BRUSSELS PRIVACY HUB
Implementation of the GDPR: Territorial Scope¹
Lina Jasmontaite, Brussels Privacy Hub, LSTS, VUB
On 8 March 2016 the Brussels Privacy Hub launched a series of workshops that identify a number of issues pertinent to the Implementation of the GDPR. The series aims to provide a platform for a diverse group of stakeholders to discuss the practical and theoretical challenges brought by the General Data Protection Regulation (GDPR). The first workshop took place at the Institute of European Studies, the Vrije Universiteit Brussel. The workshop considered the territorial scope of the updated EU data protection framework as foreseen in Article 3 of the GDPR.
The territorial scope of the GDPR has been extended in comparison to the repealed Data Protection Directive. It now applies to personal data processing operations of EU-based controllers and processors and of non-EU-based controllers and processors, if they (a) offer any goods or services to data subjects in the Union and (b) monitor data subjects’ behaviour as far as their behaviour takes place within the Union. Taking into consideration the text of the new provision, the invited data protection experts and practitioners identified the following challenges:
Enforcement: Participants recognised that the provision on territorial scope and its consistent enforcement are at the core of the GDPR's success. It was suggested that EU jurisdiction will overlap with other jurisdictions and that the actual global reach of the GDPR may depend on the teeth of data protection authorities (DPAs). While the enforcement actions of some DPAs are constrained by available resources, it can be anticipated that a few DPAs will initiate actions outside their primary jurisdiction. It was noted that even though the current provision entails challenges for consistent enforcement, the legislator considered the GDPR to be a standard setter for companies targeting the EU market and citizens.
International cooperation: Some participants pointed out that while the GDPR protects the EU fundamental rights to protection of personal data and privacy, it should entail certain limits. Perhaps the boundaries could be defined by CJEU case law or by data protection regulators in the near future. Finally, some participants observed that Article 3.2 overcomes thinking in terms of “cables” provided in Article 4.1(c) of the Data Protection Directive. Indeed, maybe Article 3 of the GDPR should be regarded as an enabler for international cooperation of data protection authorities across the globe.
Participants also contemplated the way the GDPR builds on CJEU case law and further explains the notion of “establishment”, the impact of the wording “in the EU” and the monitoring of data subjects’ behaviour. Some speakers recognised that the complexity embedded in the provision on territorial scope may prevent companies from engaging in business in the EU. Therefore, it is important to provide more guidance on the way this provision should be implemented.
The report is based on the notes of participants; Lina Jasmontaite did not take part in the workshop.