Post on 22-May-2020
www.iapp.org
GDPR Triggers — Exploring Jurisdictional Scope
September 14, 2017
Time: 11:00 a.m. – 12:30 p.m. ET, 3:00 – 4:30 p.m. UTC
Program Outline
I. Welcome and Introductions
II. Context: Where We Currently Stand with the Directive
III. Context: What's New Under the GDPR
IV. Hypothetical Scenarios
    I. Scenario 1: Non-EU based company, online sales, small incidental sales to EU customers
    II. Scenario 2: Non-EU based company with retail stores outside the EU, small incidental sales to EU customers
    III. Scenario 3: Non-EU based company, online sales, EU based processor
    IV. Scenario 4: HR data processed outside of the EU, with EU employees potentially in the system
V. Summary Remarks
VI. Resources – Links for More Information
VII. Questions from the Audience
VIII. Closing Remarks
Welcome & Introductions
Panelists:
Phil Lee, CIPP/E, CIPM, FIP
Partner, Privacy, Security and Information Practice, Fieldfisher, London
Ruth Boardman
Co-head, International Data Protection Practice, Bird & Bird LLP, London
Host:
Dave Cohen, CIPP/E, CIPP/US
Knowledge Manager, IAPP
Context: Where We Currently Stand with the Directive
Quick recap: Legal applicability rules under the Directive (1)
• Law in effect until 25 May 2018 = Data Protection Directive (95/46/EC)
• Law in effect from 25 May 2018 = General Data Protection Regulation (2016/679)
• Each has rules determining when they apply – note: these are not the same!
• Directive focuses on establishment and equipment.
• GDPR focuses on establishment, offering goods and services, and monitoring.
RIP Data Protection Directive (1995-2018)
Quick recap: Legal applicability rules under the Directive (2)
• The establishment test (Art 4(1)(a)):
  • Applies where "processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State"
  • i.e. if an EU-based subsidiary or branch has decision-making power over the data, then the Directive applies.
• The equipment test (Art 4(1)(c)):
  • Applies where "the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State"
  • i.e. if the business is outside the EU but uses EU-based data processing equipment, then the Directive applies.
FAQs about applicability under the Directive
• Question: Does the Directive apply to an EU business which only processes data about non-EU data subjects?
  • Answer: Yes!
• Question: Does the Directive apply to a non-EU business which only processes data about non-EU data subjects but which uses EU servers to do so?
  • Answer: Yes!
• Question: Does the Directive apply to a non-EU business which only processes data about non-EU data subjects but which uses an EU processor to do so?
  • Answer: Yes! (Probably.)
• Question: Does the Directive apply to a non-EU business which only uses non-EU equipment to process data about EU data subjects?
  • Answer: No! (But beware of cookies?)
Context: What's New Under the GDPR
1. Processing in the context of EU establishments
(Slide diagram: Controller and Processor; US and India)
Wide concept of establishment; 'in the context of' – see Google Spain
2. Processing personal data of data subjects who are in the Union
Offering goods/services to DS in the EU
• No need for payment
• Is it 'apparent' that the controller 'envisages' doing this?
Monitoring behaviour of DS in the EU
• Tracking on the internet
• Processing to take decisions concerning DS, including re: personal preferences
Hypothetical Scenarios
Scenario 1: Non-EU based company, online sales, small incidental sales to EU customers
Audience polling question
You are the CPO for a US-based online store which attracts only incidental EU customers (<1% of sales).
Your CEO has asked you if the business needs to get "GDPR-ready". Does the GDPR apply to you?
(A) Yes
(B) No
(C) Don't know
You are the CPO for a US-based online store: what if you have incidental EU sales? (1)
Applicability criteria / Analysis
Limb 1: Is the processing "in the context of the activities" of an establishment of a controller or processor in the European Union? (Art 3(1), Recital 22)
• No.
Limb 2: Are you offering goods and services to data subjects in the European Union? (Art 3(2)(a), Recital 23)
• Website localisation? (Domain names, language, other?)
• Acceptance of EU currencies?
• Delivery to EU addresses?
• E-mail registrants – service v marketing e-mails?
Limb 3: Are you monitoring the behaviour of data subjects in the European Union? (Art 3(2)(b), Recital 24)
• Use of targeting / retargeting platforms?
You are the CPO for a US-based online store: what if you have incidental EU sales? (2)
• Conclusion: Maybe!
• Many different factual considerations to take into account. "Mere accessibility" is not enough; consider other "nexus" to European data subjects.
• Even if technically subject to GDPR, may be low risk to proceed as if GDPR does not apply (at least until EU sales become more substantial or other risk triggers arise, e.g. complaints)
• Risk-based decisions need to be weighed up against likelihood of risk crystallizing vs compliance overheads, e.g. appointment of EU representative, compliance with GDPR fair processing requirements, vendor terms, data export rules etc.
• What did you think?
Audience polling question – RESULTS!
You are the CPO for a US-based online store which attracts only incidental EU customers (<1% of sales).
Your CEO has asked you if the business needs to get "GDPR-ready". What did you answer?
Hypothetical Scenarios
Scenario 2: Non-EU based company with retail stores outside of EU, small incidental sales to EU customers
You are the CPO for a chain of stores in the US – what if EU nationals shop in store?
• You have no EU establishment – limb one does not apply
• Limb two:
  • Processing personal data of data subjects in the EU – your shoppers are not in the EU
  • What about when they return to the EU? Is it 'apparent' that you 'envisage' processing their data?
• What if you ask for the customers' email addresses to send invoices?
  • Same analysis
• What if you also send promotional follow-ups?
  • Is it apparent that you intend to sell to individuals in the EU?
  • Do you send EU-focussed marketing – currency / language / references to EU customers?
  • Do you monitor their behaviour (email opening analysis…)?
Hypothetical Scenarios
Scenario 3: Non-EU based company, online sales, EU based processor
Audience polling question
Back to scenario 1 (US online store with incidental EU business): you took a risk-based decision that GDPR compliance was not necessary. Almost all of your data comes from the US, with very few EU sales.
However, you've just learned that for cost reasons the business now wants to host all data collected through the site on an instance with Awesome Web Services in Ireland. Your CEO asks if this will make you subject to the GDPR. What do you answer?
(A) Yes
(B) No
(C) Don't know
You are the CPO for a US-based online store: what if you host the data in the EU? (1)
Applicability criteria / Analysis
Limb 1: Is the processing "in the context of the activities" of an establishment of a controller or processor in the European Union? (Art 3(1), Recital 22)
• Unclear. Is the processing "in the context of the activities" of the US controller (i.e. this limb does not apply) or the EU processor (i.e. this limb does apply)?
• Even if the controller is not directly subject, the processor will be – with indirect compliance consequences for the controller.
Limb 2: Are you offering goods and services to data subjects in the European Union? (Art 3(2)(a), Recital 23)
• See previous analysis.
Limb 3: Are you monitoring the behaviour of data subjects in the European Union? (Art 3(2)(b), Recital 24)
• See previous analysis.
You are the CPO for a US-based online store: what if you host the data in the EU? (2)
• Conclusion: Maybe!
• Unclear legal test re whose "activities" we refer to. Need guidance from the DPAs.
• Even if technically subject to GDPR, may be low risk to proceed as if GDPR does not apply. Note, though, that the EU-based processor may try to "flow up" some compliance responsibilities through Art 28 vendor terms.
• What did you think?
Audience polling question – RESULTS!
Back to scenario 1 (US online store with incidental EU business): you took a risk-based decision that GDPR compliance was not necessary. Almost all of your data comes from the US, with very few EU sales.
However, you've just learned that for cost reasons the business now wants to host all data collected through the site on an instance with Awesome Web Services in Ireland. Your CEO asks if this will make you subject to the GDPR. What do you answer?
Hypothetical Scenarios
Scenario 4: HR data processed outside of the EU, with EU employees potentially in the system
You are the CPO for a financial services company with EU staff
• You are about to move to a centralized HR system, giving your HQ more access to EU staff data – will GDPR apply directly to head office?
  • You have an establishment in the EU
  • Google Spain: the data is likely being processed in the context of the activities of the EU establishment, so the rules apply directly
  • Data transfer rules: your EU entities will require you to agree to follow EU rules in any event
• You have a central IT function which, inter alia, provides security services including for your EU entities
  • Some information security activities (e.g. DLP) will be considered to be monitoring of behaviour, triggering GDPR
Summary Remarks
When the GDPR definitely applies
• Hypotheticals give the more challenging examples.
• In many (most?) cases, will be much clearer if GDPR applies.
• GDPR will always apply if:
• You are a business established in the EU.
• You are (intentionally) offering goods and services into EU markets.
• You are using ad tech to run targeted advertising campaigns in the EU.
Resources
• Bird & Bird GDPR Guide
• Bird & Bird GDPR Tracker
• Fieldfisher Privacy, Security and Information law blog
• Fieldfisher iOS app (Android version coming soon)
• Fieldfisher "Everything you need to know about the GDPR in Under 60 Minutes" video
Questions & Answers
Panelists:
Phil Lee, CIPP/E, CIPM, FIP
Partner, Privacy, Security and Information Practice, Fieldfisher, London
Phil.Lee@fieldfisher.com
Ruth Boardman
Co-head, International Data Protection Practice, Bird & Bird LLP, London
Ruth.Boardman@twobirds.com
Host:
Dave Cohen, CIPP/E, CIPP/US
Knowledge Manager, IAPP
dave@iapp.org
THANK YOU!
To our speakers, and to all of you in the virtual audience.
Web Conference Participant Feedback Survey
Please take this quick (2 minute) survey to let us know how satisfied you were with this program and to provide us with suggestions for future improvement.
Click here: http://www.questionpro.com/t/AL2CRZaktH
Thank you in advance!
For more information: www.iapp.org
Attention IAPP Certified Privacy Professionals:
This IAPP web conference may be applied toward the continuing privacy education
(CPE) requirements of your CIPP/US, CIPP/E, CIPP/G, CIPP/C, CIPT or CIPM
credential worth 1.0 credit hour. IAPP-certified professionals who are the named
participant of the registration will automatically receive credit. If another certified
professional has participated in the program but is not the named participant then
the individual may submit for credit by submitting the continuing education
application form at submit CPE credits.
Continuing Legal Education Credits:
The IAPP provides certificates of attendance to web conference attendees.
Certificates must be self-submitted to the appropriate jurisdiction for
continuing education credits. Please consult your specific governing body’s
rules and regulations to confirm if a web conference is an eligible format
for attaining credits. Each IAPP web conference offers either 60 or 90 minutes of
programming.
For questions on this or other IAPP Web Conferences or recordings please contact:
Dave Cohen, CIPP/E, CIPP/US
Knowledge Manager
International Association of Privacy Professionals (IAPP)
dave@iapp.org
603.427.9221