A Luxembourg resident discovered that his data were being processed by two US-based companies, Apollo and RocketReach, which collect and market personal data online. The data subject tried to exercise his right of access and right to erasure (articles 15 and 17 of the GDPR). In both cases, the responses from the two data controllers were neither sufficient nor adequate. As a result, the claimant contacted NOYB, which filed a claim before the CNPD on his behalf.
While the supervisory authority confirmed the applicability of the GDPR to both data controllers, it came to the conclusion that the claims were unfounded and considered that it could not enforce the GDPR against the US data controllers on the basis that they did not have a representative in the EU (this in itself being a violation of article 27 of the GDPR) and that therefore there would be no effective manner of imposing enforcement measures on them.
Despite the applicability of the GDPR, the CNPD notified the claimant of its decision to close the file and the reason for not pursuing his claims any further.
Issues at stake:
These decisions contradict the territorial scope of the GDPR and run counter to the EU legislator’s intention to ensure the protection of data subjects in the EU, which should be effective even when the data controller has no establishment in the EU. This was a major promise of the GDPR: to ensure the universality of data protection rights by setting up a wide territorial scope of application.
The CNPD’s decisions may therefore jeopardise the effectiveness of the GDPR in Luxembourg by inciting entities outside of the EU to not comply with it.
In addition, the CNPD’s position may also affect data subjects’ rights under the Charter of Fundamental Rights of the EU such as:
- The right to have an effective remedy (Article 47(1)); and
- The right to protection of personal data (Article 8).
What is the territorial scope of the GDPR?
The GDPR may apply to the processing of personal data of data subjects who are in the European Union, performed by a controller or a processor whether or not they are established in the EU (article 3 of the GDPR). This is a rather wide scope of application to ensure the protection applies to natural persons, whatever their nationality or place of residence (recital 14 of the GDPR).
The criteria of application take into account two different aspects:
- the question of establishment; and
- the nature of the processing of personal data.
The GDPR is therefore applicable to non-EU organisations if two conditions are met:
- the data relates to data subjects located in the EU;
- the activity relates to offering goods or services, or to the monitoring of their behaviour in the EU.
The important legal aspect here is the presence of the data subject in the EU at the moment the processing takes place.
The processing of personal data needs to be in direct or indirect relation to the offering of goods or services or the monitoring of their behaviour in the EU. The targeting criterion should be analysed in concreto. The European Data Protection Board (“EDPB”) considers factors such as paying a search engine operator for internet referencing to facilitate access to websites from EU consumers, making marketing and advertisement campaigns directed to the EU, the international nature of an activity such as tourism, or specifying service delivery in the EU as relevant to establish that a company is targeting the EU markets.
However, as per recital 23 of the GDPR, “the mere accessibility of the controller’s, processor’s or an intermediary’s website in the EU, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention”.
It should be highlighted that if an organisation that is not established in the EU processes personal data as described in article 3(2) of the GDPR, it has to “designate in writing a representative in the Union” according to article 27(1) of the GDPR.
The designation of a representative aims at facilitating contact between the organisation subject to the GDPR and the competent supervisory authority, as well as with the data subjects located in the EU.
What is the purpose of data protection authorities in the EU and locally?
The GDPR (Article 57) defines the national supervisory authorities’ duties. In particular, a supervisory authority must monitor and enforce the application of the GDPR, ensure compliance with it, as well as deal with complaints lodged by a data subject (Article 80). It has to investigate a data subject’s claim to the extent necessary and keep the complainant informed of the progress and outcome of the investigation. At local level, the CNPD is vested with the same powers (article 7 of the Law of 1 August 2018 on the organisation of the CNPD).
In the case in question, the CNPD justified its position by explaining that national data protection authorities may be faced with the impossibility of examining complaints and can therefore object to conducting investigations into activities carried out outside their borders (recital 116 of the GDPR).
The claimant has requested the Court to overturn the CNPD’s decisions. The outcome of the proceedings before the Luxembourg Administrative Court is therefore highly awaited.
Article provided by: Michel Molitor and Virginie Liebermann (Molitor, Luxembourg)
Dr. Tobias Höllwarth (Managing Director INPLP)