GDPR: Territorial Scope. Why the Regulation Applies Even If Your Company Is Not Based in the EU

Published: April 13, 2017. Updated: January 22, 2018. Author: Aurélie Pols. Category: Data Privacy & Security, GDPR

Lawyers typically start their data protection compliance assessments by asking two simple questions: what data, and where? The next step then flows logically: define which laws apply, depending on where the data collection and processing operations take place. From there, a gap analysis is undertaken to estimate the risks related to data usage and, where needed, the remedial measures.

That worked well for a while, as long as these rules were clear and everybody stayed on their own turf: companies using data to improve internal processes, the data those processes might be about, ideally surrounded by data protection responsibilities if “personal data” was involved. However, this logic was established back in 1995 with the Data Protection Directive (95/46/EC), and evolution has taken its toll since then.

Storage costs have crumbled from around 10k to just a few cents with the advent of cloud computing and our favorite yellow elephant called Hadoop. We have also come a long way from crunching the Internet’s digital exhaust, the log files, to beacons that pick up our mobile signals as we move around in the offline world, a.k.a. real life.

The current compliance debates around consent within the GDPR framework and self-determination about one’s data have not materialized out of thin air in an attempt by EU regulators to annoy CEOs and whine about privacy rights.

Historical underpinnings of the GDPR

They are the fruit of an evolution that dates back to the era of the first mainframes, when Alan Westin defined privacy (in Privacy and Freedom, 1967) as “the claim of individuals, groups and institutions to determine for themselves when, how and to what extent information about themselves is communicated to others”, the idea that later became known as “informational self-determination”.

In Europe, Convention 108, opened for signature in Strasbourg in 1981, also recognizes that data protection is context-specific and began establishing the link between consent and control. From there emanate the legal grounds for consent, which becomes an instrument to negotiate economic value.

And while the World Economic Forum recognized personal data as a new asset class, under EU law data never becomes a tradable good. While consent is given for the storage and usage of personal data, control is kept and never “handed over”.

European Values Behind the GDPR

This fundamentally European stance, supported by Articles 1 (Human Dignity), 7 (Respect for Private and Family Life) and 8 (Protection of Personal Data) of the Charter of Fundamental Rights of the European Union, serves as a basis for European institutions today to state the following:

“There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give that market the blessing of legislation. One cannot monetize and subject a fundamental right to a simple commercial transaction, even if it is the individual concerned by the data who is a party to the transaction.”

(Source: European Data Protection Supervisor, Opinion 4/2017 on the proposed Directive on contracts for the supply of digital content.)

If anything, this shows that while some might consider compliance with the upcoming GDPR to be the endpoint, it is in fact only the beginning of reflections on how digitization and the information society will influence our lives and those of future generations.

The starting point, in our globalized world, is to recognize that data protection is not about companies having the tools to collect and use data on a data market or through a combination of tools. It is about the fundamental rights of those whose data is collected and used.

GDPR: Territorial scope

The GDPR’s Territorial Scope under Article 3 sets this logic out clearly by stating:

“2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union”

Notice the reference to services that are “free” (no payment required) and to monitoring. In plain terms: if you address people who are in the EU, whether by offering them goods or services or by tracking their behaviour there, the GDPR applies. The test is presence in the Union, not citizenship, and it does not matter where your company is established.

The initial question asked by lawyers when performing Data Protection Impact Assessments (DPIAs) or Privacy Impact Assessments (PIAs) therefore evolves from “Where is your data?” to “Whom is your data about, and where are they?” (Note that it will be much harder to establish that your data does not constitute personal data, a notion broader than PII; this will be addressed in a future blog post.)

Legal counsels in data-intensive companies are now trying to translate this obligation into technical and engineering logic, to better understand when the GDPR and its hefty fines might become a risk factor.

More specifically, companies directly targeting (such an ugly word!) people within the EU usually have a good idea whether the “old continent” is part of their audience. Typically, this class of data-intensive companies, which decide why and how data is processed and are therefore Data Controllers, will provide translations of their website into languages like German or Catalan, offer shipping to EU addresses, or bill in euros. These are clear signals that the EU is one of the markets they operate in, irrespective of whether they have any legal presence there.

Data intermediaries

The GDPR equation becomes slightly more complex for data intermediaries, also called Data Processors. Article 3(2) names processors explicitly, so their obligations kick in through a sort of chain effect: as soon as their clients use the intermediary’s tools to address people within the EU, the intermediary is processing the personal data of data subjects in the Union on the client’s behalf.

Should they develop different sets of functionalities to allow their clients to be compliant with their obligations, and if so, which ones?

For starters, how can they detect that the EU market is effectively being addressed through the use of their tools? The classical engineering answer is to look at the client’s IP address. Yet the IP address is increasingly recognized as personal data (the CJEU’s Breyer judgment of 2016 held that even a dynamic IP address can be personal data, and GDPR Recital 30 lists IP addresses among online identifiers), so the very check meant to decide whether the GDPR applies is itself a processing of personal data: a fascinating chicken-and-egg conundrum.
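As an added example (this is not code from the original post), here is one way an intermediary could make that detection while minimizing what it keeps: truncate the client address to a coarse block before any lookup, decide on the block alone, and retain only the block and the verdict. The prefix table and request lines below are constructed from IANA documentation ranges and carry no real geographic meaning; a real deployment would load a geolocation database. The truncation widths (/24 for IPv4, /48 for IPv6) are design assumptions, and whether a truncated address still counts as personal data is a legal question the post does not settle.

```python
"""Decide whether a request comes from the Union without retaining the full IP.

Added example, not from the original post. Assumptions: the prefix table is
constructed (IANA documentation ranges, no real geographic meaning); a real
deployment would load a geolocation database. Truncation widths are a design
choice.
"""
import ipaddress
from typing import List, Tuple, Union

IPv4_KEEP_BITS = 24   # drop the last octet
IPv6_KEEP_BITS = 48   # drop the last 80 bits

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed for this example only. The /28 is deliberately finer than the
# /24 we keep, to show what truncation costs in resolution.
CONSTRUCTED_EU_PREFIXES: List[Network] = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/28"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def truncate(addr: str) -> Network:
    """Return the block the address falls in once its host bits are dropped.

    This is the only form of the address that survives past this function.
    """
    ip = ipaddress.ip_address(addr)
    keep = IPv4_KEEP_BITS if ip.version == 4 else IPv6_KEEP_BITS
    return ipaddress.ip_network(f"{ip}/{keep}", strict=False)


def classify(addr: str, prefixes: List[Network] = CONSTRUCTED_EU_PREFIXES) -> str:
    """Classify on the truncated block: 'in_union', 'outside' or 'undecidable'.

    'undecidable' is returned when a listed prefix is narrower than the block
    we kept, so the truncated data cannot answer the question either way.
    We report that honestly rather than guessing.
    """
    block = truncate(addr)
    verdict = "outside"
    for net in prefixes:
        if net.version != block.version:
            continue
        if block.subnet_of(net):
            return "in_union"
        if block.overlaps(net):
            verdict = "undecidable"
    return verdict


def minimised_record(addr: str, path: str) -> dict:
    """What gets logged: truncated block, requested path and the verdict."""
    return {
        "client_block": str(truncate(addr)),
        "path": path,
        "territory": classify(addr),
    }


# Constructed request lines (documentation addresses), not real traffic.
CONSTRUCTED_REQUESTS: List[Tuple[str, str]] = [
    ("203.0.113.42", "/pricing"),
    ("198.51.100.77", "/pricing"),
    ("192.0.2.1", "/about"),
    ("2001:db8:1::abcd", "/checkout"),
]


def process(requests: List[Tuple[str, str]] = CONSTRUCTED_REQUESTS) -> List[dict]:
    """Turn raw requests into minimised records; full addresses never persist."""
    return [minimised_record(ip, path) for ip, path in requests]


if __name__ == "__main__":
    for record in process():
        print(record)
```

The /28 entry illustrates the trade-off: the coarser the truncation, the less identifying the retained data, but also the fewer territorial questions it can still answer. A block that only partially overlaps a listed prefix yields “undecidable”, which is the point at which the intermediary has to choose between keeping more of the address and accepting that the client must signal the market in some other way.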

GDPR – territorial scope – final remarks

Technology is said to be neutral.

Should data intermediaries therefore fork their developments, to make one set GDPR-compliant and another not? Or would it be easier to embrace a longer-term view that, as our societies become increasingly digitized and our activities gamified, adopts rules, standards and codes of conduct to assure a balanced and dignified society for us and the generations to come? I’ll leave the answer to you.

Author:

Aurélie Pols, Contributor

A former Data Governance and Privacy Engineer with Salesforce (previously Krux Digital Inc.), a member of the European Data Protection Supervisor’s Ethics Advisory Group, a professor at IE Business School in Madrid, and an advisor to the International Association of Privacy Professionals (IAPP). A founder of a Privacy and Data Protection Consultancy, Mind Your Privacy.
