As is well known, the European Union is currently seeking to reform its data protection framework through the introduction of a Regulation to replace the 1995 Directive. The Regulation has come under significant scrutiny from various quarters. However, one Article – Article 3 determining the proposed Regulation’s territorial scope – has received limited attention. This is surprising since, for any non-EU party, Article 3 is the single most important provision in the entire proposed Regulation; after all, nothing can be of a more fundamental importance than a provision that determines whether the substantive rules of the Regulation apply or not. This fact could scarcely have escaped the attention of the drafters.
In its current form, Article 3 reads as follows:
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.
2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:
(a) the offering of goods or services to such data subjects in the Union; or
(b) the monitoring of their behaviour.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law. (emphasis added)
Anyone attempting to get clarification as to the exact meaning of this Article, and the underlying principles that has guided the drafters, will logically turn to the Explanatory Memorandum. Unfortunately, doing so is an utter waste of time. Depending on one’s personal disposition one will be either amused, dumbfounded or feel great despair in finding that under the heading “3.4 Detailed explanation of the proposal”, all that the Explanatory Memorandum states about Article 3 is that: “Article 3 determines the territorial scope of the Regulation.” If this is the “detailed explanation of the proposal” we need the drafters to provide a ‘super-extended director’s cut’ version as well.
This lacking attention to a key provision, that more than any other needs to be discussed in detail, is puzzling. What is worse, even on a charitable interpretation of the situation, the failure to provide reasonable guidance as to Article 3 is negligent, arguably suggesting that inadequate attention has been given to the territorial scope of the Regulation. At worst, it seems the drafters are seeking to avoid attention being directed at the enormously important effect of Article 3.
Interestingly, and no doubt controversially, whichever version of Article 3 is finally entering into force, this provision seems likely to bring all providers of Internet services such as websites, social networking services and app providers under the scope of the EU Regulation as soon as they interact with data subjects residing in the European Union. While this can be said to be the case already under the current EU approach to extraterritoriality, it is submitted that the new approach, as found in the proposed Regulation, goes even further.
In more detail, the rule articulated in Article 3(2)(a) contains a double requirement; that is, (1) the data subject must reside in the European Union (similar to passive nationality), and (2) the conduct must take place in the EU (similar to objective territoriality). However, Article 3(2)(b), which must be read independent from Article 3(2)(a), only contains the first requirement – it only focuses on whether the data subject resides in the European Union.
If this is correct, then Article 3(2)(b) suggests that EU residents enjoy the protection of the Regulation simply by residing in the European Union. In the absence of further restrictions, this protection would then seem to attach to the very person of EU residents so as to enable them to rely on this protection also when travelling outside the EU. For example, an EU resident on holiday in New York would be protected by the EU data protection Regulation by virtue of the EU residence if a US controller, not established in the Union, processes personal data of the EU resident as part of monitoring the EU resident’s behaviour in New York.
This result is so absurd, and so clearly inappropriate, that it cannot have been the drafters’ intention. Thus, the proposed Regulation must be amended to address this issue, and indeed, all that is required to depart from this unfortunate situation is to include, in Article 3(2)(b), the words “in the Union” in the manner done in Article 3(2)(a).
Indeed, some experts seem to take such an amendment to Article 3(2)(b) for granted. In expressing his views on the proposed Regulation, the European Data Protection Supervisor stated that:
“He considers that the offering of goods and services or the monitoring of the behaviour of data subjects in the Union makes much more sense and is more in line with the reality of global exchanges of information than the existing criterion of the use of equipment in the EU, under Article 4(1)(c) of Directive 95/46/EC.” (emphasis added) (Opinion of the European Data Protection Supervisor on the data protection reform package, 7 March 2012, at 17.)
While this interpretation is sensible, it would be much more comfortable to have the text of Article 3(2)(b) amended so as to cement this interpretation beyond any doubt.