On January 18, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Data Protection Board (the “EDPB”) on its draft guidelines on the territorial scope of the GDPR (the “Guidelines”). The Guidelines were adopted by the EDPB on November 16, 2018, for public consultation.
CIPL appreciates many of the clarifications and concrete examples provided by the EDPB in the Guidelines with respect to the extraterritorial reach and application of the GDPR. Such clarity is critical for the consistent application and interpretation of Article 3 by organizations and data protection authorities (“DPAs”). At the same time, however, CIPL identified several instances where the Guidelines appear to stretch the criteria triggering the application of the GDPR too far and believes that such scenarios would benefit from further clarification or adjustment.
In its comments to the Guidelines, CIPL recommends several changes or clarifications the EDPB should incorporate in its final Guidelines.
Some key recommendations include:
- Providing detailed examples and further clarity regarding several aspects of the establishment criterion under Article 3(1) of the GDPR, including instances where the establishment threshold would not be met;
- Clarifying several examples in the Guidelines with respect to the offering of goods and services to individuals in the EU under Article 3(2)(a) of the GDPR and adding CIPL’s proposed additional examples;
- Providing more detail around what types of activities fall and do not fall under the definition of “monitoring” under Article 3(2)(b) of the GDPR, particularly with respect to monitoring in the employment and security contexts;
- Further clarifying the role, responsibilities and liability of the Article 27 representative; and
- Explaining the relationship between Article 3 on the territorial scope of the GDPR and Chapter V of the GDPR on international data transfers.
CIPL also includes, in an annex to its comments, a chart designed to illustrate the GDPR’s territorial scope at a glance. The chart is intended to help organizations and DPAs quickly assess whether and to what extent an organization is subject to the GDPR. CIPL recommends the EDPB include this illustration in the final version of the Guidelines.
To read the above recommendations in more detail, along with CIPL’s other recommendations on the territorial scope of the GDPR, view the full paper.
CIPL’s comments were developed based on input by the private sector participants in CIPL’s ongoing GDPR Implementation Project, which includes more than 92 individual private sector organizations. As part of this initiative, CIPL will continue to provide formal input about other GDPR topics prioritized by the EDPB.