News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Europe Data Protection Digest | The European Commission’s new proposed regulation: From “equipment/means” to “directed to” criterion Related reading: EDPB issues opinion casting doubt on legality of pay-or-consent models

rss_feed

""

By Fabio Di Resta

In a globalised world where every place is interconnected via the Internet and new technologies, companies—both big multinationals and SMEs—are operating more and more in different jurisdictions. Particularly, in the Internet environment, companies provide services and products remotely and they collect data that they can easily share among an undetermined group of enterprises. These are widespread activities in the Information Society that can raise problems if not carried out lawfully.

New Regulation and Harmonisation

In order to ensure legal certainty for controllers, individuals and stakeholders, the EU legislative body is trying to address applicability and jurisdictional issues. The European Commission will publish its new proposed data protection framework on Wednesday, January 25. According to an official draft (version no. 56, 29 November 2011) of the new regulation released late last year for inter-service consultation, one of the main objectives of this document is to fulfill the ambitious harmonisation of the data protection laws of EU Member States. This is particularly relevant for multinationals, who struggle with the lack of sufficient harmonisation, which creates legal uncertainties and barriers to free movements of data in Europe.

External scope of the EU data protection law

In more detail, the following example of a common electronic transaction shows the main challenges that faced in protecting personal data in the EU:

A buyer resides in Europe, while the vendor’s place of business is outside of the EU. In this case, many privacy experts say that the rules and conditions under which the buyer controls his own personal data should be applied; these rules should come from the country in which the buyer (data subject) resides rather than those in which the place of business of the operator of electronic commerce is located (data controller).

The simple above-mentioned case illustrates one of the most crucial issues of the EU data protection law and the ongoing debate on the review of EU data protection law framework. On this subject, the provisions on applicable law provide a set of rules to determine the external scope of EU law, this means that provisions determine the extent to which the EU data protection law is applicable to data processing that has taken place wholly or partially outside the EU or European Economic Area (EEA) (Iceland, Liechtenstein and Norway).

The “Equipment/Means” Criterion

Regarding European data protection law applied outside the EU, there is a clear principle stated in the 95/46/CE Directive that will be revised. The article 4 (1) c provides that the national law of Member States is applicable when the data controller is not established in the EU/EEA but for purposes of data processing that “makes use of equipment, automated or otherwise, situated on the territory of the said Member States.” The principle expressed here is called “equipment/means” criterion, and it is rather relevant in network environments such as cloud computing and for multinational companies. It should be considered that the scope of protection of a person residing in the EU cannot be reduced only to a national or resident in EU, taking into account that the right to protection of personal data is a fundamental right that can be infringed even by data processing wholly or partially operated outside of the EU. On the other hand, there should be a mitigation of the application the “equipment/means” criterion, otherwise there could be a serious risk to apply EU law to data processing thta does not have any real connection with EU/EEA.

For this reason, this principle is combined with a complementary criterion which takes into account the relevant targeting of the data processing to individuals. This is a criterion that is widespread in different jurisdictions: the EU regulation on jurisdiction and recognition and enforcement of judgments of civil and commercial matters; the United States’ legislation on the protection of children online (COPPA), and some national laws transposing the Directive 2000/31/EC on electronic commerce. In these cases, national law applies respectively when individuals, children or purchasers are targeted by the data processing.

Case 1: Geo-Location Services

For the sake of clarity, two cases in which the criteria apply should be considered. These examples were analysed in the Opinion 8/2010 on the applicable law adopted on 16 December 2010 by the Article 29 Data Protection Working Party. The first case refers to geo-location services. A company located in New Zealand used cars globally, including in EU Member States, to collect information on Wi-Fi access points (which also includes private terminal equipment of individuals). In this case, the cars collecting Wi-Fi information along the streets were considered as data processing “equipment.” Moreover, the company provided a geo?location service to individuals processing data through dedicated software installed in the individuals’ devices. In this case data protection law applies to the data controller located in New Zealand because of the presence of the “equipment” (cars and devices).

 Case 2: Cloud computing

The other case refers to cloud computing. In this IT model, personal data are usually processed and stored on servers in several places around the world. The exact place where the data are stored is not always known, and it can change over the time. In order to trigger the applicability of EU law, the relevant information includes the context of activity within the EU (principle of establishment) and the location of the equipment.

The first step is to identify the data controller and its activities. In this context, the user of the cloud service could be a data controller. A company uses an agenda service online: if the company uses the agenda in the context of activity of its establishment in the EU, the EU law will be applicable. However, the cloud provider could also be under some circumstances a data controller. This is the case when it provides for an agenda online where private parties can upload all their personal appointments and contacts. Even if the cloud provider is located outside the EU, it uses means in the EU, thus there is a “use of equipment” that means EU law will be applicable. In order to further explain when EU law is applicable, it is important to note that the directive does not apply when means are used for transit purpose only, but it will again be applicable if the service uses calculating facilities, runs java scripts or installs cookies for the purpose of storing and retrieving personal data of the user. A further consequence of the application the EU law is the appointment of a representative established in the EU, in such a way the controller can eventually be responsible under the EU law.

To sum up, the use of the “equipment/means” criterion must always take into account all relevant elements, otherwise there could be a real risk of the absence of connecting factors with the territory.

The New Perspective in the Regulation Proposal: “Directed To” Criterion

The criteria analysed above could be amended by the European Commission’s recent proposal of regulation. The article 2 (2) provides that “the regulation applies to the processing of personal data of data subjects residing in the Union not carried out in the context of the activities of an establishment of a controller in the Union, where the processing activities are directed to such data subject, or serve to monitor the behavior of such data subject.” The Article 2 (5) d states the regulation does not apply to the data processing when operated “by a person without any gainful interest in the course of its own exclusively personal or household activity, unless personal data of other natural persons is made accessible to an indefinite number of individuals.”

The article 2 (2) eliminates the “equipment/means” criterion to be substituted only by the relevant targeting of the data subject (nationals and residents), this entails that it is sufficient to direct an online service to a European resident to make the controller subject to the EU Law. The recital 15 of regulation proposal specifies that the overall activity of which the data controller was envisaging processing the personal data of the data subject should be taken into account, considering in particular the international nature of the activities or use of the language or currency other than the language or currency generally used in controller’s country of establishment or the use of top-level domain name. In the last part of the recital there is an interesting statement: “The mere accessibility of the controller’s website by a data subject residing in EU is insufficient.” This last provision should bring to the exclusion of “necessary” cookies as a valid ground to claim the EU law application.

Furthermore, it should be considered that any economic operator who targets to an EU data subject (i.e. operator of electronic commerce) will be obliged to appoint a representative established in the EU, leading to a further economic burden to do business in EU territory. This should bring an exemption for SMEs, who cannot afford this burden. Without this exemption, there could be several negative consequences. For example, the representative appointment could be an economic barrier, which strongly restricts the choice of EU consumers who will not be able to purchase online products and services coming from outside of the EU.

With respect to article 2 (5) d, this provision could imply that an individual who posts the personal data of others in a social network or on the Internet could be subject to the EU law.

Conclusion

The choice of the European Commission to enhance the threshold to trigger the application of EU law outside the EU does not seem appropriate to address the future challenges of Internet and could use some amendment. On the other hand, the lack of stronger law enforcement and thus the effectiveness of data protection provisions seems to be the real priority in the international context. Lastly, it should be regarded that the “directed to” criterion pushed towards an exterritorial jurisdiction of the EU law. The worry is that this legal criterion will be considered a mere theoretic principle by Extra EU/EEA countries without further international legal agreements and  strong international cooperation at the EU level.

Fabio Di Resta is an attorney at the Di Resta Law Firm, where he specialises in data protection and IP law. 

Comments

If you want to comment on this post, you need to login.

Related Stories
Corrected text of EU AI Act released
The corrigendum of the EU Artificial Intelligence Act has been released. The document corrects and clarifies language in the act and is required before it can fully come into effect. Editor's note: Explore the IAPP AI Governance Center and subscribe to the AI Governance Dashboard. Full story...
Read More queue Save This
EU questions DSA compliance of TikTok Lite
The European Commission requested a risk assessment from TikTok to ensure compliance with the Digital Services Act after this month's launch of TikTok Lite in France and Spain, Reuters reports. European Commissioner for Internal Market Thierry Breton said he is concerned about TikTok's new app and t...
Read More queue Save This
IAF looks to the privacy industry's future
In a blog post, Information Accountability Foundation Chief Strategy Officer Elizabeth Denham talks about the future of the privacy industry as it faces new challenges. She encouraged readers to broaden their assessments, study new artificial intelligence law requirements and think creatively about ...
Read More queue Save This
Related Stories
Recent Comments