Global e-commerce and EU data protection standards
Claes G. Granmar
• Extraterritoriality: Shall the courts and authorities within the EU apply the GDPR with respect to acts that have allegedly taken place outside the territory of the Union?
• Article 2(2)(a) GDPR: No, the regulation does not apply outside the scope of EU law. However, what does that mean?
• Where does data processing take place?
• Who are the subjects of EU law?
• What are the competences of the Union?
Legal context
• Constitutional starting points:
• Articles 4(1) and 5(1-2) TEU: Conferral
• Article 16 TEU: Legal basis.
• Article 2 TEU: Values
• Article 6(1) TEU – EU Charter: Rights and freedoms
• In particular Articles 7, 8, 11, 16, 41, 47 and 52(1).
• “source code” of EU law:
• Articles 3 and 21 TEU: Objectives (realisation of values)
• Article 5(2) TEU: Teleology
• Article 13 TEU and Article 7 TFEU: Teleology and consistency.
Article 3 GDPR: “Territorial scope”
• Article 3(1) GDPR: Processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union...
• Article 3(2) GDPR: Processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union:
• (a) the offering of goods or services […] to such data subjects in the Union;
or
• (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
• Article 3(3) GDPR: Processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Article 3(1) GDPR
• controller or a processor:
• Controller: Determines the purpose and means for processing (abstracted from real control in C-131/12 Google Spain).
• Processor: Processes personal data “on behalf of the controller”.
• establishment of..: (same or different legal persons)
• Ordinary definition in C-55/94 Gebhard etc. “stable arrangement” (continuous participation in economic life of a State, not fixed period, infrastructure relevant but not decisive).
• Infrastructure for data processing not sufficient, C-347/09 Dickinger.
• Online trade and appointed representative suffices, C-230/14 Weltimmo.
• in the context of..:
• Processing within the Union irrelevant, C-131/12 Google Spain
• Very abstract concept:
Article 3(2) GDPR
• A) Offering goods or services to data subjects in the Union:
• “Offering of goods or services”: Overall impression of website (language, currency, telephone number, top-level domain etc.; not mere availability). Joined cases C-585/08 Peter Pammer and C-133/09 Hotel Alpenhof.
• “In the Union”: Questionable whether the place from where an EU citizen can access the website is decisive.
• B) Monitoring of behaviour of data subjects in the Union if the behaviour takes place within the Union.
• Overlapping jurisdictions = Private international law.
• Article 27 GDPR: A representative must be appointed in the Union.
• Back to 3(1)!
Article 3(3) GDPR
• Processing of personal data by a controller (not processor) not established in the Union.
• but in a place where Member State law applies by virtue of public international law:
• Article 351 TFEU: Prior to EEC or subsequent accession.
• Mixed agreements such as CETA (new generation of comprehensive investment and trade agreements).
Summary
• No extraterritoriality… but in the name of teleology…
• a very broadly defined concept of “composite establishment” in e-commerce (stable arrangement through an independent but authorised person).
• However, normal definition of main establishment and subsidiaries if applicable.
• Very broad concept of “in the context of…” = empty notion.
• Relevance of the place where an EU citizen accesses a website is questionable.
• GDPR applies as national law also in the legal context of international law.
• Is there a need for a global e-commerce regime including data protection?
Thank you for your time!