In 1995, the 'Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data' (hereinafter referred to as the '95 Directive') served as the predecessor of the GDPR, setting the minimum standard for personal data protection in EU member states. It did not have direct mandatory force, however, and had to be transposed into national law by each member state before it became applicable. This led to differences and conflicts among member states in their levels of data protection and increased compliance costs for enterprises. In addition, the Directive took the traditional territorial principle as its fundamental basis: only where an establishment existed within the EU, or where data processing activities were carried out within the EU, did the processing fall within the jurisdiction of EU law, so enterprises providing cross-border services could circumvent its scope of application. In order to fully protect the rights of data subjects and create a fair competitive environment, the GDPR, officially implemented on May 25, 2018, expanded the scope of data jurisdiction through the 'establishment standard' and the 'target-oriented standard', extending its jurisdiction beyond the territory of the EU.
What is the "establishment of entity standard"?

Legal guidance: Article 3(1) of GDPR: "This Regulation applies to data controllers or processors established in the European Union who process personal data within the scope of their establishment, regardless of whether the processing occurs within the European Union."
1. The subjects to which this standard applies are data controllers and data processors. What are the data controller and the data processor? According to the GDPR, the core role of the data controller is to determine what data should be processed, when it is processed, who is granted access to it, and which categories of data subjects are concerned. The core role of the data processor is to choose what software is used, what technology is adopted, what storage methods are used, and what security measures are applied.
2. When applying this standard, it is not necessary to consider whether the data processing activities occur within the European Union; the only question is whether the data controller has a real and effective establishment within the European Union. It is noteworthy that the establishment cannot be understood in a purely formal sense, nor should it be understood as requiring a physical presence. The European Court of Justice holds that a flexible approach should be adopted: it is sufficient that "the data controller establishes an effective and real connection with the European Union through stable arrangements". According to the GDPR application guidelines issued by the European Union Data Committee, setting up production lines, data centers, hiring employees, and other activities within the European Union can constitute a "real and effective connection". In order to adapt to the intangible nature of data transactions, the European Union does not require a data controller's establishment in the EU to be directly connected with a specific place or location. On the contrary, as long as the data controller has invested the necessary human and technical resources in the European Union to complete a specific task, and has demonstrated a stable connection with the European Union, it can be considered to meet this standard. This flexible definition allows the data protection regulations of the European Union to adapt to the characteristics of data transactions in the digital age.
3. The "establishment of entity standard" expands the traditional territorial jurisdiction standard. That is, as long as there is a stable economic arrangement between the data controller and the European Union, and the data controller has engaged in activities related to data processing within its business scope, it is subject to the provisions of the GDPR even if it is not the actual processor in the specific data processing activities. For example, an e-commerce website operated by a Chinese company provides cross-border services, and the company has established an office in the European Union responsible for the development and marketing of the European market. The data processing activities carried out by the Chinese company outside the European Union (related to sales activities in the European Union) have an inseparable connection with the development and marketing activities of the office within the European Union. Therefore, the data processing activities of the Chinese company are carried out in the context of the activities of the office (within the European Union), and the Chinese company will be subject to the jurisdiction of the GDPR.
Case: In July 2021, the Dutch Data Protection Authority imposed a fine of 750,000 euros on TikTok for violating children's privacy, the first time a Chinese enterprise was penalized for violating the GDPR. During the proceedings, TikTok raised objections on the grounds that its main establishment is located in Ireland. The Dutch Data Protection Authority, however, held that TikTok had transferred its headquarters to Ireland during the investigation, that the human and resource capacity in Ireland was not sufficient to support its business operations locally, and that there was a suspicion of evading Dutch law enforcement by using the establishment of an entity in Ireland as a pretext. This case fully illustrates that the territorial application of the GDPR and the determination of the competent regulatory authority are assessed in combination with the specific form of the business, rather than being limited to the location of the established entity.
What is the "target-oriented standard"?
Legal guidance: Article 3(2) of GDPR: "This Regulation shall apply to the processing of personal data in the following related activities, even if the data controller or processor has not established an institution within the EU: (i) the provision of goods or services to data subjects within the EU; (ii) the monitoring of activities of data subjects within the EU."
In practice, in order to avoid the consequences of having an establishment within the EU, data controllers or processors outside the EU can choose not to establish an institution within the EU, or to close institutions that have already been established. However, the absence of an institution within the EU does not mean that the data processing of controllers or processors outside the EU is beyond the jurisdiction of the GDPR. The "target-oriented standard" is a supplement to the "establishment of institution standard": it covers data controllers or processors that have not established institutions within the EU. According to this standard, if the activities of the data controller or processor are directly related to the EU and their data processing is aimed at personal data within the EU, the GDPR still applies to them. In other words, even if the data controller or processor has not established an institution within the EU, as long as their business has a direct economic relationship with the EU and the data they process involves personal data within the EU, they still need to comply with the provisions of the GDPR. The scope of the target-oriented standard is therefore extensive, making this expansion of jurisdiction indistinguishable from the protection principle.
1. Providing goods or services to data subjects within the EU
This standard applies to the provision of goods or services to subjects within the EU, regardless of whether the data subject has to pay for the service. When applying this standard, it is necessary to consider the subjective motivation of the data controller or data processor, that is, whether it intentionally targets subjects within the EU when providing goods or services to them. Of course, because the jurisdictional scope of this standard is broad, the EU has also provided an interpretation: the mere fact that EU data subjects can access the website of the data controller is generally not sufficient to conclude that the data controller provides products and services to EU data subjects. The standard does apply, however, if the introduction of the product or service names an EU member state, provides a network address or phone number accessible exclusively from EU member states, or uses the language or currency of one or more EU member states.
2. Monitoring the activities of data subjects within the EU
The term "monitoring" should be interpreted in conjunction with the recitals and guidelines of the GDPR. According to the recitals and relevant provisions of the GDPR, "monitoring" can be understood as the behavior of data controllers tracking, analyzing, and predicting individuals on the internet in order to obtain their personal preferences, behavior, and attitudes. Because all network access leaves personal browsing traces, every visit creates the potential for data analysis. If website operators intentionally or in fact conduct commercial analysis of visitors' product access data and classify visitors into different consumer groups, this constitutes the monitoring behavior described in the GDPR. In addition, the GDPR's broad interpretation of personal data effectively expands the scope of monitoring. The GDPR defines personal data as including IP addresses and data stored on websites and user terminals (such as Cookies). In Google v. Vidal-Hall, the British court ruled that data on users' internet habits and news reading habits stored by web pages (Cookies) constitute personal information. If network service providers can associate IP addresses with other data to identify individuals, this can also be regarded as monitoring of personal information. This means that as long as website operators collect information such as visitors' click-through rates, it may constitute monitoring of the data subject.
In summary, GDPR strengthens the jurisdiction over data controllers and processors with a legal standard centered on the data subject, expanding its control scope in the target market. By introducing the "Establishment Standard" and the "Targeted Standard", GDPR can apply to processing activities related to personal data within the EU, even if the data controllers are located outside the EU. For Chinese companies going abroad, determining the extent to which foreign laws apply to the company is an important starting point for internal compliance work. Even if some companies intend to set up servers and data centers in the EU to avoid data processing in China, the GDPR compliance risk of the Chinese headquarters cannot necessarily be completely isolated. If the data processing decisions of the European business (i.e., the purpose for which data is collected) are mainly made by the headquarters, the servers established in the EU may also be considered as an extension of the Chinese headquarters, leading to Chinese companies not located in the EU being regarded as "indirectly" established in the EU.
