THE EXTRA-TERRITORIAL EFFECT OF THE EU GENERAL DATA PROTECTION REGULATION: THERE’S NO GETTING AWAY FROM IT
One term on everyone’s lips these days is ‘GDPR’. It seems you cannot get away from it even if you are outside the European Union (‘EU’) or European Economic Area (‘EEA’).
The EU General Data Protection Regulation 2016/679 (‘GDPR’) replaced the EU Data Protection Directive (95/46/EC) (‘EU Directive’) and local implementing laws on 25 May 2018. It has caused some commotion as a result of the extra-territorial effect and scope of EU data protection law. By virtue of Article 3 of the GDPR, the scope of the law now extends and applies to the following:
- the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not (the ’Establishment Provision’);
- the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
2.1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or,
2.2. the monitoring of their behaviour as far as their behaviour takes place within the Union (together the ‘Outsider Provision’).
The international scope of the GDPR is therefore contained in these provisions and specifically by virtue of these phrases: “the activities of an establishment of a controller or a processor… regardless of whether the processing takes place in the Union or not” and “by a controller or processor not established in the Union”.
Whilst there were existing restrictions on international data transfers in the EU Directive, the provisions introduced by the GDPR are more extensive. For one thing, they take into account rapidly evolving technologies, such as cloud storage services, where processing equipment is located outside the EU and would therefore be caught by the Establishment Provision. For another, they bring the focus back to the individual - the EU resident – caught by the Outsider Provision.
So, what if the GDPR does apply as a result of your processing activities? What then?
Stiff penalties introduced
The penalties that may be imposed under the GDPR have been significantly increased and certain violations of the GDPR can lead to fines of up to EUR 20,000 (twenty thousand Euros) or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is the higher.
In addition to the monetary penalties are the corrective powers bestowed on supervisory authorities (essentially, the data protection regulator appointed in each EU member state). These powers include the ability to issue warnings to data controllers or data processors, impose a ban on processing, and even suspend data flows to a recipient in a third country or to an international organisation. 
This leads to a flurry of self-analysis – an internal audit, if you will – to determine whether or not you are caught by the international scope of the GDPR.
First, there is the question of what an ‘establishment’ is.
The GDPR states that an establishment implies the effective and real exercise of activity through ‘stable arrangements’. However, stable arrangements in terms of a legal entity, for example a branch or a subsidiary located in an EU member state, will not be a determining factor. More crucial in clarifying the situation, perhaps, is the existence of an ’inextricable link’ between the processing activities and the EU establishment. This has been discussed in various rulings by the Court of Justice of the European Union, which had already extended the territorial reach of EU data protection law prior to implementation of the GDPR.
For simplicity’s sake, let us look only from the perspective of non-EU based data controllers and data processors, where the processing takes place outside the EU, and the non-EU data controller or data processor has an establishment in the EU (through a subsidiary or branch, for example). In this case, the GPDR will apply to the non-EU data controller or processor if there is an inextricable link between the processing activities and the EU establishment.
An inextricable link may exist where there is an economic dependency on the part of the non-EU entity on the EU activities carried out through a third party or a related corporate entity. It should be stressed however that each situation will need to be considered on its own; there is no single and absolute ‘establishment’ test.
To avoid facing the crippling GDPR penalties, companies need to make sure that they are not caught by the Establishment Provision. They should analyse and consider the extent to which their EU business activities are carried out through third parties – i.e. service providers, cloud providers or related corporate entities. Companies should also consider whether or not the relationships between the company (as the non-EU entity) and the third party (as the EU entity) represent an economic dependency as a result of the activities being conducted through that EU entity.
Lack of an EU presence is not a loophole
Having done this internal audit, you realise that your processing activities are in fact caught by the Outsider Provision. What next? After all, one would think that an entity without a presence in the EU could not be penalised. In fact, it can.
If you are caught by this Outsider Provision, the requirement is that a controller or processor located outside the EU, processing the personal data of EU data subjects, must designate a representative in the EU.
According to the legislation, this requirement does not however apply if the processing is (i) occasional and does not include large-scale processing of sensitive personal data; (ii) it relates to processing of personal data on criminal offences and convictions, and is unlikely to result in a risk to the data subjects’ rights; or (iii) the controller is a public authority or body. 
The appointed EU representative will be subject to the jurisdiction of the supervisory authority established in the country where the representative is located. The appointment of the EU representative does not mean that the data controller or processor is exempted from any provisions of the GDPR, but the legislation does explicitly clarify that the EU representative will be subject to enforcement proceedings in the event of non-compliance by the controller or processor. The appointment of the EU representative will be without prejudice to legal actions, which could be initiated against the non-EU controller or processor.
Whether or not you manage to avoid the jurisdiction of the relevant supervisory authority, the protection, security and integrity of personal data is on top of every individual’s and every corporation’s list of priorities. Where there is any failure to comply with the GDPR or in the event of any data breach, we have seen various instances in these past 12 months where the reputational damage has been significant, irrespective of whether or not a breach actually occurred.
This should be enough of a deterrent for any person thinking that they can sidestep the data protection laws, wherever they are in the world. If this is a grey area and you are simply not sure whether or not you fall under the Establishment Provision or the Outsider Provision, it is better to follow best practice. It is important to ensure that internal audits of all processing activities and arrangements, as well as data flow audits, are carried out. This may just help you sleep better at night!