GDPR Triggers — Exploring Jurisdictional Scope

www.iapp.org

September 14, 2017
Time: 11:00 a.m. – 12:30 p.m. ET, 3:00 – 4:30 p.m. UTC


Program Outline

I. Welcome and Introductions
II. Context: Where We Currently Stand with the Directive
III. Context: What’s New Under the GDPR
IV. Hypothetical Scenarios
  I. Scenario 1: Non-EU based company, online sales, small incidental sales to EU customers
  II. Scenario 2: Non-EU based company with retail stores outside the EU, small incidental sales to EU customers
  III. Scenario 3: Non-EU based company, online sales, EU based processor
  IV. Scenario 4: HR data processed outside of the EU, with EU employees potentially in the system
V. Summary Remarks
VI. Resources – Links for More Information
VII. Questions from the Audience
VIII. Closing Remarks


Welcome & Introductions

Panelists:

Phil Lee, CIPP/E, CIPM, FIP
Partner, Privacy, Security and Information Practice, Fieldfisher, London

Ruth Boardman
Co-head, International Data Protection Practice, Bird & Bird LLP, London

Host:

Dave Cohen, CIPP/E, CIPP/US
Knowledge Manager, IAPP


Context: Where We Currently Stand with the Directive


Quick recap: Legal applicability rules under the Directive (1)

• Law in effect until 25 May 2018 = Data Protection Directive (95/46/EC)

• Law in effect from 25 May 2018 = General Data Protection Regulation (2016/679)

• Each has rules determining when they apply – note: these are not the same!

• Directive focuses on establishment and equipment.

• GDPR focuses on establishment, offering goods and services, and monitoring.

RIP Data Protection Directive, 1995 – 2018


Quick recap: Legal applicability rules under the Directive (2)

• The establishment test (Art 4(1)(a)):
  • Applies where “processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State”
  • i.e. if an EU-based subsidiary or branch has decision-making power over data, then the Directive applies.

• The equipment test (Art 4(1)(c)):
  • Applies where “the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State”
  • i.e. if the business is outside the EU but uses EU-based data processing equipment, then the Directive applies.


FAQs about applicability under the Directive

• Question: Does the Directive apply to an EU business which only processes data about non-EU data subjects?
  • Answer: Yes!

• Question: Does the Directive apply to a non-EU business which only processes data about non-EU data subjects but which uses EU servers to do so?
  • Answer: Yes!

• Question: Does the Directive apply to a non-EU business which only processes data about non-EU data subjects but which uses an EU processor to do so?
  • Answer: Yes! (Probably.)

• Question: Does the Directive apply to a non-EU business which only uses non-EU equipment to process data about EU data subjects?
  • Answer: No! (But beware of cookies?)


Context: What’s New Under the GDPR


1. Processing in the context of EU establishments

[Diagram labels: Processor, Controller; US, India]

Wide concept of establishment; 'in the context of' – see Google Spain


2. Processing personal data of data subjects who are in the Union

Offering goods/services to DS in the EU
• No need for payment
• Is it 'apparent' that the controller 'envisages' doing this?

Monitoring behaviour of DS in the EU
• Tracking on the internet
• Processing to take decisions concerning DS, including re: personal preferences


Hypothetical Scenarios

Scenario 1: Non-EU based company, online sales, small incidental sales to EU customers


Audience polling question

You are the CPO for a US-based online store which attracts only incidental EU customers (<1% of sales).

Your CEO has asked you if the business needs to get “GDPR-ready”. Does the GDPR apply to you?

(A) Yes
(B) No
(C) Don’t know


You are the CPO for a US-based online store – what if you have incidental EU sales? (1)

Applicability criteria / Analysis

Limb 1: Is the processing “in the context of the activities” of an establishment of a controller or processor in the European Union? (Art 3(1), Recital 22)
• No.

Limb 2: Are you offering goods and services to data subjects in the European Union? (Art 3(2)(a), Recital 23)
• Website localisation? (Domain names, language, other?)
• Acceptance of EU currencies?
• Delivery to EU addresses?
• E-mail registrants – service v marketing e-mails?

Limb 3: Are you monitoring the behaviour of data subjects in the European Union? (Art 3(2)(b), Recital 24)
• Use of targeting / retargeting platforms?


You are the CPO for a US-based online store – what if you have incidental EU sales? (2)

• Conclusion: Maybe!

• Many different factual considerations to take into account. “Mere accessibility” not enough – consider other “nexus” to European data subjects.

• Even if technically subject to GDPR, may be low risk to proceed as if GDPR does not apply (at least until EU sales become more substantial or other risk triggers, e.g. complaints)

• Risk-based decisions need to be weighed up against likelihood of risk crystallizing vs compliance overheads – e.g. appointment of EU representative, compliance with GDPR fair processing requirements, vendor terms, data export rules etc.

• What did you think?


Audience polling question – RESULTS!

You are the CPO for a US-based online store which attracts only incidental EU customers (<1% of sales).

Your CEO has asked you if the business needs to get “GDPR-ready”. What did you answer?


Hypothetical Scenarios

Scenario 2: Non-EU based company with retail stores outside of EU, small incidental sales to EU customers


You are the CPO for a chain of stores in the US – what if EU nationals shop in store?

• You have no EU establishment – limb one does not apply

• Limb two:
  • Processing personal data of data subjects in the EU – your shoppers are not in the EU
  • What about when they return to the EU? Is it 'apparent' that you 'envisage' processing their data?
  • What if you ask for the customers' email addresses to send invoices?
    • Same analysis
  • What if you also send promotional follow ups?
    • Is it apparent that you intend to sell to individuals in the EU?
    • Do you send EU-focussed marketing – currency/ language/ references to EU customers?
    • Do you monitor their behaviour (email opening analysis…)?


Hypothetical Scenarios

Scenario 3: Non-EU based company, online sales, EU based processor


Audience polling question

Back to scenario 1 (US online store with incidental EU business), you took a risk-based decision that GDPR compliance was not necessary. Almost all of your data comes from the US, with very few EU sales.

However, you’ve just learned that for cost reasons the business now wants to host all data collected through the site on an instance with Awesome Web Services in Ireland. Your CEO asks if this will make you subject to the GDPR. What do you answer?

(A) Yes
(B) No
(C) Don’t know


You are the CPO for a US-based online store – what if you host the data in the EU? (1)

Applicability criteria / Analysis

Limb 1: Is the processing “in the context of the activities” of an establishment of a controller or processor in the European Union? (Art 3(1), Recital 22)
• Unclear. Is the processing “in the context of the activities” of the US controller (i.e. this limb does not apply) or the EU processor (i.e. this limb does apply)?
• Even if the controller is not directly subject, the processor will be – with indirect compliance consequences for the controller.

Limb 2: Are you offering goods and services to data subjects in the European Union? (Art 3(2)(a), Recital 23)
• See previous analysis.

Limb 3: Are you monitoring the behaviour of data subjects in the European Union? (Art 3(2)(b), Recital 24)
• See previous analysis.


You are the CPO for a US-based online store – what if you host the data in the EU? (2)

• Conclusion: Maybe!

• Unclear legal test re whose “activities” are referred to. Need guidance from the DPAs.

• Even if technically subject to GDPR, may be low risk to proceed as if GDPR does not apply. Note, though, that the EU-based processor may try to “flow up” some compliance responsibilities through Art 28 vendor terms.

• What did you think?


Audience polling question – RESULTS!

Back to scenario 1 (US online store with incidental EU business), you took a risk-based decision that GDPR compliance was not necessary. Almost all of your data comes from the US, with very few EU sales.

However, you’ve just learned that for cost reasons the business now wants to host all data collected through the site on an instance with Awesome Web Services in Ireland. Your CEO asks if this will make you subject to the GDPR. What do you answer?


Hypothetical Scenarios

Scenario 4: HR data processed outside of the EU, with EU employees potentially in the system


You are the CPO for a financial services company with EU staff

• You are about to move to a centralized HR system, giving your HQ more access to EU staff data – will GDPR apply directly to head-office?
  • You have an establishment in the EU
    • Google Spain: the data is likely being processed in the context of the activities of the EU establishment, rules apply directly
    • Data transfer rules: your EU entities will require you to agree to follow EU rules in any event
  • You have a central IT function, which i.a. provides security services including for your EU entities
    • Some information security activities (e.g. DLP) will be considered to be monitoring of behaviour triggering GDPR


Summary Remarks


When the GDPR definitely applies

• Hypotheticals give the more challenging examples.

• In many (most?) cases, it will be much clearer whether the GDPR applies.

• GDPR will always apply if:
  • You are a business established in the EU.
  • You are (intentionally) offering goods and services into EU markets.
  • You are using ad tech to run targeted advertising campaigns in the EU.


Resources

Bird & Bird GDPR Guide

Bird & Bird GDPR Tracker

Fieldfisher Privacy, Security and Information law blog

Fieldfisher iOS app (Android version coming soon)

Fieldfisher “Everything you need to know about the GDPR in Under 60 Minutes” video


Questions & Answers

Panelists:

Phil Lee, CIPP/E, CIPM, FIP
Partner, Privacy, Security and Information Practice, Fieldfisher, London
[email protected]

Ruth Boardman
Co-head, International Data Protection Practice, Bird & Bird LLP, London
[email protected]

Host:

Dave Cohen, CIPP/E, CIPP/US
Knowledge Manager, IAPP
[email protected]


THANK YOU!

To our speakers, and to all of you in the virtual audience.


Web Conference Participant Feedback Survey

Please take this quick (2 minute) survey to let us know how satisfied you were with this program and to provide us with suggestions for future improvement.

Click here: http://www.questionpro.com/t/AL2CRZaktH

Thank you in advance!

For more information: www.iapp.org


Attention IAPP Certified Privacy Professionals:

This IAPP web conference may be applied toward the continuing privacy education (CPE) requirements of your CIPP/US, CIPP/E, CIPP/G, CIPP/C, CIPT or CIPM credential, worth 1.0 credit hour. IAPP-certified professionals who are the named participant of the registration will automatically receive credit. If another certified professional has participated in the program but is not the named participant, then the individual may submit for credit by submitting the continuing education application form at submit CPE credits.

Continuing Legal Education Credits:

The IAPP provides certificates of attendance to web conference attendees. Certificates must be self-submitted to the appropriate jurisdiction for continuing education credits. Please consult your specific governing body’s rules and regulations to confirm if a web conference is an eligible format for attaining credits. Each IAPP web conference offers either 60 or 90 minutes of programming.


For questions on this or other IAPP Web Conferences or recordings, please contact:

Dave Cohen, CIPP/E, CIPP/US
Knowledge Manager
International Association of Privacy Professionals (IAPP)
[email protected]
603.427.9221