In a judgment handed down by the UK Court of Appeal on 21 December 2021 ([2021] EWCA Civ 1952, available here), Walter Soriano, the claimant, was granted his cross-appeal, giving him permission to serve Forensic News LLC and four other defendants in the United States with proceedings under the General Data Protection Regulation (GDPR). The appeal came from the High Court, which had previously refused such permission on the basis that the claimant could not demonstrate that the claim satisfied the test for serving claims outside the jurisdiction. The reason given by the High Court was that the processing of the claimant’s personal data did not fall within the territorial scope of the GDPR. The Court of Appeal therefore revisited the GDPR’s territorial scope as part of this appeal and decided the claimant had an arguable case and could therefore serve the claim outside the jurisdiction.
Continue Reading UK’s Court of Appeal assesses territorial scope of GDPR

On 12 November 2019, at its 15th plenary meeting, the European Data Protection Board (EDPB) adopted final guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines) following public consultation.

We have previously considered the draft guidelines on our blog. The first of the two blogs considered the extra-territorial scope of the GDPR (here), and the second blog post considered the need for non-European Union (EU) controllers to designate a representative located in the EU (here).

The guidelines seek to provide a common interpretation of the GDPR Article 3 for data protection authorities when assessing whether processing by a controller or a processor falls within the territorial scope of the GDPR. The final guidelines maintain the interpretation adopted in the first draft of the guidelines but now include further explanations from the EDPB addressing comments received during the public consultation. Below, we consider some of the EDPB’s new additions in the final version of the guidelines available here.

Continue Reading EDPB adopts final version of guidelines on the territorial scope of the GDPR

On 16 November 2018, the European Data Protection Board (EDPB) adopted draft guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines).

Last week we published a blog on these guidelines, focusing on when the GDPR applies to non-European Union (EU) controllers and processors. This week, we focus on when non-EU controllers and processors who come within the scope of the GDPR must appoint an EU representative.

GDPR requires that non-EU controllers or processors of personal data of individuals located in the EU appoint EU-based representatives (EU representative), unless they are exempt. The guidelines divide this requirement into four distinct sections.

Continue Reading Does GDPR require non-EU companies to nominate EU representatives? EDPB issues guidance

On 16 November 2018, the European Data Protection Board (EDPB) adopted draft guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines).

This is the first of two blogs on the guidelines. This blog considers the extra-territorial scope of the GDPR. Next week, we will consider the need for non-European Union (EU) controllers to designate a representative located in the EU.

Territorial scope

The GDPR has extra-territorial effect. This means it can apply to companies based outside of the EU.

GDPR applies to a non-EU-based company where that company:

  1. Processes personal data in the context of the activities of an EU establishment (the establishment criterion);
  2. Processes personal data of an individual in the EU, for the purposes of either: (i) offering goods or services to that individual in the EU, or (ii) monitoring the behaviour of that individual in the EU (the targeting criterion); or
  3. Is subject to EU Member State law by virtue of public international law.  This has been an area of significant uncertainty for non-EU companies. The guidelines offer some much-needed clarity.

This has been an area of significant uncertainty for non-EU companies. The guidelines offer some much-needed clarity.

Continue Reading EDPB issues much-awaited guidance on GDPR’s territorial scope