Still Confused About GDPR? The EU Thought So

In late November, the European Data Protection Board (EDPB) issued draft guidelines to help -- at least a bit -- entities outside the EU define their responsibilities and obligations under the EU’s General Data Protection Rule (GDPR). Since GDPR took effect in May, enterprises worldwide that held or hold private information belonging to EU citizens (yes, I know that based on the day, who is and isn’t an EU citizen is a bit of a moving target) and visitors (known as "data subjects") have had to either take prescribed steps to avoid rules violations or simply be nervous that they might be caught non-compliant and forced into massive penalties and subsequent costly remediation.

The new guidelines are divided into four dryly-written sections. The new document provides guidance Articles 3(1), 3(2) and 3(3) of the GDPR itself, while the final section adds clarification about non-EU entities’ need to appoint a representative within the EU for those controllers and processors (both terms of art, as I explain in a previous No Jitter post, “Get Ready for GDPR”) that aren’t EU-based. To its credit, however, it does provide real and practical examples throughout.

Specifically, Article 3(2) addresses the application of GDPR to entities that don’t have an EU “establishment.” These guidelines emphasize the consideration of whether the targeted individuals are physically within the EU (regardless of nationality, residency, or legal status), and whether the processing relates to offers made to these EU-tied parties within the EU. But what’s most critical in the guidance document is how the collected, stored, or processed data is to be used. The intended use, in fact, will be the triggering event for the imposition of weighty (some might say “burdensome”) GDPR regulation and scrutiny.

The critical information in these guidelines for the purpose of non-EU entities concerned about GDPR compliance is this: not all online collection or analysis of personal data of individuals in the EU counts as “monitoring.” Why an entity is collecting information determines whether the controller’s purpose in processing the data triggers more rigorous GDPR compliance.

The guidelines offer two critical definitions: “targeting by offering goods and services” and “targeting by monitoring behavior.” The guidance document indicates that a controller or processor with no establishment in the EU must show a clear intention of doing business with EU customers to be considered “targeting” individuals in the EU with goods or services.

According to the original guidance, “a controller or processor is ’targeting‘ individuals in the EU by monitoring their behavior(s) if the monitored behavior (i) relates to an individual in the EU and (ii) takes place in the EU.” The EDPB offers several criteria to consider when making this determination (e.g., behavioral advertising, geo-localization activities, online tracking using cookies, CCTV, and so forth). However, the EDPB does not hold that all online collection or analysis of personal data of individuals in the EU counts as “monitoring.” Rather, it is necessary to consider the controller’s purpose in processing the data, and particularly any behavioral analysis or profiling techniques used.

One additional element of interest. The last section (Article 3(4)) addresses those circumstances that require the presence of an EU-based representative who isn’t the entity’s data protection officer. For more information on these requirements, visit the guidance document.

One final note. The EDPB is soliciting comments on the draft guidelines through Jan. 18, 2019. You can direct yours to [email protected].