On December 4, the UK Information Commissioner, Elizabeth Denham, gave a speech to the International Privacy Forum in which she said that the ICO and other EU regulators will prioritize GDPR enforcement against bad actors who pose a real threat to EU residents, not against companies that are genuinely trying to comply. Organizations that cooperate with regulators and work toward compliance, she said, are more likely to encounter the ICO's advisory role than its fining and penalty role. She also noted that complaints from the public have risen since the GDPR came into force: the ICO received about 19,000 in the past six months, roughly 10,000 more than in the previous six-month period. Alongside the complaints, the ICO has, unsurprisingly, received more breach reports, over 8,000 in the same period.

The ICO is not the only body to have weighed in recently. Last month the European Data Protection Board ("EDPB") released draft guidelines on the GDPR's territorial scope (Article 3). The guidelines confirm and refine several of the GDPR's recitals on what it means for a controller or processor to be "established" in the EU, on when a controller or processor not established in the EU is "targeting" data subjects in the EU by offering goods or services, and on what "monitoring" means and which kinds of collection or analysis of personal data amount to monitoring the behaviour of data subjects in the EU. The EDPB also confirmed that the test is the data subject's location, not nationality or residence, and that the location is assessed at the moment the triggering activity takes place, for example when a controller not established in the EU makes an offer of goods or services to him or her. This should be welcome news for controllers outside the EU that routinely process the personal data of EU citizens who are not themselves located in the EU, whether employees or visitors.
One major internet and technology company recently re-assessed its own territorial position: Google announced this week that it is moving responsibility for EU users' data from its U.S. entity to its Irish entity to support its GDPR compliance. In doing so, it gains the benefit of the GDPR's "one-stop-shop" mechanism, under which a controller with establishments in several EU member states deals primarily with the supervisory authority of its main establishment as lead supervisory authority, which coordinates with the other concerned authorities, rather than engaging with each member state's authority on a piecemeal basis. Google said in a blog post that it is making the change "to facilitate engagement with EU data protection authorities," presumably hoping that this closer engagement places it in the cooperative and compliant camp when it deals with data protection authorities across the EU.
Small business owners and Fortune 25 companies alike are still refining their GDPR compliance approach, even now, more than six months after the law became effective. For some small businesses this may mean learning what the law is and whether it applies to them at all; for larger companies such as Google, the refinement is more likely driven by a review of how their compliance efforts have performed from day one to now. For any company, determining whether and how the GDPR's material and territorial scope applies, and then navigating its many compliance requirements, can seem daunting. Fortunately for organizations not established in the EU, the EDPB's recent guidance on territorial scope should help as they work, alone or with counsel, to determine the best approach to GDPR compliance. And Google's recent shift shows that any company that put its "GDPR Compliance Program" in place on May 25, 2018 and has not touched it since should probably take it off the shelf for review.