Follow us: @AlstonPrivacy www.AlstonPrivacy.com 2
Today’s Speakers
David Keating, Co-Chair, Privacy & Data Security Practice (Moderator)
Peter Swire, Senior Counsel, Atlanta, Alston & Bird
Jan Dhont, Chair, EU Privacy & Data Security Practice
Parker Miller, Partner, Technology & Telecommunications Litigation
Agenda
Introduction
The new regime in perspective
Discussion | Practical Impact & Enforcement Risks
Q&A
The Current Regime
Framework Directive applies to:
Controllers in the EU, regardless of physical location of processing (Art. 4(1)(a) Dir.)
Controller outside the EU, making use of “equipment” in the EU (Art. 4(1)(c) Dir.)
Rationale: prevent companies from positioning their business seat outside the EU to avoid the Directive
In Practice: broad interpretation / nationality of data subjects is irrelevant
Examples: cloud-vendor in the EU, tracking devices deployed in the EU (cookies, Javascript banners, etc.), EU-based CROs for pharma research. Potential competitive disadvantage for EU-based vendors!
The Current Regime
Extra-territorial application:
In theory, non-EU based controller must comply with ALL requirements of the Directive
In practice,
“Mission Impossible” - Requirements differ between EU Member States
Often just compliance with data transfer requirements / appointment of a representative (at best)
Working Party: “the criterion of Article 4(1)(c) results in the principles of the Directive being applicable to the controller as such, for all the stages of the processing, even those taking place in a third country.” (Advice 8/2010).
GDPR Regime | Territorial Application
The GDPR applies to processing “in the context of activities of an establishment” of a controller or a processor in the EU, regardless of physical location of processing (Art. 3(1) GDPR)
Controller or processor must be located in the EU
Establishment can be a subsidiary or a branch (legal form is irrelevant) / “Effective and real exercise of activity through stable arrangements”
Nationality of data subjects is irrelevant
Examples:
- HR processing by Luxembourg-based subsidiary of a UK company
- Belgian and Luxembourg branch offices of a company established in France
- Swedish-based subsidiary of a Brussels-based data processor stores data in the US
GDPR Regime | Extraterritorial Application
The GDPR applies to controllers and processors outside the EU that process personal data in connection with (Art. 3(2) GDPR):
The offering of goods or services to individuals in the EU
- Offering must be intended, not coincidental
- Language (Weltimmo C-230/14) and currency are important indicators
- B2C / B2B ?
- Irrespective of payment by individual
Monitoring of behavior of individuals in the EU
- All types of internet tracking and profiling (recital 24)
- Arguably, “active tracking” required
The New Regime Applied
Scenario / Framework Directive / GDPR

US Controller using a cloud provider in the EU for data warehousing purposes
  Framework Directive: YES – use of equipment in the EU
  GDPR: NO – however, cloud vendor is directly liable

US Controller placing tracking technology on hard-drives in the EU
  Framework Directive: YES – use of equipment in the EU
  GDPR: YES – considered monitoring of behavior in the EU

US Controller targeting EU customers via website (sales in EURO)
  Framework Directive: NO – unless site hosted in the EU/using equipment in EU
  GDPR: YES

US Controller using US based vendor to build profiles on EU data subjects
  Framework Directive: NO – unless controller uses equipment in EU
  GDPR: NO – unless tracking technology used to monitor EU data subjects
Representative
Requirement (Art. 27 GDPR): applies to controllers or processors outside the EU
Unless processing is occasional, does not include large-scale processing of sensitive data, and is unlikely to result in a risk (association to risk)
Appointment in writing
Only one representative required
Legal / natural person established in the EU
In EU member state where data subjects are located
- In case of extra-territoriality, companies cannot benefit from the one-stop-shop mechanism
- Appointment of a representative does not exempt the controller/processor from appointing a DPO
Tasks & Liability
Interface with SA and data subjects (representative must be identified in notices)
Record-keeping (Art. 30 GDPR) and cooperate in SA investigations (Art. 58 GDPR)
Liability of representative remains unclear, but does not create immunity for controller or processor
“[S]hould be subject to enforcement proceedings”
Jurisdiction Supervisory Authorities and Enforcement
SAs only have competence within their country (territoriality principle)
SAs may take action against EU-based representative (Recital 80) and not against the controller/processor in third country, BUT SAs may order suspension of data flows, for instance, by local telecoms providers
Representatives may be sued and held accountable – market will require non-EU controller/processor to accept liability
Companies may just decide to cooperate to mitigate reputational risk
Jurisdiction Supervisory Authorities and Enforcement
Data subjects / consumer organizations may bring proceedings in national courts where data subject has habitual residence (Arts. 79 and 80 GDPR)
Civil/Criminal court rulings require execution in the U.S.
Obtain local DPA/court findings for use in proceedings overseas
Non-EU based controllers / processors may nonetheless appear in court, for instance, to avoid unwanted results
In case of “inappropriate” SA decision, companies may sue SAs before the national courts (Art. 78 GDPR)
Discussion | Practical Impact & Enforcement Risks
Case Studies
Does the GDPR apply and why? How can companies manage associated risks?
A US company sends employees to the EU on an ad-hoc basis, to make calls or for other activities
EU data subjects visit the US corporate website and occasionally buy products
A US company operates predominantly outside of the EU, but may have a parent, sub, affiliate or joint venture that does business in the EU
A US company has (independent) contracting relationships with businesses that operate in the EU. The company’s employees and activities are in the US.
Case Studies
If an SA commences an enforcement action against a US-based company, what are the jurisdictional defenses available to the company if it has no assets or employees in the EU?
If the SA levies a fine, would it be enforceable in the US?
Any different if an EU court enters a judgment against the US-based company?
How, if at all, does the possibility of private rights of action under the GDPR affect the analysis?
Case Studies
Suppose the company is primarily in the US, but with some of the business connections just discussed (employees, customers, corporate relationships, contracts) in the EU. What is the risk of enforcement action by the SA?
What realistically might trigger an enforcement action?
Is it safe for the company to “hide in the weeds” and assume that the SA will not enforce?
What are the risks associated with this strategy?
How does the answer change if the company does significant business in the EU, but is not a high-profile company that SAs are known to be monitoring/targeting?