The European Data Protection Board adopted a final version of the Guidelines on Territorial Scope (Guidelines) on 12 November 2019. The Guidelines are intended to set out a common interpretation of the EU General Data Protection Regulation (GDPR) for data protection authorities in the EU when determining whether or not processing of personal data by companies or organisations outside the EU falls within the scope of the GDPR.
As a recap, the GDPR applies to the processing of personal data by an organisation that is outside of the EU where:
- They process personal data in the context of an "establishment" in the EU. This means that an organisation will be subject to the GDPR if it has a stable presence in the EU over which it has real and effective control, and processes personal data in the context of that stable presence. The threshold here can be quite low - a single employee in the EU could be enough to constitute an establishment and it is irrelevant whether the processing takes place in the EU or not (although see our comments below regarding employees and establishments)
- They process personal data of individuals within the EU and that processing relates to offering goods or services to those individuals or monitoring the behavior of those individuals in the EU.
The Guidelines are generally consistent with the draft version that we have commented on before. However, the Guidelines provide a few additional examples and clarifications. Of particular note:
- While the presence of a single employee in the EU could be enough to constitute an establishment, the relevant processing needs to be carried out in the context of that employee's activities (ie where processing relates to activities outside of the EU, the presence alone of an employee within the EU doesn’t necessarily mean that the GDPR applies to that processing). This means that, for example, an employee working remotely for a New Zealand organisation while on holiday in Spain, won't be enough for the GDPR to apply
- If some aspects of an organisation's processing activities fall within the scope of the GDPR, that doesn’t mean that all of the organisation's processing activities are subject to the GDPR. The Guidelines stress that the GDPR's territorial reach needs to be considered in the context of each particular processing activity. So, for example, the Guidelines indicate that, if a New Zealand organisation targets customers in the EU, then the GDPR may apply in relation to the relevant EU customer data, but the GDPR doesn’t necessarily apply to the organisation's New Zealand-based employees' data. However, this distinction is only likely to be useful to organisations to the extent that they can actually isolate certain sets of data
- The GDPR applies to the intentional targeting of individuals in the EU, and not where an organisation is inadvertently or incidentally offering goods or services to individuals in the EU. The Guidelines state that this means that if the processing relates to a service that is only offered to individuals outside the EU but the service is not withdrawn when those individuals enter the EU, the related processing will not be subject to the GDPR. For example, the Guidelines suggest that, if a New Zealand based energy company has a customer that moves to France, but that customer maintains their energy account in New Zealand so that they can rent out their house on Airbnb, then the GDPR doesn’t necessarily apply to that customer's personal data.
The extra-territorial reach of the GDPR has always been one of its more vexing and vague aspects, so the further clarity and examples provided by the final version of these Guidelines is helpful – though there will remain several judgment calls for New Zealand organisations to make. While of course there may be some practical limitations to enforcing the GDPR in New Zealand, there are nevertheless both legal and reputational risks relating to non-compliance. To the extent they have not already done so, organisations that believe that they may hold any personal data of an EU citizen would be wise to carefully consider (and to take legal advice) whether they are caught by the GDPR in respect of any aspects of their uses of personal data.