On 23 November 2018, the European Data Protection Board published its draft guidelines on Article 3 of the GDPR, being the provision that sets out the territorial scope of Europe’s data protection legislation.
The GDPR seeks (via Article 3) to extend its reach beyond European borders, making non-EU organisations directly subject to its obligations when processing personal data either:
- in the context of an establishment of a controller or a processor in the EU; or
- relating to the offer of goods or services to individuals in the EU; or
- relating to the monitoring of the behaviour of individuals as far as their behaviour takes place in the EU.
The emphasis highlighted above demonstrates the broad drafting of the legislation and potentially extremely wide application of the GDPR to organisations located outside of the EU. This has left many organisations worldwide in a state of uncertainty as to the fundamental application of this important legislation to their activities. Guidance on Article 3 is therefore long overdue.
The draft guidelines published on 23 November 2018 are open for consultation, with interested parties being given until 18 January 2019 to provide comments. However, even in their current draft state, the guidelines give invaluable insight into the European regulators’ view on interpretation of Article 3 and go some way to clarifying key questions regarding the application of the GDPR.
For further details, see our Data Protection Update here.