Article 3 GDPR. Territorial scope

 

Author: Gerrit Hornung 

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
     • (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
     • (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

 

I. Aim and function of the provision

Art. 3 determines the territorial scope of the GDPR. The provision introduces three different approaches, namely the principle of establishment (para. 1), the marketplace principle (para. 2) and the principle of application by virtue of public international law (para. 3). The aim is to cover all circumstances relating to the Union and – particularly through the marketplace principle – to establish uniform rules in the internal market for suppliers within and outside the Union.[1] The provision does not contain any (explicit) regulation regarding the scope of application of the national law of the Member States, which is adopted through the exercise of opening clauses.[2] The GDPR is silent on this point with the exception of recital 153 sentence 6 (→ mn. 9 et seq.).

The fact that the provision is consistently linked to the concept of establishment and therefore does not regulate the territorial scope for data processing by public authorities of the Member States is hardly ever addressed. For those, the applicability is rather caused by the general and direct application (Art. 288 para. 2 TFEU) and the principle of rule of law, i.e., the administration’s obligation to comply with the law. In the absence of an explicit provision, it should be permissible for the Member States to capture this in a provision in a declaratory manner (see e.g. § 1 para. 1 sentence 1, para. 4 sentence 1 of the German Federal Data Protection Act). Authorities of third countries are not covered by Art. 288 para. 2 TFEU. In this respect, the concept of establishment in para. 2 is to be understood broadly and also covers these authorities, because otherwise the exception from the obligation to designate a representative in Art. 27 para. 2 lit. b would make no sense.[3] However, it is hardly to be expected that the applicability will be accepted by third countries (in particular the USA) in this case.

The main problems of the provision lie, for several reasons, in its application to controllers and processors in third countries (para. 2). Firstly, considering the GDPR’s protective purpose, an extension beyond the territory of the Union is almost imperative because personal data flows do not stop at national borders in times of globalisation and, especially on the Internet, data processing is often carried out by global oligopolies which have their (main) headquarters in the USA. Secondly, the extension to such providers is a fundamental problem, also under international law, because the associated “export” of European data protection standards is reasonable from a European perspective, but at the same time carries the danger of imposing legal standards on partners, in particular those that are weaker than the US.[4] Thirdly, fundamental problems arise in the area of enforcement, because the monitoring of the standards applicable under Art. 3 is not possible (or at least not to the same extent) in third countries by means of usual mechanisms (rights of data subjects, judicial remedies, supervisory measures).

Para. 2 attempts to solve these problems, at least in part, by extending the territorial scope of the GDPR to controllers and processors in third countries through the marketplace principle. The CJEU had already taken a step in this direction by interpreting the wording “in the context of the activities of an establishment” in Art. 4 para. 1 lit. a DPD very broadly, using marketplace-oriented criteria (→ mn. 22 et seq.).[5] Para. 2 goes even further because it clearly stipulates that providers who address the European internal market without (any) establishment in the Union must also comply with European data protection law. This confirmation and extension of the CJEU’s case law is one of the most important substantive changes of the data protection reform.[6] In the reform process, this aroused clear scepticism abroad, often rooted in self-interests: providers from third countries wanted to avoid being bound by European data protection law even though they are economically active in the internal market. Despite the problems described below, especially regarding enforcement in third countries,[7] the marketplace principle is the proper approach for regulating the territorial scope.[8] It assumes that those actors doing business in the Union should also comply with the rules of the internal market and should not have an advantage over actors established in that market. This understandable idea is also the reason why the marketplace principle applies in many other areas of law, as well as in US data protection law.[9]

II. Legislative history and predecessor provisions

The provision has a predecessor in Art. 4 para. 1 DPD (see also recitals 18-21 DPD).[10] However, unlike Art. 3, this provision also regulated the territorial scope of the national law of the Member States in relation to each other. Art. 4 para. 1 DPD required the Member States to apply their national data protection law in three cases of processing, namely to processing of personal data

  • in the context of activities of an establishment on its own territory (Art. 4 para. 1 lit. a DPD; now with slight modifications para. 1; → mn. 14 et seq.),
  • by controllers with establishments in locations outside of this territory, where national law was applicable by virtue of international law (Art. 4 para. 1 lit. b DPD; now regulated essentially identically in para. 3, but formulated in a grossly misleading way in the German version of the GDPR → mn. 59), as well as
  • by controllers in third countries if, for the purpose of processing personal data, they used automated or non-automated means located in the territory of the Member State, unless this was done solely for the purpose of transit (Art. 4 para. 1 lit. c DPD; now replaced by the marketplace principle in para. 2 → mn. 32 et seq.).

 

[…]

 

 

[1] Albrecht, CR 2016, p. 88 (p. 90); EDPB, Guidelines 3/2018, p. 4.

[2] Cf. Laue, ZD 2016, p. 463; Laue/Kremer, § 1 mn. 98 et seq.; v. Lewinski in Auernhammer, DSGVO Art. 3 mn. 28.

[3] The Comm also assumes that para. 2 is applicable when authorities from third countries offer services in the Union, see the Comm’s answer in Council document 8004/13, 50 (59); in reference to this Piltz in Gola/Heckmann Art. 3 mn. 32.

[4] Extensive on the international legal perspective Uecker, Extraterritoriale Regelungshoheit im Datenschutzrecht, 2017, in particular pp. 41 et seq. (necessity for regulation), pp. 49 et seq. (possible elements for extraterritorial regulation), pp. 98 et seq. (comparative law analysis) and pp. 176 et seq. (international law perspective), see further Svantesson, Stan. J. Int’l L. 50 (2014), p. 53 (pp. 76 et seq.).

[5] CJEU C-131/12, mn. 45 et seq. – Google Spain; see e.g. Kühling, EuZW 2014, 527; Spiecker gen. Döhmann, CML Rev. 2015, p. 1033 (pp. 1041 et seq.).

[6] Albrecht, CR 2016, p. 88 (p. 90); Schantz, NJW 2016, p. 1841 (pp. 1842); Kühling/Martini, EuZW 2016, p. 448 (p. 450); Plath in Plath Art. 3 mn. 11; Piltz in Gola/Heckmann Art. 3 mn. 1; Klar in Kühling/Buchner Art. 3 mn. 1, 8; see also Svantesson, Stan. J. Int’l L. 50 (2014), p. 53 (p. 78); EDPB, Guidelines 3/2018, p. 4.

[7] See e.g. Uecker, Extraterritoriale Regelungshoheit im Datenschutzrecht, 2017, pp. 76 et seq.; v. Lewinski in Auernhammer, DSGVO Art. 3 mn. 4; Klar in Kühling/Buchner Art. 3 mn. 26 et seq.; see also → Art. 27 mn. 32 et seq.

[8] Klar in Kühling/Buchner Art. 3 mn. 18 et seq.; Ernst in Paal/Pauly, Art. 3 mn. 13, each with further references; the problems potentially associated with the marketplace principle due to an excessive economic perspective (Uecker, Extraterritoriale Regelungshoheit im Datenschutzrecht, 2017, pp. 208 et seq.) need to be considered, but should be manageable; generally critically Svantesson, Stan. J. Int’l L. 50 (2014), p. 53; Svantesson, International Data Privacy Law 2015, p. 230; somewhat critically Svantesson in Kuner et al. Art. 3, p. 76.

[9] Klar in Kühling/Buchner Art. 3 mn. 6 et seq.; detailed Uecker, Extraterritoriale Regelungshoheit im Datenschutzrecht, 2017, pp. 147 et seq., who essentially confirms consistency with the GDPR (pp. 159 et seq.).

[10] For the interpretation see CJEU C-131/12 – Google Spain; C-230/14 – Weltimmo; C-191/15 – Amazon; Art. 29 WP, WP 56; Art. 29 WP, WP 179; see also Bygrave, CLSR 2000, p. 252 and the literature cited below.
