The need of the hour for businesses today is data and its regular analysis to improve their products or services. Companies monitor user activity, store the information, and transfer personal information to other jurisdictions depending on their mode of business and requirements. Data plays a crucial role in business and is one of the key ingredients in building marketing strategies, performing competitive analysis, improving user interfaces, and so on.
Anything of importance needs protection; hence every country has data protection regulations and standards with which organizations must comply. Similarly, to secure the personal and sensitive personal information of EU citizens and residents, the European Union (EU) introduced the Global Data Protection Regulations (GDPR) on May 25, 2018.
The GDPR is meant to grant more control over how data is collected, used, and
guarded online. It also binds organizations to strict rules about using and
securing the personal data they collect from people, including the mandatory use
of technical safeguards like encryption and better legal thresholds to justify
data collection. Organizations that do not comply face heavy penalties of up to
4 percent of their annual revenue or €20 million, whichever is higher.
GDPR applies to every organization that is established in the EU or that has even a minor connection with the information of EU citizens or residents, wherever in the world it is located. The entire point of the GDPR is to safeguard data belonging to EU citizens and residents. The law therefore applies to organizations that handle such data whether or not they are EU-based; this is referred to as its extra-territorial effect.
Article 3 of the GDPR addresses the territorial scope of the processing of personal data within and outside the EU.
- The Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
Article 3(1) states that the GDPR applies to organizations established within the EU, whether or not the data is stored or used outside the EU. The GDPR itself does not define 'establishment'; the concept under EU data protection law must be interpreted as explained in Article 4 of Directive 95/44/EC of the European Parliament.
The concept of establishment can be understood from the Weltimmo v. NAIH case, in which Weltimmo, a company incorporated in Slovakia, was found to have an establishment in Hungary through the operation of a website. Weltimmo advertised properties in Hungary with the help of a local agent and used a Hungarian postal address and bank account. The case is significant because it allows the data protection legislation of one state to be applied to an organization established in another.
This judgment affected organizations with headquarters in multiple jurisdictions, particularly in European countries, which had assumed they would be subject only to the data protection laws of the country of their headquarters. Such companies are also answerable to the authorities of the other states in which they operate and will accordingly be treated as having an establishment in that territory.
In Google Inc. v. AEPD (known as the right to be forgotten decision), the U.S.-incorporated Google Inc. was held to be established within the EU because its search activities were sufficiently linked to the advertising sales generated by Google Spain, a local subsidiary. In that case, the data processing related to the search business, and the sale of online advertising financed it. It was found that the data processing was carried out in the context of the activities of the Spanish establishment.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behavior as far as their behavior takes place within the Union.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Global data protection regulation outside the EU
The scenarios under Article 3(2) in which a non-EU organization must comply with the GDPR are:
- Offering goods and services: the GDPR applies to organizations that offer goods and services to people within the EU.
- Monitoring behavior as far as it takes place within the Union: if a corporation monitors or tracks the IP addresses or cookies of EU citizens or residents, or of visitors from EU countries, on its website, then the organization falls within the scope of the GDPR.
However, within the above scenarios, it is important to understand that the GDPR does not apply to occasional instances, nor where someone from an EU country accidentally or unknowingly visited your site and the data was stored. There is an enormous grey area around occasional instances and the technical grounds for being GDPR compliant or non-compliant, so it is better to consult an expert as well.
In Pammer v. Schluter ([2010] EUECJ C-144/09), the court found that it was necessary to show that the trader had manifested its intention to establish commercial relations with consumers from one or more other Member States.
Based on the court's guidance in the above case, the following factors are also strong indications that a non-EU business is offering goods or services to data subjects within the EU and should therefore be subject to the GDPR:
- Use of the language of a Member State (if the language differs from the language of the home state);
- Use of the currency of a Member State (if the currency differs from the currency of the home state);
- Use of a top-level domain name of a Member State;
- Mentions of customers based in a Member State; or
- Targeted advertising to consumers in a Member State.
When GDPR isn't applicable
- GDPR does not apply to personal or household activities.
- Small- and medium-sized enterprises (SMEs) are not completely exempt from the GDPR, but the regulation does free them from record-keeping obligations in most cases.
Article 30(5) should be read together with Recital 13 of the GDPR, which concerns organizations with fewer than 250 employees, to gain a better understanding of the extent to which SMEs are exempt from record-keeping obligations.
The presence within the EU of a branch or subsidiary, or even a single individual, may bring all the data processing activity within the scope of the GDPR. Global businesses will have to show that there is no commercial connection between a local operation and a non-EU company to avoid the application of EU data protection laws to data processing by the non-EU company. Companies must monitor the traffic of users visiting their sites, check for commercial connections, understand the territorial jurisdiction from which the user comes, and update the Privacy Policy and Terms of Use on their website accordingly.
If a company does not collect any information and has no business dealings with any relevance to the EU or its citizens or residents, then it does not have to be GDPR compliant and can opt for GDPR shields to block data from EU countries. However, consult an expert before blocking European visitors completely; one must also have sound data governance practices in place and stay updated on the grey areas of the GDPR.
End-Notes:
- https://swarb.co.uk/peter-pammer-v-reederei-karl-schluter-gmbh-and-co-kg-etc-ecj-7-dec-2010/
- https://gdpr.eu
- https://gdpr-info.eu
- https://www.wiley.law
- https://medium.com/golden-data/weltimmo-and-the-concept-of-establishment-under-eu-data-protection-law-1b48fb78938d
Award Winning Article Is Written By: Mr. Praful Shukla