On the application of the GDPR to online organisations
I am not a lawyer, I am most certainly not your lawyer, and this is not legal advice.[1]
In a recent discussion in /r/AustraliaSim, an online community I am involved in, the question came up of whether the European Union's General Data Protection Regulation (GDPR) applies to AustraliaSim. In a 2-page discussion, I expressed my opinion that it does not, and I outline below the general considerations I believe are relevant to this question, and may be relevant to any organisation in a similar position.
Article 3 of the GDPR outlines 4 circumstances in which the GDPR applies, each discussed below.
Article 3(1) provides that the GDPR applies ‘in the context of the activities of an establishment of a controller or a processor in the Union’. An organisation considering its position under the GDPR is likely to be a data controller.
The European Data Protection Board (EDPB) has offered guidance on this matter in its Guidelines 3/2018 on the territorial scope of the GDPR. Per the EDPB, an ‘establishment extends to any real and effective activity – even a minimal one – exercised through stable arrangements’. To determine the application of this provision, one must consider ‘the degree of stability of the arrangements and the effective exercise of activities in [a] Member State … in the light of the specific nature of the economic activities and the provision of services concerned’, noting that ‘in some circumstances, the presence of one single employee or agent … may be sufficient to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability’.
In the case of AustraliaSim, it was unnecessary to consider these factors, as AustraliaSim does not have any discernible connections with the EU.
Note that article 3(1) also applies to data processors, in addition to data controllers. The question was raised of whether, if AustraliaSim uses data processors with establishments in the EU (and therefore subject to the GDPR), that also brings AustraliaSim under the GDPR. Per the EDPB, the answer to that question is no:
[W]hen it comes to the identification of the different obligations triggered by the applicability of the GDPR, the processing by each entity must be considered separately.
The EDPB specifically notes that:
in the case of a data processor established in the Union and carrying out processing on behalf of a data controller established outside the Union and not subject to the GDPR … the processing activities of the data controller would not be deemed as falling under the … GDPR merely because it is processed on its behalf by a processor established in the Union. (emphasis added)
Example 7 of the EDPB guidance provides an informative example in this respect.
In relation to AustraliaSim, my opinion was therefore that as AustraliaSim does not have an establishment in the EU, it does not attract the operation of article 3(1) of the GDPR.
Article 3(2)(a) provides that the GDPR applies ‘to the processing of personal data of data subjects who are in the Union … related to … the offering of goods or services … to … data subjects in the Union’. This involves two considerations: (1) Are there ‘goods or services’? (2) Are they ‘offered’ to data subjects in the EU?
Meaning of ‘goods or services’
The meaning of ‘goods or services’ in article 3(2)(a) is unclear and not defined, and it is conceivable that ‘service’ could have its broad dictionary meaning, encompassing the activities of an organisation like AustraliaSim. However, it is my opinion that, in the context of the phrase ‘goods or services’, the term should be understood in an economic sense – like when we say that a market is where producers and consumers meet to exchange goods and services, or when we call a value-added tax a ‘goods and services tax’.
This interpretation is indirectly supported by the EDPB guidance, which refers in passing to services ‘normally provided for remuneration’. Similarly, provisions such as article 50 of the Treaty Establishing the European Community define ‘services’ as those ‘normally provided for remuneration’. While these do not have direct application to the GDPR, I believe they are compelling and support the more natural interpretation of ‘goods or services’ – in its economic sense.
In relation to AustraliaSim, my opinion was therefore that, as participating in a discussion board is not an economic service ‘normally provided for remuneration’, AustraliaSim is not a ‘service’ within the meaning of article 3(2)(a) – noting that the construction of the term is unclear, but see also the discussion below.
Meaning of ‘offering’
The term ‘offering’ in article 3(2)(a) is easily misread in its broad sense of ‘being available’ to EU data subjects – but the EDPB guidance makes it crystal clear that this is not the correct interpretation.
Recital 23 of the GDPR clarifies that ‘the mere accessibility of the controller's … website in the Union … is insufficient’ to engage this provision.
Rather, the EDPB guidance states that the key element is ‘whether the offer of goods or services is directed at a person in the Union’ (emphasis added), and provides a 9-point list of potentially-relevant considerations:
- Reference by name to the EU or a member state
- Paid search engine advertisements in the EU, or marketing and advertising campaigns directed at an EU country audience
- Activities that are international by nature, e.g. tourism
- Dedicated addresses or phone numbers to be reached from an EU country
- The use of a foreign top-level domain, e.g. ‘.de’ or ‘.eu’
- Travel instructions from EU member states
- Mention of international clientele domiciled in EU member states, such as testimonials
- Use of foreign language or currency
- Delivery of goods in EU member states
Example 14 of the guidance provides an informative example, describing a Swiss University launching a Master degree, open to any student with sufficient background. In particular, ‘[t]he University does not specifically advertise to students in EU Universities, and only takes payment in Swiss currency’ (emphasis added).
The EDPB concludes that in that example:
[a]s there is no distinction or specification for students from the Union in the application and selection process … it cannot be established that the Swiss University has the intention to target students from … particular EU member states. … Without other factors to indicate the specific targeting of students in EU member states, it therefore cannot be established that the processing … relates to the offer of an education service to data subject[s] in the Union, and such processing will therefore not be subject to the GDPR provisions.
In relation to AustraliaSim, my opinion was therefore that, as membership is equally open to all countries, and AustraliaSim advertises exclusively to Australian audiences, does not advertise to EU audiences, and does not hold itself out as being directed at the EU, it is not ‘offered’ to EU data subjects within the meaning of article 3(2)(a).
The question arose of comparison with VATSIM, another online community, which has conversely determined that it is subject to the GDPR. Noting that VATSIM's self-assessment is not legally binding, there is nevertheless a clear difference to be noted. The VATSIM website makes extensive reference to Europe, EU member states and members in these regions (example). VATSIM, unlike AustraliaSim, therefore does meet one of the 9 considerations described by the EDPB, and may be subject to the GDPR.
In relation to AustraliaSim, my opinion was therefore that AustraliaSim is likely not a ‘service’ within the meaning of article 3(2)(a), but in any case clearly does not ‘offer’ itself to EU data subjects, and therefore does not attract the operation of article 3(2)(a) of the GDPR.
Article 3(2)(b) of the GDPR provides that the GDPR applies ‘to the processing of personal data of data subjects who are in the Union … related to … the monitoring of their behaviour’. Recital 24 expands on this, describing monitoring of behaviour in relation to ‘profiling a natural person’, particularly ‘in order to take decisions … or for analysing or predicting … personal preferences, behaviours and attitudes’.
In relation to AustraliaSim, my opinion was therefore that, as it does not utilise any analytics techniques, and does not track the behaviour of users per se, it does not attract the operation of article 3(2)(b) of the GDPR.
Article 3(3) of the GDPR provides that the GDPR applies ‘in a place where Member State law applies by virtue of public international law’, such as an embassy. It is highly unlikely that this would apply to any ordinary online organisation.
Synthesising all these points, it was therefore my conclusion that AustraliaSim is not subject to the GDPR. This was the source of some surprise from many, given the somewhat misguided public impression that the GDPR is some wide-reaching panacea for everyone's online privacy woes. While the GDPR does indeed have significant scope, it must be remembered that the law says what it says, not what you think it says! In my view, in this case, the text of the GDPR, as interpreted with the help of guidance from the EDPB, clearly confers a smaller scope than may otherwise be believed.
[1] The practising of law by unqualified persons is prohibited in Australia under section 10 of the Legal Profession Uniform Law, as set out in Schedule 1 to the Legal Profession Uniform Law Application Act 2014 (Vic).