The new General Data Protection Regulation (GDPR) strictly regulates the collection, use and storage of personal data, but does the long arm of the law stretch beyond the EU borders more than anyone could have anticipated?
If you are surfing the web to see who the GDPR applies to, you could come to the conclusion that it is in place to protect EU citizens. This is a very common misunderstanding. Actually, Art. 3 para. 2 GDPR states:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
This means that the GDPR stretches beyond the borders of the EU to protect data subjects in the EU (even if they are not EU citizens), because it applies to any entity processing the data of data subjects in the EU once the conditions under Art. 3 para. 2 lit. a and b GDPR are satisfied. Companies throughout the world are now working on compliance not only with local laws but also with the GDPR, because they want to do business in the EU.
However, this is not the only way that the GDPR reaches beyond the borders of the EU. Art. 3 para. 1 GDPR establishes that:
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This means that the regulation also covers the processing of personal data by any entity located in the EU, whether it acts as a controller or a processor, and whether or not the data is processed in the EU. This has significant implications worldwide. The impact can be seen through a simple example:
Company A, located in Australia with no offices or locations in Europe, processes data of its own customers who are also located in Australia. Company A, however, uses a service provider in Germany to store the concerned personal data on German servers.
The international data transfer from Australia to Germany must be permitted under Australian law; for our example we will assume that the transfer is permissible. The interesting part is the transfer of the data back to Company A in Australia. Even though the data belongs to an Australian company processing the data of Australian citizens, the data is now in the EU and the GDPR applies. Hence, there must be a legal basis for processing according to Art. 6 GDPR, data subjects must be informed of their rights according to Art. 13 GDPR, and the international data transfer must be based on the requirements set out in Art. 44 GDPR.
This means that, at the very least, data subjects who have no link to the EU are granted rights merely because the company they are doing business with uses a service provider in the EU. In more extreme cases, however, it means that it is very difficult for Company A to receive the data back from its service provider in Germany, because Company A does not comply with the standards of data protection set out in the GDPR. And even if all the conditions of the GDPR are met and all other applicable laws respected, one can’t deny that the new scheme makes personal data transfers like the one exemplified above far more expensive than they were in the pre-GDPR era.
Were the writers of the GDPR truly attempting to make the regulation applicable in so many instances or is this an unintended consequence of how the regulation was written? This is a difficult question to answer, since the supervisory authorities are not in agreement on this issue. While researching for this article we contacted multiple authorities within Germany and received multiple different responses regarding the applicability of the GDPR in the situation described. This is made even more difficult when multiple EU countries are involved in the data flow.
The European Data Protection Board (EDPB), which provides guidance on how to comply with the GDPR, is currently working on guidance that will provide a clearer picture of how far the reach of the GDPR was intended to extend. However, given the current uncertainty about how the GDPR pertains to such international transfers, companies that transfer personal data into and out of the EU and want to be compliant will need to:
- establish a legal basis for the processing in accordance with Art. 6 GDPR,
- have agreements in place in accordance with Art. 26 or 28 GDPR,
- provide data subjects with information in accordance with Art. 13 or 14 GDPR, and
- put in place provisions to assure an adequate level of protection in accordance with Art. 44 GDPR.