast forward 20-odd years: Robbie rejoined Take That (hooray! well, just for one show), Amazon sells over half a billion products (wow!) and the EU has published the General Data Protection Regulation (GDPR) to deal with the monumental shift in the scale at which personal data is now processed.
The GDPR is a fundamental piece of legislation which will repeal the Data Protection Directive. It will affect businesses established in the EU that process personal data, and any non-EU business that offers goods and services to, or monitors the behaviour of, people in the EU. It will take effect from 25 May 2018.
Who does GDPR apply to?
If a business is established in the EU, the GDPR will apply to personal data processed in the context of that establishment, wherever the processing itself takes place. If a business is not established in the EU, it will be subject to GDPR if its personal data processing activities relate to:
- The offering of goods and services to data subjects in the EU; or
- The monitoring of their behaviour as far as their behaviour takes place within the EU.
There has been a lot of commentary on GDPR stating that it only affects EU residents and EU citizens. Whilst it is true that the personal data of EU residents and citizens is protected, the actual wording of GDPR is wider than this: it makes no reference to citizenship or residence, and applies to any ‘data subject’ in the EU, i.e. a living person who is in the EU at the time their data is processed, whatever their nationality.
Let’s illustrate this with a couple of examples:
- If a US tourist on holiday in Spain logs onto www.dominospizza.es to order a pizza to their holiday villa, that tourist’s data must be processed in accordance with GDPR, even though they are not a citizen of an EU country.
- If that same tourist (whilst in Spain) logs onto the website of their usual US grocery store (and the store does not deliver or market its goods or services to the EU) to order a grocery delivery to arrive on their return from holiday, that processing of personal data will not be subject to GDPR.
What does ‘offering goods and services’ mean?
Basically, if a business is trying to target its goods and services for sale within the EU, it will be caught by GDPR.
The mere fact that a non-EU business has a website which is accessible to people in the EU is not enough on its own, nor is the use of a language that is generally used in the business’s home country.
However, if there are other factors, such as the website being in a European language not used in the business’s home jurisdiction, offering payment in an EU currency, offering delivery to the EU, targeting advertising at individuals in the EU, or perhaps using an EU country domain name (e.g. .es, .de, .fr), then this will point towards goods and services being offered to people in the EU and GDPR will apply.
What constitutes ‘monitoring behaviour’?
Organisations which track people on the internet, particularly where that tracking is followed by profiling, i.e. evaluating aspects of a person such as their personal preferences, interests, behaviour, location or movements in order to take decisions about them or to analyse or predict those aspects, will also be caught by GDPR.
At the moment, it’s not completely clear how detailed this monitoring of behaviour has to be for GDPR to apply.
If the collection by the non-EU business is only incidental and no profiling decisions are actually taken using that data, it remains to be seen what action (if any) a European Data Protection Authority (DPA) would take, given the inevitable challenges of cross-border enforcement.
How will GDPR be enforced outside of the EU?
If a business based outside the EU inadvertently falls foul of GDPR, can the ICO or another European Data Protection Authority go after it?
It remains to be seen how the extended territorial reach of GDPR will be enforced by the DPAs in each of the EU member states.
How would an EU DPA go about serving a formal enforcement notice on a US company? At present, there is no clear guidance on this but it is plausible that DPAs could seek a court injunction to block a service if personal data is being unlawfully processed.
Equally, if the personal data is processed in relation to the sale of physical goods, it is not impossible that those goods could be seized by trading standards or customs authorities at the border.
Businesses outside the EU that fall within GDPR’s scope will also, in most cases, need to designate a representative established in the EU who will “act on behalf of the controller or processor and may be addressed by any DPA”. The GDPR does exempt processing that is only occasional, does not include large-scale processing of special categories of data or data relating to criminal convictions, and is unlikely to result in a risk to individuals’ rights and freedoms. Where a representative is required, they can be subject to enforcement proceedings in the event of non-compliance by the non-EU controller or processor, but this does not affect the primary liability of the controller or processor itself.
One thing is for sure: no non-EU business will want to be the test case, so it is best to tackle the requirements of the GDPR head on and develop a compliant strategy for dealing with the personal data that you process.