The European Union’s General Data Protection Regulation (the “GDPR”) became applicable on May 25, 2018. While the GDPR has been a hot topic for some time in Europe, it has only recently begun to hit the radar of Canadian organizations.
One key question that organizations outside of the European Union (the “EU”) grapple with is whether they are required to comply with the GDPR, even if they do not have a physical presence within the EU. While the answer will largely depend on the specific activities of each organization, there are good reasons to believe that, in many instances, compliance with the GDPR may be required, particularly where an organization has EU donors or members.
The GDPR applies to the processing of “personal data”, which is defined as “any information relating to an identified or identifiable natural person”, who is called a “data subject”. Personal data is not limited to names and addresses: it includes online identifiers such as IP addresses and cookie identifiers, as well as email addresses and telephone numbers, wherever they can be linked to an individual.
“Processing” refers to any operation performed on personal data, including its collection, use, storage and disclosure. “Controllers” are organizations responsible for determining the purposes and means of processing personal data—why and how they intend to collect and use the personal data. Organizations that process personal data on behalf of a controller are considered to be processors.
The EU regulatory bodies that oversee the GDPR in member states are called “supervisory authorities”.
Territorial Scope of GDPR
Article 3(1) of the GDPR applies to the processing of personal data “in the context of the activities of an establishment” of a controller or processor in the EU, regardless of whether the processing itself takes place in the EU. Put simply, if an organization has an establishment in the EU and processes personal data in the context of that establishment’s activities, it must comply with the GDPR, and this is so whether or not the data subjects are themselves located in the EU.
However, Article 3(2) goes a step further by extending the territorial scope of the GDPR to organizations that are not established in the EU. The GDPR states that it will apply to a “controller” or “processor” who is not established in the EU and is engaged in the processing of personal data of data subjects who are in the EU. Specifically, the GDPR will apply where the processing activities relate to:
- the offering of goods or services to individuals who are in the EU (whether or not payment is required), or
- the monitoring of the behaviour of individuals who are in the EU, to the extent that behaviour takes place within the EU.
Note that the test is whether the data subjects are in the EU at the relevant time, not their citizenship or domicile; an EU citizen living in Canada does not, on that basis alone, bring a Canadian organization within Article 3(2).
Article 3 itself does not define what constitutes an offering of goods or services. Recital 23 indicates that a case-by-case analysis must be conducted to determine whether it is apparent that the organization “envisages” offering goods or services to individuals in the EU. That said, there is a general consensus, reflected in Recital 23, that the mere accessibility of a public website from the EU is not enough to bring an organization under the GDPR. However, additional factors, such as using a language or currency used in one or more EU member states, offering delivery to EU addresses, or specifically mentioning customers or users in the EU, may demonstrate an intent to offer goods or services to individuals in the EU.
With respect to the second part of the test, Recital 24 explains that behaviour monitoring occurs when a natural person is “tracked on the internet,” including the subsequent use of personal data to profile a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviours and attitudes. In practice, this captures common web analytics, behavioural advertising and cross-site tracking technologies when they are applied to visitors who are in the EU.
The GDPR was intentionally drafted in a manner to ensure that it applies not only to EU-based organizations, but also to those organizations based outside of the EU that handle personal data belonging to EU data subjects. Given the ubiquitous nature of digital commerce, many Canadian organizations – acting as a data controller or processor – are likely subject to the GDPR as a result of the expanded territorial scope under Article 3.
If they have not already done so, Canadian organizations should review their digital activities to determine whether they are actually subject to the GDPR and, if so, develop and begin the implementation of a GDPR compliance roadmap. For more information about the requirements under the GDPR, please see our previous post.