
Privacy 2.0: GDPR, territorial scope and the Privacy Bill
Joanna Hayward
24 January 2020 at 11:38


This is the third update in our Privacy 2.0 series.

The territorial scope of privacy and data protection can be fundamental. When does one jurisdiction’s legal reach extend to the actions of organisations beyond its geographical borders?  

Late last year, the European Data Protection Board (EDPB) published its final guidance on the territorial scope of the European Union’s General Data Protection Regulation (GDPR). If you haven’t been sleeping, you’ll be aware the GDPR is the landmark privacy upgrade that applies to citizens of all European Union countries. It aims primarily to give individuals control over their personal information. One consequence of this is that organisations and businesses outside Europe now need to comply with the GDPR if they handle the personal information of European citizens.

The GDPR came into effect in May 2018, and the rest of the world has had to take notice if it continues to trade with the European Union and process the personal information of EU citizens.

GDPR Article 3

The guidance from the EDPB on the territorial scope traverses Article 3 of the GDPR. This article reflects the EU’s intention to ensure comprehensive protection of the privacy rights of EU citizens within the EU, and when data is sent outside the EU.

Article 3(1) affirms that the GDPR applies to the activities of data processors and controllers relating to an establishment in the EU, regardless of where the data processing actually takes place.

The EDPB recommends that non-EU organisations undertake an assessment of their processing activities, firstly by determining whether personal data is being processed, and secondly by identifying potential links between the activity for which the data is being processed and their activities in the EU.

Even if there is no EU establishment, Article 3(2) (“targeting”) says the GDPR applies to non-EU controllers or processors in two situations: those that offer goods or services to individuals in the EU, and those that monitor the behaviour of individuals in the EU.

The EDPB recommends a twofold approach to targeting – firstly, whether the organisation is processing the personal data of data subjects who are in the EU, and secondly, whether the processing relates to offering goods or services or monitoring data subjects’ behaviour in the EU, including behavioural advertising and online tracking. Note that data controllers or processors subject to the GDPR on this basis are required to appoint a representative in the EU, and the EDPB has included guidance about this requirement.

If you want to know more about whether your organisation is affected, these FAQs may be helpful.

New Zealand Privacy Bill

The New Zealand Privacy Bill, as reported back by the Justice Committee, includes an express provision about its application – see clause 3A. The Justice Committee recommended adding the new clause to make clear who the Bill would apply to.

The Committee recommended the Privacy Bill apply to:

  • any actions by an agency, whether inside or outside New Zealand;
  • any actions by an overseas agency in the course of “carrying on business” in New Zealand; and
  • the actions of any individual who is not ordinarily resident in New Zealand but is physically present here (such as tourists).

The Bill also clarifies that an overseas agency is to be treated as “carrying on business” here even if it does not have a physical place of business here, charge for goods or services, or make a profit from its business here.

The “carrying on business” test is not limited to commercial organisations but extends to non-commercial organisations like clubs, trusts, churches and charities, if their activities in New Zealand bring the organisation within the scope of New Zealand’s privacy legislation.

This approach is consistent with Australia’s Privacy Act, which applies if an organisation has an “Australian link”, including carrying on business in Australia.

Similarly, in Canada, the common law principle of “a real and substantial connection” was applied in a federal court finding against a Romanian website in 2017.

Read our other Privacy 2.0 blog posts here.
