6 July 2020
The GDPR may apply to processing activities happening outside of Europe, commonly referred to as the GDPR’s “extraterritorial effect”. Reflecting the latest guidance on the subject from the European Data Protection Board (EDPB), this brief should be considered an update to an earlier brief on the GDPR’s territorial scope.
The GDPR applies to processing activities rather than to individuals or organizations. This means that researchers and their institutions cannot accurately say that the “GDPR does not apply to us”. Rather, there are two principal criteria by which the GDPR may apply to the processing of personal data by organizations outside of the European Economic Area (EEA): the “establishment” criterion and the “targeting” criterion.
The GDPR applies to data processing activities occurring outside of the EEA that have a link to the activities of an establishment in the EEA. The notion of an “establishment” encompasses “any real and effective activity – even a minimal one – exercised through stable arrangements”. This may encompass processing activities that are carried out by a controller outside of the EEA but that have a connection to an establishment within the EEA. For example, this would be the case where a pharmaceutical company based in the EEA has its research arm in Canada carry out its personal data processing activities related to genomics. While the Canadian office would not normally be within the territorial scope of the GDPR, the activities of the EEA establishment and their connection to the research arm draw the Canadian office’s processing into the establishment criterion.
Perhaps more far-reaching than the establishment criterion is the targeting criterion. Organizations should first ask themselves if the processing activities relate to the personal data of individuals in the EEA. Then if so, they should further ask whether processing relates to (1) the offering of goods and services or (2) the monitoring of behaviour of individuals in the EEA.
Offering goods and services may catch certain research projects depending on the circumstances: no payment is required for an offer to qualify, and the return of results to participants, for example, may qualify as a service. Monitoring the behaviour of EEA-based research participants may be more relevant for longitudinal studies or other research projects that are built upon participants habitually reporting their health status. Thus, for example, a research project based in Australia with a mobile app offered in the Benelux countries’ “app stores” that asks participants to periodically input their dietary and fitness information would be caught by the GDPR.
An analysis of the GDPR’s applicability is a determination to be made on a case-by-case basis. The EDPB’s guidelines indicate that, for example, the merely incidental (non-intentional) processing of personal data of individuals in the EEA is on its own insufficient to trigger the GDPR’s application. Moreover, the mere selection of an EEA-based processor by a controller outside of the EEA, without other factors present, will not subject that controller to the GDPR. Frequently, however, the surrounding circumstances of personal data processing are not so simple and a determination may be difficult to make. Consequently, the EDPB’s guidelines on this subject are a “must read”. Finally, it should be noted that the European Commission has signalled its intention to further clarify the relationship between the GDPR’s territorial scope and its rules on data transfers outside of the EEA.
Relevant GDPR Provisions
Michael Beauvais works at McGill University’s Centre of Genomics and Policy.
For a list of previous briefs, please consult here.
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.