ITsecurity

GDPR Material and Territorial Scopes

Posted on February 8, 2018.

GDPR Mindmap

The new EU General Data Protection Regulation will enter into force on 25 May of this year. The GDPR contains rules concerning the protection of natural persons when their personal data are processed and rules on the free movement of personal data. The new regulation is not revolutionary but an evolution from the previous Data Protection Act 1998, which needed an update taking account of the evolution of new technologies such as social media. The regulation has lately created a big buzz because of its much higher financial sanctions. Many who have heard of it have been shaken by the prospect of fines of 20 million € or 4% of global turnover, whichever is higher. I still meet many who do not know who is actually concerned by this. So I am offering here a close look at the text of the regulation, examining the material and territorial scope of the Regulation, which is directly applicable in the national legislation of EU Member States. Non-EU entities are concerned as well, as long as they access or monitor the data of EU residents, and that is not exclusively EU citizens.

As stressed in Article 1(1) GDPR:

  • Art. 1 GDPR Subject-matter and objectives

1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

=> Recital: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13

Article 1(2) GDPR provides that the GDPR seeks to protect fundamental rights and freedoms of natural persons and, more specifically, their right to the protection of personal data. It means that, as such, the Regulation does not deal with the rights and freedoms of legal persons, such as companies.

Rec. 27, 158, 160; Art. 1(1)-(2), 4(1): The law protects the personal data of natural persons, but does not apply to data of deceased persons. However, Member States may provide for rules regarding the processing of data of deceased persons.

Article 8 of the EU Charter of Fundamental Rights – Protection of Personal Data:

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

Therefore, legal persons are excluded, as are deceased persons unless a Member State rules otherwise. I have seen much confusion between the US concept of Personal Information Identifier (PII) and the EU concept of personal data.


  • Art. 2 GDPR Material scope

1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

EXCLUSIONS:

2. This Regulation does not apply to the processing of personal data:

  1. in the course of an activity which falls outside the scope of Union law;

  2. by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

  3. by a natural person in the course of a purely personal or household activity;

  4. by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.

4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

=> Recital: 14, 15, 16, 17, 18, 19, 20, 21

The Directive applies to the processing of personal data:

• by automatic means (e.g., a computerised system or database); and

• by other (non-automated) means that form part of a relevant filing system.

The protection of individuals should be technologically neutral and should not depend on the techniques used.

Therefore, in principle, the processing of any information relating to an identified or identifiable natural person, whether wholly or partly by automated means, as well as processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system, falls within the material scope of the GDPR.

What about the territorial scope? Previously, under the Data Protection Directive, some foreign companies, mainly US entities, showed reluctance to apply EU data protection rules. Some had argued they could escape EU laws by storing the data on servers based outside the EU. The Safe Harbour Agreement regulating the flow of data between the EU and the US was invalidated. A new series of negotiations was run to achieve the Privacy Shield. The new regulation has clarified the situation.

  • Art. 3 GDPR Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

  2. the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

=> Recital: 22, 23, 24, 25

An EU-based entity that does not itself carry out data processing but performs an activity which can be considered inextricably linked to data processing will fall under the GDPR: in the Google Spain case (C-131/12), the CJEU ruled that “processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, within the meaning of that provision, when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State.”

The definition of ‘Personal Data’ is given in Article 4:

“‘personal data‘ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

  • UK ICO: What is personal data?

Personal data are defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

Does this include IP addresses? In a groundbreaking decision on October 19th, the Court of Justice of the European Union (CJEU) ruled that dynamic IP addresses could be considered personal data. Under the GDPR, clearly, the IP address, as an ‘identification number’, can be personal data.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Widening the scope of personal data from the Data Protection Directive, the GDPR applies to:

• EU-based controllers and processors when personal data is processed “in the context of its activities”.

• In addition, the GDPR will apply to controllers and processors established in the European Economic Area (EEA) member states Iceland, Norway and Liechtenstein.

• The GDPR may also apply to those established outside the European Union that target data subjects in the EU/EEA by offering them goods or services, or that monitor the behaviour of such data subjects. The use of an EU language or currency, the ability to place orders in that other language and references to EU users or customers will be relevant (Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller, Joined Cases C-585/08 and C-144/09).

• Non-EU/EEA controllers established in a place where EU/EEA law applies by virtue of public international law.

Would the GDPR apply to non-EU controllers established within the EEA but exclusively processing data of non-EU/EEA residents?

The long arm of EU jurisdiction is reflected in the requirement for controllers falling into these categories to appoint an EU-based representative. What about falling ‘outside the scope of Union law’?

The GDPR should not apply to the processing of the personal data of EU/EEA citizens when collected outside the EU by non-EU controllers based outside the EU/EEA, for instance data collected from an EU citizen when travelling abroad outside the EU.

As for the situation of the UK, the Information Commissioner has clearly stated that the GDPR will be applied as long as the United Kingdom remains in the European Union. However, the EU Commission's official communication warned that the UK will become a country without adequate data protection following Brexit. The Data Protection Bill, which has now completed its passage through the Lords and is awaiting its second reading in the House of Commons, makes provision for a judicial remedy. The courts of the United Kingdom are to have the power to make compliance orders under clause 165 and to award compensation under clauses 166 and 167. The blog of Jane Lambert, UK IP and IT barrister, is a good resource for following the Bill.

Are you ready to demonstrate compliance?


Submitted in: Expert Views, News_privacy, Tara Taubman-Barissian, Uncategorized