The General Data Protection Regulation (GDPR) does not just impact companies located in the European Economic Area (EEA). It has a “long-arm” provision which may subject foreign companies to its jurisdiction. There is a fair amount of uncertainty regarding how this provision may be applied. The European Data Protection Board (EDPB) has recently issued updated guidelines that shed some light on how national Supervisory Authorities are expected to interpret the extra-territorial reach of the GDPR (guidelines).[1] This article focuses on one aspect of the guidelines that may negatively affect vendors located outside the EEA.

  1. Is the Application of the GDPR Stretched to the Maximum?

The GDPR applies to controllers as well as processors that are located outside the EEA and process personal data in the context of the offering of goods or services in the EEA. It also applies to controllers and processors that “monitor the behaviour of data subjects in the EEA.”[2] According to the guidelines, however, non-EEA based processors are also subject to the GDPR if their operations “are related to”[3] the targeting activity of a non-EEA based controller that offers goods or services or monitors individuals’ behaviour in the EEA.

In other words, the applicability of GDPR is not limited to processors that target individuals in the EEA. A processor that helps a non-EEA based controller target individuals in the EEA is also directly subject to the GDPR. For instance, a service provider that offers software solutions to business customers that use the solution to target individuals in the EEA would be subject to the GDPR, simply by virtue of supporting the controller’s processing operations relating to targeting of customers in the EEA.

The EDPB provides some examples of this application of GDPR, including one where a U.S.-based health and lifestyle service provider is using a U.S.-based cloud provider as a processor to store the data collected through its apps, including data from EEA citizens.[4] In this example, the EDPB states that the processor is carrying out a processing activity relating to the targeting of EEA individuals that the controller conducts. As such, the GDPR’s extra-territorial application kicks in for the processor as well.

  2. What Does This Mean for Vendors in the U.S. (and in Other Non-EEA Countries)?

The consequences of the EDPB’s extra-territorial interpretation may be significant. It will likely increase liability exposure for non-EEA based processors who never intended to target or monitor individuals in the EEA, or that—more generally—never intended to conduct business in the EEA. Such vendors’ risk of exposure becomes dependent on their customers’ data practices in the EEA. The EDPB’s example is a case in point: a U.S.-based hosting provider is not aware, and often does not care, about the data that its clients upload on the cloud.

Subjecting the hosting service to the GDPR simply because the client is subject to the GDPR is potentially problematic for various reasons:

The EDPB’s interpretation may favor large businesses. This broad interpretation of Article 3(2) GDPR may favor large data processors that have experience dealing with the EEA data privacy regime. Data controllers are expected to be selective and to retain processors that have taken measures to comply with the GDPR in light of the guidelines. Smaller market players may simply not have the compliance stature and means to deal with the GDPR and may lose market opportunities as a result.

Processors may not be able to control their customers’ actions. Vendors could, in theory, try to prohibit their customers from targeting/monitoring individuals in the EEA. This would almost certainly not be a workable solution in practice. Their customers would either push back on such a restriction or simply look for a competing vendor that is more flexible. By default, this would create a competitive advantage to EEA-based vendors who are already subject to the GDPR.

Processors will often be left in the twilight zone of legal uncertainty. Whether non-EEA based controllers are subject to the GDPR’s long-arm provisions is not clear-cut. Non-EEA based controllers may conclude that GDPR does not apply to them, whereas Supervisory Authorities or national courts may disagree. In such cases, all non-EEA based processors with whom the controller has contracted would potentially be operating in violation of the GDPR. More broadly, processors may become dependent on the controller’s actions; controllers may change their information or marketing practices, and therefore, become subject to the GDPR for certain data processing operations. Processors that support such operations may be unaware of this, but still find themselves subject to the GDPR.

Contractual clauses will not necessarily fix the problem. Non-EEA processors can try to stipulate in their contract with controllers that they are not subject to the GDPR; however, Supervisory Authorities are not obligated to accept this. The Supervisory Authorities can find that the non-EEA processor is subject to the GDPR irrespective of the processor’s intention.

Increasing complexity means increasing uncertainty. Foreign data protection laws are increasingly crafted with the GDPR in mind and may therefore extend similar extra-territorial application to processors around the globe. This dystopian scenario could leave processors liable under a multitude of national foreign data protection laws, resulting in exponentially increasing compliance costs.

Inconsistent rules may violate World Trade Organization (WTO) law. To assess whether companies located in a non-EEA territory are subject to the GDPR, the EDPB’s guidelines opine that the assessment should be conducted independently for the controller and the processor.[5] Specifically, the EDPB states that a non-EEA based processor is not automatically deemed subject to the GDPR simply because it is contracting with a controller which is subject to the GDPR’s territorial application.[6] This is intuitive, yet contradictory to subjecting the same non-EEA based processors to the GDPR when they provide similar services to a non-EEA based controller that is caught by the GDPR’s long-arm provisions. As such, the EDPB’s Guidelines potentially constitute a prohibited discrimination under WTO rules relevant to trade in services (GATS). GATS prohibits countries from adopting trade-restrictive measures that directly discriminate against companies based on their location. However, according to the EDPB’s Guidelines: i) EEA-based processors have a competitive advantage, since non-EEA based controllers may prefer them over non-EEA based processors, as the latter may view themselves as outside the GDPR’s scope and thus not comply with GDPR requirements; and ii) non-EEA based processors would not be subject to the GDPR if they contract with an EEA-based controller, whereas they would be if they contract with a non-EEA based controller, which appears inconsistent.

  3. Conclusion

The EDPB’s interpretation does not appear to further protect EEA individuals, since data controllers that are already subject to the GDPR must hold their processors accountable through Article 28 agreements, which provide adequate safeguards for the processing of individuals’ data.

Arguably, the EDPB’s position stretches the GDPR to its limits and creates an uneven playing field for non-EEA processors. Processors may take stock of this somewhat surprising extra-territoriality interpretation and assess whether they consider themselves to be subject to the GDPR or not. Irrespective of this self-assessment, the market may push them towards a “comply with the GDPR or perish” approach, in which case processors may find themselves prioritizing the GDPR compliance items they choose to follow. If nothing else, the extra-territorial applicability debate is far from settled.

[1] Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), Version 2.0, adopted on November 12, 2019, available at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en.

[2] Article 3(2)(b) GDPR.

[3] Ibid., p. 21.

[4] Ibid., p. 21.

[5] Ibid., p. 10.

[6] Ibid., p. 10: “The existence of a relationship between a controller and a processor does not necessarily trigger the application of the GDPR to both, should one of these two entities not be established in the Union.”