Almost exactly a year after publishing its draft version, the EDPB has adopted its final guidelines on Article 3 of the GDPR and the extra-territorial scope of the legislation. The adopted guidelines don’t differ substantially from the consultation draft but include a number of clarifications and new examples. Some of the key takeaways are:
- Article 3 aims to determine whether a particular processing activity is within the scope of the GDPR and not whether an entity is within the scope of the GDPR (i.e. a non-EU controller can be caught with respect to some data and processing but that does not necessarily mean the entire organisation and all its data is subject to the GDPR);
- Article 3(2) only covers processing where the controller or processor is intentionally targeting individuals; inadvertent or incidental contact with data subjects within the European Union is not enough to trigger this Article (i.e. confirmation that the capture of non-EU people’s data whilst they happen to be on holiday in the EU is probably not going to trigger Article 3(2)); and
- A new section of guidance concludes that where a controller is considered under Article 3(2) to be “targeting” data subjects in the European Union, any processor engaged by the controller in respect of such processing will also be caught by Article 3(2) and therefore subject to the GDPR (i.e. one of the few examples of when a processor can be caught by Article 3(2)).
Whilst helpful to have the final guidance, it is important to note that further clarity is still required in some areas, in particular the interplay between international data transfers and the scope of Article 3.
The UK Government has published a “no deal” note to clarify how data protection law will work in the event that the UK leaves the EU without a deal. The note confirms that separate draft regulations and more detailed guidance will be published in the next few weeks but, in the meantime, it clarifies at a high level a number of key issues for organisations both within the UK and outside but doing business with the UK.
The UK data protection regulator, the Information Commissioner’s Office (ICO), has issued its first enforcement notice under the EU’s new strict data protection law, the General Data Protection Regulation (679/2016/EU) (GDPR). The notice is particularly noteworthy because it has been issued against a company located in Canada, which does not appear to have any presence within the EU.
Not only is it the first extra-territorial notice issued by the ICO under the GDPR, but it is the first action ever taken by the ICO against an entity outside the UK. It is understood that the notice is being appealed. The extraterritorial reach of the GDPR is as yet untested and, without any regulatory guidance as to interpretation, how that appeal plays out may be an early indicator as to the issues that could arise in extra-territorial enforcement under the GDPR.
We are living in an increasingly interconnected digital society where the services of many organisations are global in nature, and yet internet activities are still being tackled by national laws and regulations. The online world does not respect physical or geographical boundaries, often giving rise to the question of which law is applicable in the case of online activities. In the data protection and privacy space, the new General Data Protection Regulation (“GDPR”) seeks to tackle this online transnational data and privacy issue through its extra-territorial application.