The European Union’s General Data Protection Regulation (the “GDPR”) will be coming into force on May 25 of this year. While the GDPR has been a hot topic for some time in Europe, it has only recently begun to hit the radar of Canadian companies.
While there are many questions around the GDPR, one key question that organizations outside of the European Union (the “EU”) are asking is whether they are required to comply with the GDPR, even if they do not have a physical presence within the EU. While the answer will largely depend on the specific activities of each organization, there are good reasons to believe that in many instances, compliance with the GDPR may be required.
Territorial Scope of GDPR
Article 3(1) of the GDPR applies to EU-based organizations engaged in the processing of personal data (i.e., any information relating to an identified or identifiable natural person) belonging to EU data subjects. Put simply, if an organization has a physical presence in the EU and is engaged in the processing of personal data belonging to EU data subjects, it must comply with the GDPR.
However, Article 3(2) goes a step further by extending the territorial scope of GDPR to organizations that are not physically established in the EU. The GDPR states that it will apply to a “controller” or “processor” who is not established in the EU and is engaged in processing of personal data of EU data. Specifically, the GDPR will apply:
- where the processing relates to the offering of goods or services to them (whether or not payment is required), or
- where their behavior within the EU is monitored.
There is no clear guidance as to what constitutes an offering of goods or services under Article 3 of the GDPR. According to Recital 23, a case-by-case analysis must be conducted in order to determine whether a given activity can be deemed to be an “offering of goods or services.” Ultimately, the key is to determine whether the data controller or the processor intends to offer goods or services in the EU.
With respect to the second part of the test, behavior monitoring occurs when a natural person is “tracked on the internet,” including the use of personal data to profile a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.
Where an organization not based in the EU – acting either as a data controller or processor – is subject to the GDPR, it will be required under Article 27 to designate a European representative. This representative is meant to receive communications addressed to the controller by the EU data protection supervisory authorities and by data subjects.
It is noteworthy that Article 25 exempts controllers from this obligation if the processing is occasional, does not include the large-scale processing of “special categories of data,” and is “unlikely to result in a risk for the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of processing.” Special categories of data are sensitive data that reveal racial or ethnic origin, political or religious beliefs, as well as genetic, biometric and health data.
These territorial provisions were designed to limit the opportunity for law-shopping and were introduced as a means to allow a more level playing field for European companies in the face of global competitors in the borderless world of the internet.
The GDPR was intentionally drafted in a manner to ensure that it applies not only to EU-based organizations, but also to those organizations based outside of the EU that handle personal data belonging to EU data subjects. Given the ubiquitous nature of digital commerce, many Canadian organizations – acting as a data controller or processor – are likely subject to the GDPR as a result of the expanded territorial scope under Article 3.
If they have not already done so, Canadian organizations should review their digital activities in order to determine whether they are actually subject to the GDPR and if so, develop and begin the implementation of a GDPR compliance roadmap. For more information about the requirements under the GDPR, please see our July 28, 2017 post.
 We note that a “Controller” is an entity that, alone or jointly with others, determines the purposes and means for the processing of personal data. On the other hand, a “Processor” is an entity that processes personal data on behalf of the Controller. Canadian privacy laws do not make the same distinction between a “Controller” and “Processor”.