Article 3(2) of the GDPR and the second criterion: Targeting criterion
Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)). Our first post in this series examined the “Establishment” criterion. In this post, we will move into the second criterion, “Targeting”.
Two Types of Targeting Activities Relating to Data Subjects in the EU
Under this criterion, the GDPR applies to two distinct and alternative types of activities, provided that these processing activities relate to data subjects that are in the Union.
Article 3(2) (a) Offering Goods or Services to Data Subjects in the EU, Irrespective of Whether a Payment of the Data Subject is Required
There are two important issues in this respect:
- Article 3(2)(a) specifies that the targeting criterion concerning the offering of goods or services applies irrespective of whether payment is made in exchange for the goods or services provided.
- It has to be determined on a case-by-case basis whether the offer of goods or services is directed at persons in the Union.
As per Recital 23 of the GDPR, “it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union[…]”. To this effect, the EDPB lists a number of factors that can be taken into account, drawn from CJEU case law (not restricted to data protection regulation). These include, for instance, mentioning one or several EU Member States by name, the use of a language or currency of one or more Member States, the use of an EU top-level domain name, the places to which goods can be delivered, and advertising campaigns or paid search-engine referencing aimed at an EU audience. No single factor is decisive; they are assessed together.
The recital specifies, however, that “the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention.”
Article 3(2)(b) Monitoring the Behaviour of Data Subjects in the EU, as far as it Takes Place Within the EU
There are some important issues in this respect:
- For Article 3 (2)(b) to trigger the application of the GDPR, the behaviour monitored must first relate to a data subject in the Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the Union.
- The use of the word “monitoring” implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. Recital 24 indicates that, to determine whether processing involves monitoring of a data subject’s behaviour, it should be ascertained whether natural persons are tracked on the Internet, “including the potential subsequent use of profiling techniques particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes”.
- The final Guidelines offer more examples of what falls under this criterion. Behavioural advertising is one of them.
Data Subjects Who Are in the Union
The wording of Article 3 (2) refers to “personal data of data subjects who are in the Union”. The application of the targeting criterion is, therefore, not limited by the citizenship, residence or other type of legal status of the data subject whose personal data is being processed.
Article 3 (2) Applying to Processors
Some organisations tend to forget that these criteria apply not only to the non-EU controller that offers online services or monitors the behaviour of data subjects in the EU, but also to its processor not established in the EU. The EDPB considers that “where processing activities by a controller relates to the offering of goods or services or to the monitoring of individuals’ behaviour in the Union (‘targeting’), any processor instructed to carry out that processing activity on behalf of the controller will fall within the scope of the GDPR by virtue of Art 3 (2) in respect of that processing.”
Particularities of This Criterion
It is important to note that the GDPR applies only to the relevant activity and not globally to all activities of the organisation.
The EDPB confirms that, in the absence of an establishment in the Union, a controller or processor cannot benefit from the one-stop shop mechanism.
The EDPB also reminds organisations that, even though the GDPR is intended to harmonise data protection across the EU, controllers and processors will also need to take into account other applicable texts, such as, for instance, EU or member states’ sectorial legislation and national laws.
Appointing a Representative in the EU
The final version of the Guidelines provides more details on the appointment of a representative and on the instances in which organisations are exempt from appointing one. The EDPB also confirms that a representative cannot, at the same time, act as DPO of the same organisation.
The good news in the final version of the Guidelines is that the interpretation of the role and, more importantly, the responsibility of the representatives has changed.
In line with Recital 80 and Article 27(5), the designation of a representative in the EU does not affect the responsibility and liability of the controller or of the processor under the GDPR, and shall be without prejudice to legal actions that could be initiated against the controller or the processor themselves.
The EDPB emphasises that the concept of the representative was introduced with the aim of (i) facilitating the liaison with non-EU controllers or processors and (ii) ensuring enforcement of the GDPR against non-EU controllers or processors. The representative is no longer jointly liable with the processor or controller that has appointed it, nor can sanctions and other measures be imposed on the representative for breaches by such controller or processor. The ability to hold a representative directly liable is limited to its own direct obligations, referred to in Articles 30 (records of processing activities) and 58(1)(a) (providing information requested by a supervisory authority) of the GDPR. The appointment of the representative is intended to enable enforcers to initiate enforcement actions “through” the representative designated by controllers or processors not established in the Union. This includes the possibility to “address” to the representative any administrative fines and penalties imposed on the controller or processor not established in the Union.
This will make it much easier to find organisations willing to take on the role of representative and the associated risk.
Given that it is no longer possible to sanction the representative for a breach by the non-EU controller or processor, the EDPB has indicated that it will be necessary to further develop international cooperation mechanisms to allow for effective enforcement of sanctions.
International Transfer of Data
Chapter V of the GDPR provides that personal data may only be transferred to recipients outside of the European Economic Area when certain safeguards are in place, unless the recipient is in a country benefiting from an adequacy decision of the European Commission or is a US company certified under the EU-US Privacy Shield (which the CJEU subsequently invalidated in July 2020). Such safeguards include, amongst others, Binding Corporate Rules approved for a corporate group and Standard Contractual Clauses signed between the EU company exporting the data and the non-EU company importing it. If no such safeguard can be implemented, the transfer can possibly be based on one of the derogations set out in Article 49 of the GDPR, but each derogation comes with its own restrictions or constraints.
Some of these tools are not suited to all situations and, notably, not to companies that are not established in the EU. For example, BCRs can only be implemented in a group which has at least one establishment in the EU that will take on liability for non-compliance by the other affiliates. With whom should a company established outside of the EU, offering online services directly to data subjects based in the EU, enter into Standard Contractual Clauses, given that there is no EU exporter? None of the derogations of Article 49 seems to provide an appropriate alternative.
There has been much debate among stakeholders on whether or not processors or controllers established outside the EU and falling under the scope of article 3 (2) of the GDPR would need to implement the measures provided for in Chapter V in relation to the data they are collecting on data subjects in the EU. Some consider that, as the GDPR already applies to such controllers or processors, this would not require any additional measures for the data flow from the EU (given that compliance with GDPR offers all the protection that is needed).
The EDPB acknowledges that further guidance will be required on international transfers.
The EDPB further indicates “Article 3 of the GDPR reflects the legislator’s intention to ensure comprehensive protection of the rights of data subjects in the EU and to establish, in terms of data protection requirement, a level playing field for companies active on the EU markets, in a context of worldwide data flows”. This can be quite a challenge for organisations based outside of the EU which have to assess carefully whether GDPR applies to them or not.