Key Takeaways From the European Data Protection Board’s New Guidance
In November 2019, the European Data Protection Board (EDPB) issued its final guidance on territorial scope of the General Data Protection Regulation (GDPR), following release of the draft guidelines in November 2018 and a lengthy public consultation period. Comparing the final and draft versions provides critical insight into the EDPB’s current stance on territorial scope and how its position has changed over the past year. In most cases, the final guidelines clarify a more measured approach to territorial scope, which suggests the EDPB has accepted certain legal and practical limits to the GDPR’s extraterritorial scope. But in some cases, such as how the targeting prong pulls processors not established in the EU into the GDPR’s scope, the guidelines take a more expansive view of the GDPR’s territorial reach.
In a new client alert, I explore key takeaways and recommendations from the final guidance, citing new language in the final guidance that clarifies the EDPB’s position on several important topics. Here are some highlights:
- Focus on processing activities, not companies. The EDPB reinforced that the GDPR applies to processing activities, not organizations. Therefore, it is critical to examine the nuances of a particular processing activity when considering whether it falls within the GDPR’s scope under Article 3(1) or 3(2).
- The EDPB clarifies important limits to the GDPR’s extraterritorial scope. The EDPB added language and examples to clarify and emphasize limitations on the regulation’s extraterritorial scope. Perhaps most important, the EDPB clarified that offers for goods or services are not within scope if they are inadvertent or incidental. They must “intentionally” target individuals in the EU.
- But non-EU processors may now be directly within the GDPR’s scope based on their own “targeting” activities, when acting on a controller’s behalf. The EDPB has clarified an expansive view of the GDPR’s scope with respect to processors not established in the EU. The final guidance states that processing by a data processor not established in the EU may be subject to the GDPR under Article 3(2) if the processing activities “are related” to the targeting activities of the controller. This interpretation exposes more processors to the GDPR’s processor requirements.
- Data transfer rules remain unclear. The EDPB failed to clarify the relationship between Article 3’s provision on territorial scope and Chapter V’s provisions on international data transfers. This adds to the current uncertainty on international transfer mechanisms raised by the Schrems II decision, now working its way through the Court of Justice of the European Union.
- Enforcement options against non-EU entities remain murky. The EDPB clarified in the final guidance that supervisory authorities may not take enforcement action for a controller’s or processor’s violations directly against the controller’s or processor’s Article 27 representative. This is a reversal from the draft guidance and leaves open the question of how exactly European regulators plan to take enforcement action against non-EU controllers or processors. The EDPB says it’s considering options.