Читать книгу International Data Protection Laws - Amit Luhach - Страница 9

2

Material and Territorial Scope

Material Scope

The GDPR applies to the processing of personal data by automated means, wholly or partly, and where the processing is not by automated means if it forms part or intends to form part of a filing system.¹

Exemptions

The GDPR provides for several exemptions all of which are to be interpreted narrowly:

 Public security, national security and defence2 as well as common foreign policy and security policy under Chapter 2 of Title V of the Treaty on the EU.3 Personal data collected for commercial purposes and later on used for security purposes may be covered by these exemptions.4

 The data processing by a natural person for purely personal or household activity like keeping of an address book, correspondence not related to a business or professional activity as well as online activity and social networking for a domestic and social purpose.5 It is a probable extension of the CJEU´s narrow interpretation in Bodil Lindqvist, where the court held that the “exception must be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people”.6 WP29 states that the publication of information to the world, by comparison to a limited friends group, maybe a deciding factor in applying for the exemption.7 In another narrowly interpreted case, the CJEU held that the “video surveillance [...] covers, even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity for the purposes of the second indent of Article 3(2) of Directive 95/46/EC”.8

 The GDPR exempts competent authorities9 i.e. police, prosecution, courts, etc. who process personal data for the matters covered by the Law Enforcement Directive (LED) such as prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, including safeguarding against and prevention of threats to public security.10

 It also excludes personal data processing by EU institutions, bodies, offices and agencies that are subject to the Regulation (EU) 2018/1725.11 The GDPR is not prejudicial to the E-Commerce Directive 2000/31/EC12, especially internet service provider liability rules under Article 12 to 15.13

Territorial Scope

The GDPR protects natural persons concerning the processing of their personal data in the EU regardless of their nationality or residence.¹⁴ The criteria ´personal data´ is the first important factor to enter the applicability of the GDPR – it is not a high one though.

It applies to the processing of personal data in the context of activities of EU established controllers and processors, irrespective of their place of processing.¹⁵ As we can see, this extends the reach of GDPR well over the territory of the EU Member States. The term `establishment` is not defined explicitly but Recital 22 states that it implies effective and real control through stable means regardless of its legal form. Moreover, the CJEU held that “the concept of an `establishment` extends to any real and effective activity, even a minimal one, exercised through stable arrangements”¹⁶. In Google Spain v. AEPD, the CJEU held that an “establishment on the territory of a Member State, implies the effective and real exercise of activity through stable arrangements and that the legal form of such an establishment, whether simply a branch or a subsidiary with a legal personality, is not the determining factor”.¹⁷ In the context of activities of an establishment, the CJEU has stated that the phrase should not be interpreted restrictively.¹⁸ It further observed that “the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed”.¹⁹

WP29 in its opinion has suggested that the GDPR would cover oversees organizations with EU offices involved in promoting, marketing, selling advertising or targeting EU individuals.²⁰ Regardless of the place of residence the GDPR also applies to the processing of personal data of data subjects based in the EU by non-EU established organizations where such processing relates to the offering of goods or services to the data subjects or monitoring of their behaviour within the EU.²¹ This would include an information society service that has been defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of the recipient of service”.²² It is therefore decisive to determine whether there is an EU relevant ´offering of goods or services´ and ascertaining whether the controller or the processor envisages the offering of goods or services to data subjects in one or more EU Member States.²³ The CJEU while applying Brussels I²⁴ in Pammer and Alpenhof held that “whether, before the conclusion of any contract with the consumer, it is apparent from those websites and the trader’s overall activity that the trader was envisaging doing business with consumers domiciled in one or more Member States, including the Member State of that consumer’s domicile, in the sense that it was minded to conclude a contract with them”.²⁵ The `monitoring of behaviour` covers internet tracking including potential subsequent use of personal data processing techniques consisting of profiling of natural persons to take decisions for analyzing or predicting his personal preferences, behaviour and attitudes.²⁶ It brings under its ambit E-Commerce companies, advertising technology networks and many more service offerings. The GDPR also applies to the processing of personal data by a controller, not in the EU but where Member State law applies by virtue of Public International Law.²⁷ This would cover ships, aeroplanes, diplomatic missions and consular posts.²⁸