European Data Protection Board: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)—Version for public consultation (Nov. 16, 2018)
The European Data Protection Board (EDPB) has issued guidelines—for public consultation—regarding the territorial scope of the General Data Protection Regulation (GDPR). The GDPR imposes requirements on data controllers and processors regarding the processing of personal data. A controller is a person or entity who, alone or jointly with others, determines the purposes and means of processing personal data. A processor is a person or entity who processes personal data on behalf of a data controller. Two main criteria determine the territorial application of the GDPR. Under the establishment criterion, the GDPR applies to data controllers and processors with an establishment in the European Economic Area (EEA), whether or not the processing itself takes place in the EEA. The GDPR also applies extraterritorially—under the targeting criterion—to an entity established outside the EEA that processes data related to (a) the offering of goods or services to data subjects located in the EEA, regardless of whether payment is required, or (b) the monitoring of data subjects’ behavior in the EEA.
The guidelines elaborate on the GDPR through textual analysis and a series of examples. In an example addressing the establishment criterion, a company headquartered in the U.S. maintains a wholly owned branch in the European Union (EU) overseeing its European operations, including marketing and advertising. The guidelines conclude that the branch could be considered an establishment in the EU, since it is a stable arrangement carrying out real and effective economic activity on behalf of the company. The guidelines also emphasize that under the targeting criterion, a data controller or data processor is not necessarily outside the GDPR’s scope merely because it lacks an establishment in the EU. Although this criterion focuses on the location of a data subject within the EU—regardless of the individual’s citizenship, residence, or other legal status—the element of targeting (either by offering goods or services, or monitoring behavior) must also be present. In one example, a U.S. citizen traveling in Europe downloads and uses a news app exclusively directed at the U.S. market; collection of the individual’s personal data by the U.S. company is not subject to the GDPR. In another example, a company located outside the EU is not considered to be targeting data subjects in the EU when it processes personal data to pay the salaries of its employees who reside in EU countries, because human resource management—including salary payments—is not considered an offer of services within the meaning of the GDPR (but the example cautions that the analysis is without prejudice to the applicable law of the country where the company is located).
EBIA Comment: The GDPR created a stir when it took effect in 2018, and uncertainty remains as to its application to U.S. employers with offices or employees in Europe. Employers seeking to understand their obligations will welcome any guidance, and may want to discuss these guidelines with their legal counsel. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIV.I (“Transferring PHI Outside the United States”) and XXXIV.K (“European Economic Area’s General Data Protection Regulation (GDPR)”) and EBIA’s Self-Insured Health Plans manual at Section V.F (“European Economic Area’s General Data Protection Regulation (GDPR)”). See also EBIA’s Cafeteria Plans manual at Section XVII.K (“European Economic Area’s General Data Protection Regulation (GDPR)”) and EBIA’s Consumer-Driven Health Care manual at Section XXV.H.3 (“European Economic Area’s General Data Protection Regulation (GDPR)”). You may also be interested in our upcoming webinar “What Is GDPR and How Does It Impact U.S. Health Plans?” (live on 1/17/19).
Contributing Editors: EBIA Staff.