The General Data Protection Regulation (EU regulation 2016/679) comes into force on May 25, 2018. It applies to all processing, whether automated or not. The most extraordinary part of the regulation, however, is its territorial field of application. Many believed that the virtual world had wiped out borders, the biggest players in the internet world having developed a range of arguments, in particular in tax matters, to escape from local legislation. Europe therefore decided to set the record straight. The message is clear: whether you are in America, in Asia or elsewhere, you must comply with the rules when processing the personal data of European residents. The high cost of the sanctions means that this new legal framework must be taken very seriously. The maximum fine has been fixed at 4% of turnover for the preceding year, which is 2017 for any businesses that are sentenced in 2018. For example, the maximum risk for the GAFAs, if they do not comply with the Regulation, could be estimated as follows: for Amazon, 7.1 billion for turnover of around 178 billion (higher than the profit…); for Apple, 5.6 billion for a turnover of around 141 billion; for Google, 4 billion for a turnover of around 100 billion; and for Facebook, 1.28 billion for a turnover of around 32 billion (in dollars).
The limited territorial field of application of the preceding directive
European directive 95/46EC of October 24, 1995, transposed in France by law n° 2004-801 of August 6, 2004, updated the French data protection act (loi Informatique et Libertés) 78-17 of January 6, 1978.
The Directive may of course apply to Data Controllers who are not established on the territory of the European Union, but it obliges them to use a means of processing situated in the territory of the European Union.
It came to light that many processors were managing to avoid the European data protection regulations on the basis of the extraterritoriality of their processing.
For many years Google claimed that the data it collected in France and in Europe were not governed by French regulations but by Californian regulations since the company and its servers were based in California.
As the aim of the European Commission is to protect personal data, the new Regulation should rectify this shortcoming.
The extraterritorial field of application of the Regulation
Starting from May 25, 2018, the European Regulation will be applicable to all processing of personal data for which the Data Controller or the Data Processor (in general the IT service provider) is established in the European Union, irrespective of whether or not the processing itself takes place within the European Union.
The Regulation also provides for its application in cases where the Controller or Processor are not established in the European Union when the processing targets a data subject situated in the European Union, irrespective of the nationality of the person concerned.
Controllers or Processors established in the European Union
The notion of establishment is not defined in the Regulation. It has been interpreted extensively by the French and European courts, which give priority to a functional analysis based on the effective and real exercise of activity through a stable arrangement.
Establishment has already been judged to exist through the presence in the Member State concerned of a representative, a bank account and a letter box (CJEU October 1, 2015, Weltimmo).
Furthermore, the legal form of such an establishment is not decisive. Consequently, the processing of personal data carried out by a simple branch of a non-European Controller, even one which has no legal personality, must be carried out in accordance with the Regulation.
Controllers or Processors not established in the European Union
When the Controller or Processor is not established in the European Union and has no establishment there, the Regulation applies when the processing relates to persons situated in the European Union and when the processing activities are linked to an offering to, or the monitoring of, internet users in the 28 countries making up the European Union, comprising 520 million inhabitants, namely:
- (i) To the offering of goods or services destined to these persons, whether these services are free or paying services
The Regulation does not contain any definition of the offering of goods and services but it provides indications making it possible to characterise such an offering (whereas clause n°23), such as the use of the language or currency generally used in one or more Member States with the possibility of ordering goods and services in this language or even the mention of clients or users situated in the European Union.
However, the mere accessibility of a website, e-mail address or other contact details is insufficient to ascertain this intention.
In other words, it is necessary to check the intention of the Data Controller with regard to the persons concerned. Did he intend to offer goods or services to the persons concerned in the European Union or not?
- (ii) To the monitoring of the behaviour of these persons, if this behaviour takes place in the European Union.
In particular, the Regulation provides for the profiling of a natural person in order to make decisions concerning him/her or to analyse or predict his/her personal preferences, behaviour and attitudes.
These two conditions (i) and (ii) are alternative and not cumulative.
What about the transfer of the personal data outside the European Union?
In principle, the transfer of personal data outside the European Union is prohibited. The aim is to protect personal data against data havens which apply more flexible regulations in this respect.
There are many exceptions to the principle:
- Transfer of data towards countries belonging to the European Economic Area
These countries have signed an agreement with the European Union through which they have adopted personal data protection regulations.
- Transfer of data towards countries with an adequacy agreement
Certain countries are recognised by the European Union as having regulations on the protection of personal data that are equivalent to European regulations.
- The transfer of data towards countries that have signed standard contractual clauses or BCR (“Binding Corporate Rules”)
These are countries for which no adequacy decision has been made or which have no personal data protection regulations. The idea is therefore to establish contractual rather than legal protection for data through standard clauses or an agreement within a group of companies.
Standard contractual clauses
Standard clauses have been drafted by the European Commission and are accessible via its website. These are agreements concluded between the Data Controller and the Processor established abroad, either in the framework of an IT service agreement or in the context of the sending of personal data to a group subsidiary or entity.
Currently, the Data Controller may obtain authorisation from the national regulatory authority (CNIL in France) before using these clauses. This request for authorisation will be discontinued as of May 25, 2018.
Binding Corporate Rules (BCR)
BCR concern groups of companies exclusively. A charter is adopted within the group under the terms of which all the group subsidiaries and entities undertake to comply with the European data protection regulations.
Once the charter has been drafted, it is submitted for authorisation to the European data protection authorities via a mutual recognition system.
This request for authorisation will be maintained after May 25, 2018.
- Transfer of personal data towards the USA: the “Privacy Shield” system
This is an international agreement between the European Union and the American Federal Trade Commission (FTC) which American companies are free to adhere to. Under the terms of this agreement, the FTC undertakes to ensure that the companies that sign up to this system comply with the data protection rules contained in this international agreement.
To conclude, the aim of the European Regulation on the protection of personal data is to apply to companies all around the world which process the personal data of European residents.
It puts an end to the hide-and-seek of forum shopping which, for all services supplied on-line, made it possible to choose the most favourable and least strict country to develop a company’s economic model.
The level of sanctions removes any doubt as to the firmness with which this new framework is going to be implemented. It generates risks that can hardly be considered as minor.
It requires an in-depth thought process and the implementation of a compliance project for any company that uses the personal data of persons situated in one of the 28 European Union countries comprising 520 million inhabitants.
The author of this post is Thierry Aballéa.