The European Data Protection Board (EDPB) has released draft Guidelines on the territorial scope of the General Data Protection Regulation (GDPR). The consultation period closes on January 18, 2019. Even though the Guidelines are not final, there are several very helpful principles and examples to guide Canadian businesses. The bad news is that the variety of possible situations in which Canadian companies could be subject to the GDPR may come as a surprise for businesses (particularly small to medium-sized businesses that may not have the GDPR on their compliance radar).
I thought it would be interesting to work through a few examples of how the EDPB Guidelines might apply to Canadian businesses. Keep in mind that I am not an EU qualified lawyer, so don’t take this as gospel (much less legal advice). If you disagree with my application of the EDPB Guidelines, I’d be very interested in hearing your views. Feel free to reach out and let me know where I got it wrong.
First, let’s level-set. Article 3 of the GDPR sets out three independent situations in which the GDPR could apply to Canadian businesses.
- Establishment in the EU: The GDPR applies to processing activities of a controller or processor (regardless of whether the processing takes place in the EU) if the processing is in the context of the activities of an establishment in the EU.
- Targeting goods and services to data subjects in the EU: The GDPR applies to processing activities of a controller or processor not established in the EU if the processing activities are related to the offering of goods or services to data subjects in the EU.
- Monitoring behaviour of data subjects taking place in the EU: The GDPR applies to processing activities of a controller or processor not established in the EU if the processing activities are related to the monitoring of behaviour of a data subject in the EU.
Let’s examine how these might apply to different scenarios for Canadian businesses.
Scenario 1: a Canadian business has a branch that meets with suppliers and provides marketing support
According to the Guidance, the GDPR likely applies based on the establishment test. The GDPR would apply to the processing of personal data of EU data subjects even if the processing is conducted by the Canadian business in Canada.
The EDPB takes a non-formalistic approach to the question of whether a business has an establishment in the EU. As the Guidance acknowledges, there is no definition of “establishment” in the GDPR. However, based on the recitals and previous jurisprudence and guidance under the former European Data Protection Directive 95/36/EC, the EDPB concludes that all that is required is a real and effective activity in the EU based on stable arrangements. The test is very low. It does not require a formal subsidiary in the EU. Rather, the EDPB cautions that even a single employee or agent may meet the test.
However, the EDPB also says that there must be some link between the establishment and the processing activities. Group enterprises are particularly vulnerable to the application of the GDPR. In scenario 1, the branch office’s activities are inextricably linked to the overall activities of the Canadian business’s sales activities. The fact that the Canadian business does not itself market to the EU data subjects is not determinative.
Scenario 2: a Canadian business uses an EU-based cloud service provider to store data about Canadians
According to the Guidance, the establishment test would not be met for the Canadian business. The mere fact that the Canadian business is using an EU-based processor is not sufficient to bring the Canadian business within the scope of the GDPR. The fact that an independent processor is in the EU will not result in the Canadian business having an establishment in the EU.
However, one interesting twist is that the GDPR does not just apply to EU data subjects. So, the EDPB advises that if the processing activity is happening in the EU, it does not matter whether the data subjects are in the EU. The processor has an establishment in the EU and will be subject to the GDPR even when it is processing data about non-EU data subjects.
Note to cloud service providers: that is not how most of your data processing agreements currently read!
Scenario 3: an EU business uses an independent Canadian processor of non-EU data subjects
This scenario is based on example 6 in the Guidance. According to the Guidance, the Canadian processor is not subject to the GDPR directly (assuming that it has no establishment in the EU). The establishment test would not be met. However, the EU business is subject to the GDPR even with respect to non-EU data subjects. According to the Guidance, the EU controller must enter into a data processing agreement with the Canadian processor that provides sufficient guarantees to meet the requirements of the GDPR.
Scenario 4: a Canadian company offers a news app that is downloaded by a Canadian traveling in Europe
This scenario is based on example 9 in the Guidance. In this scenario, the establishment test is not met. The EDPB also says that so long as the app is being directed at the Canadian market (or at least the non-EU market), then the Canadian company would not be subject to the EU. The targeting goods and services test would not be met.
Scenario 5: a Canadian company offers an interactive tourist map that provides information and in-app offers for cities in Europe and elsewhere
This scenario is based on example 8 in the Guidance. According to the Guidance, the Canadian company could be subject to the GDPR with respect to personal information collected by data subjects. The EDPB made the scenario in example 8 a bit too easy because the app tracked the location of the individuals and made targeted offers. Both the targeting goods and services and monitoring of behaviour tests would be met.
A more difficult scenario would be if the app only tracked location in order to function and was not targeted to residents of the EU. For example, what if the app were an app developed by a Quebec company that provided information in Canadian French? It is not clear if the mere fact of tracking the location of Canadians in Europe would be sufficient to result in the application of the GDPR. What do you think?
Scenario 6: a Canadian property insurer collects information about an EU citizen
This scenario is similar to example 10 in the Guidance. The EDPB says that the GDPR would not apply if the EU citizen was resident in Canada. The mere fact that the person is an EU citizen does not trigger the application of the GDPR. The establishment test is not met. The targeting goods and services and monitoring behaviour tests are not met.
What if the EU citizen was not resident but was seeking to insure a vacation property in Canada? The EDPB does not provide particular guidance, but it appears that the GDPR would not apply, provided that the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of the person’s behaviour in the EU.
Scenario 7: a Canadian music festival pays a search engine to target advertisements to data subjects in the EU
According to the Guidance, it is possible that the targeting of goods and services test would be met. The EDPB says that several factors would need to be assessed. However, the fact that the music festival is specifically seeking to reach the EU audience would weigh heavily, as would the fact that the music festival might be connected to tourism, and, therefore, the EU audience is being encouraged to visit Canada.
Scenario 8: a Canadian company offers its “.CA” website in English, French, German and Italian with flags of those countries representing the language choices
Unfortunately, the EDPB is also fixated on language as a possible element for consideration (see example 12 of the Guidance). The EDPB doesn’t seem to appreciate that countries like Canada might be more heterogenous than many European nations. However, the fact that the website is a “.CA” website would be taken into consideration. The mere fact that a Canadian website were offering multilingual services would not be sufficient to meet the test. See, for example, example 14 of the Guidance. However, other factors could change the analysis, such as if the company provided pricing in Euros, the ability to pay in Euros and shipping to EU member states.
Scenario 9: a Canadian app developer with no establishment in Europe develops a French gaming app that is not targeted to Europeans but that residents of France use; the app collects usage information that is used by the developer to improve the game
This scenario is a variation of example 16 in the Guidance. The data subjects are in EU and the Canadian app developer is monitoring behaviour taking place in the EU. So, the two conditions for the application of the monitoring behaviour branch of the extraterritorial application of the GDPR would be met according to the Guidance. The app developer would be considered to be a controller under the GDPR.
Scenario 10: the Canadian app developer in scenario 9 uses a cloud service provider located in the United States to store the usage data.
According to the Guidance example 16, the Canadian app developer, as controller, must have an appropriate data processing agreement in place with the US cloud service provider. The data processing agreement must comply with the GDPR and, in particular, Article 28 of the GDPR.
Note to cloud service providers: Stop fighting Canadian companies on this point.