One of the more complex issues that will have to be resolved with the new Data Protection Regulation (DPR) is what’s being called “extraterritoriality.” As proposed by the EU Parliament, the DPR will apply to any data transferred outside the EU zone.
So under these new rules, if a US company collects data from someone in the EU (not just citizens!), it would be under the same legal obligations as though the company had its headquarters in, say, France, the UK, or Germany, even though it doesn’t have any servers or offices there!
Legal experts note this may not be that easy to enforce, but if a large enough multinational breaks one of the rules — such as the DPR’s new strict breach notification requirement — my guesstimate is that the EU regulators will likely target it.
Obviously, extraterritoriality is particularly relevant to core web services such as search, social networking, e-commerce, companies that allow you to rent apartments online, etc.
You can map these to your own favorite app to figure out who would be affected.
Under the old rules in the Data Protection Directive (DPD), there was some wiggle room that allowed data collectors to escape having to follow the regulations. A common practice was for service or app providers to keep their data processing outside the EU.
The idea was that if the main processing and servers weren’t located in the EU zone, then the rules didn’t apply.
Companies such as Google, Facebook, and other large web service providers were following this approach.
Not so fast! Google was famously making this argument when the Spanish DPA (data protection authority) asked it to remove a listing from a search result. The case eventually made its way to the EU’s highest court, the ECJ, which ruled against Google last year.
The long arm of EU law prevailed: the specific search listing was removed.
Virtual Location, Virtual Location, Virtual Location.
Even though the Google subsidiary in Spain was just selling advertising to local customers, the court said that was enough of a connection between the subsidiary and the mothership for Google to effectively have an EU presence. In other words, the servers might as well have been in Seville even though they really were in, say, Sausalito.
Back to the Data Protection Regulation. The EU Parliament removed the loopholes from the old law. Legal eagles can read its proposed Article 3, but in short it says the DPR applies when a “controller or processor not established in the Union” processes EU data that “relates to the offering of goods or services,” or even just to monitoring behavior, that is, tracking clicks and URLs.
Where do we stand now?
Last month, the equivalent of the EU’s executive branch, the EU Council, released its version of the DPR. Extraterritoriality remains intact. As Parliament and the Council hash out the final draft, there will likely be more changes before the law is finalized. The EU DPR is expected to go into effect in 2017.
The new law will have huge implications. And even if extraterritoriality is watered down, or enforcement issues can’t be completely worked out between the EU and non-EU regulators, the concept of a strong virtual presence in a country will likely be important in deciding whether the DPR applies.
My thoughts: if you’re a company with a large web foothold and you process EU personal data on offshore servers, I would implement data security as if those servers were in Frankfurt.
You just need to put in place the common-sense data governance practices that we talk about all the time in the Metadata Era: data minimization, data retention limits, role-based data permissions, and data classification to identify personal and other sensitive data at risk.
And of course, always be monitoring!