A personal opinion by Paul Gillingwater @ Chaucer, MBA, CISM, CISSP
The table below presents personal views on the scope of GDPR for various situations.
This opinion is based on Article 3 (Territorial Scope), Article 77, Recital 23, and many others.
| | Natural Person ordinarily resident in the EEA/EU | Natural Person not ordinarily resident in the EEA/EU | Natural Person formerly resident in the EEA/EU, but presently non-resident |
|---|---|---|---|
| Data Controller resident in the EEA/EU | Full GDPR scope. Data subject has full rights. Data Controller has full obligations. | Limited GDPR scope. Data subject has limited rights. | Limited GDPR scope. Data subject has limited rights. |
| Data Controller not resident in the EEA/EU | Full GDPR scope. Data subject has full rights. Data Controller has full obligations. | No GDPR scope. Data subject has only the rights of their local privacy law. | Very limited scope, only if personal data was previously collected and is still maintained. |
Here are some notes on points which may not be clear. I’ve attempted to model the six different situations that can arise in the relationship between Data Controllers and Data Subjects.
Limited rights for certain circumstances
The big question for many will be: why are rights limited for data subjects under certain circumstances?
Here’s my reasoning. If a data subject is not ordinarily resident within the EEA/EU, but they have personal data being processed by a Data Controller that is based in the EEA/EU, then they do not have the full rights of a data subject who is resident.
Why not? Because of the fact that by not being resident in the EEA/EU, they don’t have a locally-accessible Data Protection or Supervisory Authority to whom they can address complaints.
Specifically, they cannot invoke Articles 77, 78, 79 and 80, which relate to their ability to lodge a complaint or obtain a judicial remedy.
Article 77 states: “Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.”
The first part of Article 77 strongly implies this right is restricted to a resident of an EEA/EU Member State – although the latter part suggests that the country of infringement may be sufficient.
I think this will be finally decided when some test cases are lodged, but suspect they will fall at the first hurdle, i.e. lack of jurisdiction.
Courts are likely to argue that non-EEA/EU residents should in the first instance seek redress under their local privacy laws. Courts are even less likely to support judicial remedies against supervisory authorities, data controllers or data processors (Arts. 78, 79). Recital 141 also supports this view, since it mentions only the Member State of habitual residence and omits the country of infringement.
Resident or non-resident
Regardless of whether these rights are exercisable by a non-EEA/EU resident, it seems unlikely that Data Controllers will discriminate between customers who are (or have been) resident in the EEA/EU, and those who are not, as it’s easier to provide a single unified process for customers wishing to exercise their rights under Articles 15-22.
So I would argue that the rights of the non-EEA/EU resident are limited, but the obligations of the Data Controller to document and protect the personal data of the data subject remain unchanged compared to that of residents.
I’ve also considered the situation where a resident changes to a non-resident. If the Data Controller holds any personal data on a data subject, that was collected while the person was resident in the EEA/EU, then those rights do not change when the data subject becomes a non-resident. In effect, they’ve left behind a data ghost (in the machine), which acts as a placeholder for their exercise of rights.
Of course, the simple case where the data subject is resident, but the Data Controller is not resident, is covered by Article 3(2), and specifically Recital 23.
Extract from Recital 23: “In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”
“Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
Is enforcement possible?
Regarding enforcement, there are a number of options to go after non-EEA/EU businesses, even if they don’t have a subsidiary in the EEA/EU, according to Linda V. Priebe, a partner at Culhane Meadows, and former deputy legal counsel at the Office of Drug Policy at the White House.
“For U.S. companies that have a physical presence (establishment) in the EU, which increasingly they do, the GDPR can be enforced directly against them by EU member state authorities,” Priebe says. “EU authorities have been aggressively pursuing data protection enforcement actions against U.S. companies with locations in the EU for a number of years.”
But things get a little murkier for U.S. companies without a physical presence in the EU. According to Priebe, GDPR addresses this issue “by requiring companies without an establishment in the EU … to designate a ‘representative’ located in the EU.”
“This won’t apply to every U.S. business — just the ones that are knowingly, and actively, conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if a U.S. company was purposely collecting EU resident data and subverting GDPR compliance. So, in some cases, the inadvertent collection of personal data will be forgiven if it is found to have been occasional and ‘unlikely to result in a risk to the rights and freedoms of natural persons.’”
She continues: “While we don’t yet have U.S.-EU negotiated civil enforcement mechanisms for the GDPR (and it is unknown whether we ever will), there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies, which have been increasing in recent years.”
The bottom line
The bottom line is that Data Controllers should by default offer the same rights to non-residents as they offer to residents; however, some judicial remedies may not be available to EEA/EU non-residents.
Furthermore, Data Controllers who are themselves non-resident should carefully consider the reach of supervisory authorities, especially in an enforcement situation. And finally, international legal agreements mean that US courts are likely to help enforce judgments against US companies found to be violating GDPR after 25th May 2018.
Are you willing to take the risk to not be compliant?