Chapter 5 - Territorial & Material Scope of the GDPR Flashcards
What is the territorial scope of the GDPR?
-Applies to organisations established in the European Union and also, on an extraterritorial basis, to organisations that offer goods or services to, or monitor individuals in, the European Union.
-EDPB issued detailed guidance on the territorial scope of the GDPR in Guidelines 3/2018, adopted on 12 November 2019.
-Article 3 of the GDPR aims to determine whether a processing activity falls within the scope of the GDPR, meaning the application should be assessed per data processing activity.
-The fact that certain processing activities fall within the scope of the GDPR does not mean that all processing activities of that organisation are subject to the GDPR.
What does Article 3(1) state about EU-established controllers and processors?
-States that it applies to the processing of PD in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
-Establishment implies the effective and real exercise of activity through stable arrangements, as explained in Recital 22.
-The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor.
-CJEU decision in Weltimmo v. NAIH illustrates this broad concept.
-Weltimmo, incorporated in Slovakia, was considered established in Hungary because its website targeted the Hungarian market, had a representative in Hungary, opened a bank account in Hungary, and used a letterbox in Hungary.
-The nationality of the data subjects was irrelevant. Importantly, appointing a processor in the EU does not alone mean the controller is subject to the GDPR.
What does ‘in the context of the activities’ mean?
-GDPR applies when the processing of PD is carried out in the context of the activities of an establishment in the EU.
-This test is met when there is an inextricable link between the activities of an EU establishment and the processing of data by a non-EU controller.
-For example, in Google Spain SL v. AEPD, the activities of Google Spain SL in promoting and selling advertising space in Spain were linked to the search engine’s data processing activities, making the GDPR applicable.
-The connection between the activities of the EU establishment and the non-EU controller’s data processing must be sufficient to trigger the application of the GDPR.
Does nationality and residence matter for GDPR application?
-The EDPB notes that Article 3(1) of the GDPR does not restrict its application to the processing of personal data of individuals who are in the Union.
-Recital 14 supports this view, stating that the protection afforded by the GDPR applies to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.
-For example, if a French controller has a car-sharing application available only in Morocco, Algeria, and Tunisia, but the data processing activities are carried out by the controller in France, the GDPR will apply to the processing of personal data.
What does Article 3(2) state about non-EU established organisations?
-Applies to the processing of PD of data subjects who are in the Union by a controller or processor not established in the Union.
-Covers processing activities related to the offering of goods and services to such data subjects in the Union, or the monitoring of their behaviour as far as their behaviour takes place in the Union.
-It is NOT clear how "data subjects who are in the Union" will be interpreted; EU residency should not be assumed to be a prerequisite.
What does targeting EU data subjects mean?
-Under Article 3(2)(a), non-EU established organisations will be subject to the GDPR where they process personal data about EU data subjects in connection with the offer of goods or services to EU data subjects.
-Payment by the data subject is not required.
-Recital 23 provides that, in determining whether an organization is offering goods or services to data subjects in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.
-The EDPB clarifies that an organization which inadvertently sells to an individual in the Union will not necessarily be subject to the GDPR.
-Relevant factors include naming EU or member states in reference to goods or services, using an EU language, having marketing campaigns directed at EU audiences, and using a top-level EU domain.
What does monitoring of behaviour mean?
-Non-EU organisations that monitor the behaviour of EU individuals will be subject to the GDPR provided the behaviour being monitored occurs within the Union.
-Recital 24 specifies that monitoring includes tracking individuals online to create profiles, including for analyzing or predicting personal preferences, behaviors, and attitudes.
-Examples of monitoring include behavioral advertising, geolocation, online tracking through cookies, CCTV, market surveys, and health monitoring.
-Offline monitoring is also within the scope of Article 3(2)(b).
What does the GDPR state in relation to public international law?
-Article 3(3) states that the GDPR will apply where the processing of PD by a controller not established in the EU takes place in a location where MS law applies by virtue of public international law.
-Includes embassies/ consulates of EU MS / ships registered to MS
-EDPB Guidelines give example of ships registered to a MS where MS laws apply when ship is in international waters
How does Brexit affect GDPR application?
-UK enacted identical provisions/ references to the MS are replaced with references to the UK.
-A controller or processor with establishments in both an EU Member State and the UK will be subject to both EU and UK data protection laws when processing personal data in the context of those establishments.
-Similarly, a controller or processor established in the EU but offering goods or services to individuals in the UK or monitoring their behavior will be subject to both EU and UK data protection laws.
What is the material scope of the GDPR?
-Certain activities fall entirely outside the GDPR’s scope.
-Article 2(2)(a) states that the GDPR does not apply to the processing of PD in the course of an activity that falls outside the scope of EU law -> such as public security, defense, and national security.
-Article 2(2)(b) states that the GDPR does not apply to the processing of PD by MS when carrying out activities within the scope of Chapter 2 of Title V of the TFEU -> including activities related to the common foreign and security policy of the EU.
What is the household exemption?
-Article 2(2)(c) exempts data processing by a natural person in the course of a purely personal or household activity.
-Includes correspondence and holding address books, provided their use is for personal purposes and not connected to professional or business activities.
-GDPR will apply to controllers or processors that provide the means for processing PD for such personal or household activities.
-Recital 18 notes that social networking and online activities used for social and domestic purposes are also covered by this exemption.
What is the prevention, investigation, detection, and prosecution of criminal offences exemption?
-Article 2(2)(d) of the GDPR exempts processing of PD by competent authorities for the purposes of
-prevention
-investigation
-detection
-prosecution of criminal offences
-the execution of criminal penalties
-including safeguarding against and preventing threats to public security.
-LED fills the legislative gap arising from this exemption and applies to entities competent for criminal justice activities, such as police, prosecution authorities, and courts.
Does GDPR apply to EU institutions?
-Article 2(3) states that the GDPR does not apply to EU institutions, bodies, offices, and agencies.
-Regulation 2018/1725, which replaced Regulation 45/2001/EC, applies to the processing of personal data by EU institutions and bodies.
What is the relationship between GDPR and ePrivacy Directive?
-Article 95 of the GDPR states that the GDPR shall not impose additional obligations on natural/legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in EU.
-ePrivacy Directive defines consent by reference to the GDPR
-meaning consent for direct marketing activities under the ePrivacy Directive must comply with the GDPR’s more stringent consent requirements.
-The EDPB’s Opinion 5/2019 clarifies the interplay between the ePrivacy Directive and GDPR.
What is the relationship between GDPR and E-Commerce Directive?
-GDPR stated to be without prejudice to the rules in the E-Commerce Directive 2000/31/EC
-Particularly those concerning the liability of intermediary service providers.
-E-Commerce Directive excludes issues related to the processing of PD from its scope
-Meaning these issues are solely governed by relevant DP legislation.
-GDPR and E-Commerce Directive can be read consistently if one assumes that the liability of internet service providers (ISPs) for the actions of users will be determined by the E-Commerce Directive, while other matters, such as obligations to erase or rectify data, will be governed by the GDPR.
-This point remains unclear.
Overview of the scope of the GDPR
-GDPR has broad territorial and material scope.
-Many organisations that may not have fallen under the jurisdiction of the Directive will find their processing activities trigger the application of the GDPR
-Especially if they offer goods or services to EU data subjects.
-Although the GDPR attempts to limit its material scope with more clarity than the Directive did, a great deal of processing activities fall under the GDPR.
What does Article 3(1) of the GDPR state about processors?
-Article 3(1) of the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union.
-However, the EDPB has clarified that only the provisions of the GDPR which apply to processors will be relevant here.
-A non-EU controller will not become subject to the GDPR merely because it is using a processor in the European Union.
What was the Lindqvist case and its importance?
-CJEU considered whether publication by Mrs. Lindqvist on her personal website of information relating to individuals she worked with on a voluntary basis in her parish church fell within the household exemption.
-The CJEU held that Mrs. Lindqvist could not rely on Article 3(2) of the previous Directive because the exemption was confined to activities carried out in the course of a private or family life of individuals.
-The processing consisted of publication on the Internet, making the data accessible to an indefinite number of people.
-This restricted interpretation of the household exemption has been criticised by the WP29 as unrealistically narrow, given the changes in technology.
What was the Rynes case and its importance?
-CJEU held that the household exemption in Article 3(2) of the previous Directive should be narrowly construed.
-The case involved the use of a security camera for a private residence that captured images of a public footpath outside the home.
-CJEU ruled that the processing of personal data for the purposes of domestic CCTV was not a purely personal or household activity, in contrast with correspondence and the keeping of an address book.
-Case highlights the limitations of the household exemption when personal data is made accessible to the public.
What is a competent authority?
-Any public authority responsible for preventing, investigating, detecting, or prosecuting criminal offences or executing criminal penalties, including safeguarding against and preventing threats to public security.
-Any other body or entity entrusted by Member State law to exercise public authority and public powers for the same purposes.
Examples:
Police
Prosecution authorities
Courts
Offender support services
Key Point: Competent authorities can be subject to both the GDPR and the LED, depending on the purpose of data processing.
What is the Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Schrems II) case about?
-Judgement: The CJEU held that the transfer of personal data between two commercial parties (e.g., Facebook Ireland to Facebook Inc.) for commercial purposes cannot be excluded from the scope of the GDPR, even if the data might later be processed for public security, defence, or state security by authorities in a third country.
-Importance: This judgement clarifies that the GDPR applies to data transfers between commercial entities, regardless of potential future processing by public authorities for national security purposes.
What is the guidance on the ePrivacy Directive and GDPR?
Guidance: The European Data Protection Board (EDPB) issued Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR.
Key Points:
-Overlap: There is an overlap in material scope between the ePrivacy Directive and the GDPR, but this does not lead to a conflict.
-Complementary: Article 1(2) of the ePrivacy Directive states that its provisions particularise and complement the GDPR.
-Specific Rules: The ePrivacy Directive provides more specific rules in certain areas, such as telecommunications traffic data and storing information on an end user’s device.
-Precedence: In cases where the ePrivacy Directive has specific provisions, these take precedence over the more general provisions of the GDPR.
-Remaining Subject: Any processing of personal data not specifically governed by the ePrivacy Directive remains subject to the GDPR.
-Importance: The EDPB guidance clarifies how the ePrivacy Directive and GDPR work together, ensuring consistency and avoiding conflicts between the two regulations.