The European Union (EU) Article 29 Working Party (WP29), comprised of the data protection authorities (DPAs) of all EU Member States, released a new opinion on the territorial scope of EU data protection law to non-EU companies. The WP29 opinion is an update to its original stance, based on the Google Spain case. In the Google Spain case, a Spanish man sued Google, Google Spain (an advertising branch of Google), and a local newspaper for retaining and linking to a story about his repossessed home (a matter which he found to be irrelevant and embarrassing because the proceedings had been fully resolved years prior). Among other things, the European Court of Justice held that even though Google’s physical servers were outside of the EU, EU data privacy rules applied because Google had a subsidiary in Spain promoting and advertising for it (which the court found to be an “inextricable link” to the EU). The opinion made it clear that the EU Data Protection Directive 95/46/EC applies to foreign companies that do not reside in the EU if their conduct is “inextricably linked” to entities in the EU.
With its new opinion, WP29 states that the Google Spain judgment provided useful clarification on two aspects:
- the scope of current EU law extends to processing carried out by non-EU entities with a “relevant” establishment whose activities in the EU are “inextricably linked” to the processing of data, even where the applicability of EU law would not have been triggered based on more traditional criteria; and
- the judgment also confirms that – where there is an “inextricable link” – according to Article 4(1)(a) of Directive 95/46/EC, there may be several national laws applicable to the activities of a controller having multiple establishments in various Member States.
The WP29 opinion clarifies that the Article 4(1)(a) territoriality requirements of Directive 95/46/EC mean that the Directive applies to non-EU entities whose EU subsidiary is performing processing merely “in the context of activities” of the non-EU entity, not that the processing in question necessarily be carried out by the EU establishment. The DPAs note that the Directive 95/46/EC applies when the EU branch or subsidiary “orientates its activity towards the inhabitants of that Member State” (e.g., Member State oriented advertising). The WP29 goes so far as to say that there could be an “inextricable link” between the activities of the EU establishment and the data processing of the non-EU controller, “even if the local establishment is not involved in any direct way in the processing of data.” For example, according to the European Court of Justice, when the EU establishment raises revenues there could be an “inextricable link” triggering the Directive’s application.
This opinion broadens the understanding of the territorial scope of the Directive 95/46/EC with respect to foreign companies with unrelated (though “inextricably linked”) entities in the EU. Because of this broad interpretation of scope, non-EU companies with any entities in the EU should consider that the Directive 95/46/EC may apply to their data processing outside of the EU.