How To Determine If Europe’s GDPR Law Applies to a U.S.-based Retail Business

3/4/2019
Many American companies have been grappling with the question of whether they are subject to the EU’s General Data Protection Regulation (GDPR), the strict consumer data privacy regime that took effect on May 25, 2018. Retailers are no exception.

We are now starting to get a better sense for exactly who is affected, thanks to the European Data Protection Board (EDPB), the European regulator, which issued guidelines for public comment late last year on the territorial scope of GDPR.

The results may be surprising to some business leaders. Based on the guidelines, even entities with no physical presence, (or “establishment”) in the EU may be subject to some of the GDPR’s provisions if they offer products to customers in the EU or “direct” an activity to the EU market. Accepting payment for services is not required for entities to fall within the scope of the law.

The first question you may have is “What exactly does it mean to have an ‘establishment’ in the EU, and do I have one?”

The following are key takeaways on that and related questions from the EDPB guidelines.

Do you have an ‘establishment in the Union’?
• If you have a physical store selling goods in an EU country, that’s clearly an establishment. But you could be also deemed to have an establishment in the Union (and be subject to GDPR) even if you do not have a branch, or a subsidiary in an EU member state.

• Any real and effective activity, even a minimal one, could satisfy the notion of establishment for the purpose of Article 3(1) jurisdiction; even, in some cases, the presence of a single employee.

• However, just having a website accessible from Europe is not enough.

If you determine that you have an establishment in the EU, does that mean all your data processing is subject to GDPR rules? That depends on what data you are processing and how you are using it.

Is your data processing carried out ‘in the context of [the establishment’s] activities’?
• GDPR will apply to your data processing if there is an inextricable link between the activities of your EU establishment and the processing of data carried out by your non-EU entity. Example: You allow customers in the EU to enter their personal information into your company’s U.S.-based smartphone app to set up loyalty accounts in order to offer discounts at an EU-located store.

• If there is not an inextricable link, as a non-EU data controller, you will not become subject to GDPR simply because you choose to use a processor (a service provider carrying out the data controller’s instructions) located in the Union. Example: You hire a German data processor to handle online sales that are limited to customers in the U.S.

• Likewise, if you are a data controller subject to GDPR and you choose to use a processor located outside the Union and not subject to the GDPR, that will not excuse you from GDPR requirements. You will still need to ensure, by contract, that the processor processes your data in accordance with the GDPR. Example: If you market, sell and ship t-shirts to customers in the EU online, you can’t get around GDPR by hiring a data processor based in India.

If you determine that you do not have an establishment in the EU, are you off the hook? Not necessarily. You may still be subject to GDPR if you offer products or services to individuals in the EU, and process data related to those offerings or monitor data subjects’ behavior in the EU. What does that mean, exactly? It gets complicated, but details are below.

Do you process data related to offering products or services to individuals in the EU or monitoring data subjects’ behavior in the EU? (Article 3(2))?
First we need to define the phrase “Individuals in the EU.” This means people who are physically located in the EU at the time you are offering goods or services or monitoring behavior. They do not have to be citizens or even residents.

So the next question is, when it comes to processing these individuals’ data, what qualifies as (1) the offering of goods or services or (2) monitoring of data subjects’ behavior.

Do you offer Goods or Services?
• In order to fall within the scope of GDPR, you need to manifest your intention to establish commercial relations with consumers in the EU. For this, the EDPB uses the concept of “directing an activity” to the EU market — developed in case law by the Court of Justice of the EU (CJEU) — with respect to jurisdictional matters. Payment for the services, however, is not required.

• A partial list of things that could be considered “directing an activity,” taken possibly in combination with one another, include:
o mentioning dedicated addresses or phone numbers to be reached from an EU country
o marketing and advertisement campaigns directed at an EU country audience
o using an EU or member state top-level domain name
o mentioning customers domiciled in various EU member states, including client testimonials
o using an EU language or an EU currency
o offering the delivery of goods in EU member states.
(2) Do you monitor behavior of individuals in the EU?
• Monitoring can be done both on the internet and through other types of networks or technology involving personal data processing, for example through wearable and other smart devices.

• Monitoring activities include:
o geo-localization activities, in particular for a marketing purpose
o online tracking through the use of cookies or other tracking techniques such as fingerprinting
o personalized diet and health analytics services online
o CCTV
o market surveys and other behavioral studies based on individual profiles, including behavioral advertising
o monitoring or regular reporting on an individual’s health status

Do you need to appoint a representative in the Union?
Under GDPR, if you are a non-EU data controller or processor that is subject to GDPR, you are required to appoint a representative in the Union, unless an exception applies. Local representatives may be held liable for the non-EU entity’s breaches and may be subject to administrative fines and penalties.

There is an exception for public authorities, for which most retailers don’t qualify. Absent that, you are obligated to appoint a representative unless your data processing is “occasional” and “does not include, on a large scale, processing of special categories of data….or processing of personal data relating to criminal convictions and offences…”, and such processing “is unlikely to result in a risk to the rights and freedoms of natural persons.” The EDPB does not elaborate on these criteria. For the definition of “large scale processing,” it refers instead to criteria listed in the EU Article 29 Working Party’s guidance on Data Protection Officers. Those criteria include factors such as the number of data subjects concerned; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data processing activity; and the geographical extent of the processing activity.

The retailer should establish the appointed representative in one of the member states where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are located.

Odia Kagan is a partner and chair of GDPR Compliance and International Privacy at Fox Rothschild LLP, a full-service national law firm. Odia has assisted more than 80 companies, from U.S.-based multinationals to startups, on their path to compliance with the EU General Data Protection Regulation (GDPR). Odia can be reached at [email protected].
X
This ad will auto-close in 10 seconds