Professional Documents
Culture Documents
Global Applicability of The GDPR in Context
Global Applicability of The GDPR in Context
3 ARTICLE 225
*Associate Professor in European Law, DIHR, Faculty of Law, Department of of 27 April 2016, on the protection of natural persons with regard to the
Law, Stockholm University, , Email:claes.granmar@juridicum.su.se processing of personal data and the free movement of such data, and
The author would like to thank everyone at the Institute for European and repealing Directive 95/46/EC, Official Journal (‘OJ’) 2016 L 119/1.
Comparative Law (IECL), Oxford University, for their support and encour- 2 Consolidated version of the TEU and TFEU, OJ 2012 C 326/1.
agement in the course of researching the GDPR as a visiting fellow. 3 EU Charter, 2010 OJ C 83/389.
1 EDPB guidelines 3/2018 on the territorial scope of the GDPR (Art 3), 4 See as to the ‘constitutional fabric’ of the GDPR, Communication from
Version 2.0, 12 November 2019, <https://edpb.europa.eu/our-work- the Commission, Exchanging and Protecting Personal Data in a Global
tools/our-documents/riktlinjer/guidelines-32018-territorial-scope-gdpr- World, [2017] COM 7 final.
article-3-version_en> accessed 03 April 2021. Regulation (EU) 2016/679
fields of secondary legislation. In this piece, the EDPB guide- exported by legal entities caught by the Regulation, the
lines are discussed in the context of a systematic construc- need for undertakings not having a main establishment
tion of Article 3 of the GDPR, and as a result, it is possible to in the Union to align their business models with EU
make more solid policy recommendations.5 data protection standards, depends on the territorial
scope of the GDPR. It is the purpose of this article to
explore and explain the applicability of the Regulation
Article 3 of the GDPR and in relation to undertakings that are headquartered in a
5 A draft of this article was published in the DiVA open access portal 03 10 Compare with Joined Cases C–293/12 and C–594/12 Digital Rights
January 2019. Ireland and Kärntner Landesregierung, ECLI:EU:C:2014:238; and Joined
6 Compare with the Opinion of Advocate General Saugmansgaard Øe on Cases C–203/15 and C–698/25 Tele2 Sverige AB and Secretary of State of
Case C–311/18 Data Protection Commissioner v Facebook Ireland Ltd and the Home Department, EU:C:2016:970.
Maximiliam Schrems, ECLI:EU:C:2019:1145. Compare with World Trade 11 Articles 44–45 of the GDPR and Recitals 101–108 in the preamble to the
Organization’s, Work Programme on Electronic Commerce (WPEC) GDPR.
adopted on 25 September 1998, WT/L/274. 12 Case C–311/18 Data Protection Commissioner v Facebook Ireland Ltd and
7 See, eg DJB Svantesson, ‘Extraterritoriality of EU Data Privacy Law – Its Maximiliam Schrems, ECLI:EU:C:2020:559 (‘Schrems II’) where the
Theoretical Justification and Its Practical Effects on U.S. Businesses’ Court ruled on Commission Decision (EU) 2016/1250 of 12 July 2016 on
(2014) 1 Stanford Journal of International Law 53; and C Kuner, the adequacy of the EU US Privacy Shield, 2016 OJ L207/1.
‘Extraterritoriality and Regulation of International Data Transfer in EU 13 Recitals 22–25 in the preamble to the GDPR.
Data Protection Law’ (2015) 4 International Data Privacy Law 235. 14 Directive 95/46/EC of 24 October 1995 on the protection of individuals
8 See M Cremona and J Scott, EU Law Beyond EU Borders (Oxford with regard to the processing of personal data and on the free movement
University Press, Oxford, 2019). of such data, 1995 OJ L281/31.
9 See, eg the USA Patriot Act (HR 3162) of 24 October 2001; the USA
CLOUD Act (HR 4943) of 2 June 2018; and the US Supreme Court in
United States v Microsoft Corp, No 17–2, 584 US (2018).
Claes G. Granmar Global Applicability of the GDPR in Context ARTICLE 227
systems to the DPD, it was considered necessary to clar- Data protection, the rule of law and the
ify that the domestic legislation should transpose the di- ‘methodological source code’ of EU law
rective also when applied beyond the State’s territory in
for instance embassies, consulates and on ships. By con- In the introduction to the EDPB guidelines, it is said
trast, an EU Regulation is per definition directly applica- that the GDPR ‘in part confirms choices made’ by the
ble as law in the domestic legal systems.15 Hence, the EU legislator and the Court of Justice in the context of
GDPR applies as domestic law beyond the EU territory applying the revoked DPD. True, a legislator has a cer-
15 Article 288 of the TFEU. Communication from the Commission, States, of the other part, 2017 OJ L11/23; and Commission implementing
Stronger Protection, New Opportunities – Commission Guidance on the decision (EU) 2019/419 of 23 January 2019 pursuant to Regulation (EU)
Direct Application of the General Data Protection Regulation of 25 May 2016/679 of the European Parliament and of the Council on the adequate
2018, [2018] COM 43 final. protection of personal data by Japan under the Act on the Protection of
16 Compare with the EDPB guidelines (n 1) 22–23. Personal Information, 2019 OJ L76/1.
17 There are 13 Overseas Countries and Territories, see <http://www.octas 20 See, eg Agreement on Air Transport between Canada and the European
sociation.org/> accessed 29 July 2020, and nine Outermost Regions, see Community and its Member States, 2010 OJ L207/33. See also alternative
<https://www.europarl.europa.eu/factsheets/en/sheet/100/outermost- venues under Arts 46–50 of the GDPR. In addition, the GDPR provides a
regions-ors-> accessed 29 July 2020. See, eg as to the relation between legal framework for private measure such as binding corporate rules.
the EU, Denmark and Greenland, Council Decision 2014/137/EU 2014 21 See Case C–621/18 Andy Wightman and Others v Secretary of State for
OJ L76/1, and the Danish law Anordning om ikraftraeden for Gronland Exiting the European Union, ECLI:EU:C:2018:999; and Art 31 of the
af lov om behandling af personuplysningen, Lovtidene A Nr 1238, 15 Vienna Convention on the Law of Treaties, 23 May 1969, United Nations
October 2016. Treaty Series vol 1155, 331.
18 Treaty of Oporto, 1994 OJ L1/3. 22 See, eg T Hartley, Constitutional Problems of the European Union (Hart,
19 See, eg the Comprehensive Economic and Trade Agreement (CETA) be- Oxford, 1999) 152 et sec.
tween Canada, of the one part, and the European Union and its Member
228 ARTICLE International Data Privacy Law, 2021, Vol. 11, No. 3
and family life, home and communications’, and Article citizens and those of the Member States [. . .]’. In many
8 thereof establishes even more unequivocally the ‘right instances, a teleological and consistent approach are vir-
to the protection of data concerning him or her’.23 tually two sides of the same coin.28 Article 13 of the
Along the lines of Article 5(2) of the TEU, the Court of TEU also stipulates that the Union shall ‘[. . .], ensure
Justice has reiterated that situations cannot exist which the consistency, effectiveness, and continuity of its poli-
are covered by EU law without the rights enshrined in cies and actions.’ Article 7 of the TFEU summaries the
the Charter being applicable.24 Indeed, the rights to pri- EU competences by establishing that ‘the Union shall
23 Case C–131/12 Google Spain SL and Google Inc v Agencia Espa~ na 29 Compare with Case C–210/16 Unabhängiges Landeszentrum für
Proteccion de datos (AEPD) and Mario Costejo González, Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein
ECLI:EU:C:2014:317 (‘Google I’) paras 68–69, 74, 81, 97, and 99. See as GmbH, ECLI:EU:C:2018:388 (‘Facebook Insights’) para 47; eg Case C–
to ‘horizontal direct effect’ of the EU Charter in, eg Case C–414/16 343/19 Verein für Konsumentinformation v Volkswagen AG,
Vera Egenberger v EvangelischesWerk für Diakonie und Entwicklung e.V., ECLI:EU:C:2020:534, para 19. See also Case C–398/15 Camera di
ECLI:EU:C:2018:257. Commercio, Industria, Artigianato e Agricoltura di Lecce v Salvatore
24 See, eg Case C–617/10 Åklagaren v Hans Åkerberg Fransson, Manni, ECLI:EU:C:2017:197.
ECLI:EU:C:2013:105, paras 21–22. 30 See, eg Article 8 of the GDPR on the definition of ‘child’, and Recital 10
25 In the context of data protection, the Court of Justice has clarified the in the preamble to the GDPR. See also K Lenaerts, ‘Interlocking Legal
territorial importance of proportionality in Case C–507/17 Google v Orders in the European Union and Comparative Law’ (2003) 52
CNIL (‘Google II’), ECLI:EU:C:2019:772. International and Comparative Law Quarterly873, 902; and C Granmar,
26 Compare with Report of the Secretary-General Kofi Annan to the United ‘Chronopost: Horizontal Harmonization through Overlapping National
Nations Security Council, ‘The Rule of Law and transnational justice in Jurisdictions’ (2012) 4 Europarättslig Tidskrift 681 et sec.
conflict and post conflict societies‘, S/2004/616, 23 August 2004. 31 See references to other legal frameworks in Articles 2, 4(25), 21, 43, 76,
27 This is the ‘law’ that the Court of Justice shall recognize under Article 19 and 95 of the GDPR, and in Recitals 17, 19, 21, 35, 42, 54, 106, 147, 154,
of the TEU. 161, 163, 167, 172, and 173 thereof.
28 See for an overview of provisions requiring consistency in RA Wessel and 32 See as to freedom of expression Article 85 of the GDPR and Recital 153
J Larik, ‘The European Union as a Global Actor’ EU External Relations thereof. See also the EDPB guidelines 5/2019 on the Criteria of the Right
Law (Hart, Oxford, 2020). to Be Forgotten in the search engines cases under the GDPR (Part 1),
Version 2.0, 7 July 2020 (‘EDPB search engine guidelines’) 9, 11–16. See
also, eg Case C–136/17 GC, AF, BH, ED v CNIL, EU:C:2019:773 (‘Google
Claes G. Granmar Global Applicability of the GDPR in Context ARTICLE 229
‘digital internal market’.33 Hence, the GDPR must tally Furthermore, legislation builds as far as possible on ear-
with legislation regarding for instance e-commerce, lier legal structures and codifies, if suitable, the case law
‘cookies’, geo-blocking, consumer protection, company regarding repealed acts. On that note, Article 3 of the
law, and intellectual property rights.34 However, hori- GDPR testifies to the lessons learned from applying
zontal consistency is required more broadly, and the Article 4 of the DPD, but also to a changing techno-so-
GDPR must not contradict eg competition law and vice cial context. In the age of digital globalization, location
versa.35 In addition, specific trade-offs between data of data in interlinked computer networks is an ill-suited
III’); and Joined Cases C–92/09 and C–93/09 Volker und Markus Schecke kd0419345enn.pdf> accessed 29 July 2020. See also C Granmar, ‘The
GbR and Hartmuns Eifert v Bundesanstalt für Landwirtschaft und Cases Regarding Premier League: In Pursuit of Unity and Coherency of the
Ernährung, EU:C:2010:662. European Union Legal Order’ (2012) 1 Europarättslig Tidskrift 96 et sec.
33 Communication from the Commission, A Digital Single Market Strategy 36 Directive 2002/21/EC of 7 March 2002 on a common regulatory frame-
for Europe, (2015) COM 192 final. See also Communication from the work for electronic communications networks and services, 2002 OJ
Commission, on the Mid-Term Review on the implementation of the L108/33 (under revision); Regulation (EU) 2018/1725 of 23 October
Digital Single Market Strategy – A Connected Digital Single Market for All, 2018 on the protection of natural persons with regard to the processing
(2017) COM 288 final. See also, eg N Helberger, F Zuiderveen Borgesius, of personal data by the Union institutions, bodies, offices and agencies
and A Reyna, ‘The Perfect Match? A Closer Look at the Relationship be- and on the free movement of such data and repealing Regulation (EC)
tween EU Consumer Law and Data Protection Law’ (2017) 54 Common No 45/2001 and Decision No 1247/2002/EC, 2018 OJ L295/39; and
Market Law Review 1427. Directive (EU) 2016/680 of 27 April 2016 on the protection of natural
34 See, eg Directive 2000/31/EC of 8 June 2000 on certain legal aspects of in- persons with regard to the processing of personal data by competent au-
formation society services, in particular electronic commerce, in the thorities for the purpose of the prevention, investigation, detection or
Internal Market, 2000 OJ L178/1 (under revision); Directive 2009/136/ prosecution of criminal offences or the execution of criminal penalties,
EC of 25 November 2009 amending Directive 2002/22/EC (now and on the free movement of such data, and repealing Council
repealed), Directive 2002/58/EC concerning processing of personal data Framework Decision 2008/977/JHA, 2016 OJ L119/89.
and the protection of privacy in the electronic communication sector 37 See Articles 3(5) and 21 of the TEU.
and Regulation (EC) No 2006/2004 on cooperation between national au- 38 Article 3(2) of the TEU and 216(1) of the TFEU, respectively, and eg
thorities responsible for the enforcement of consumer protection laws, Opinion 1/13 EU:C:2014:2303; and Opinion 2/13 EU:C:2014:2454.
2009 OJ L337/11; Directive (EU) 2019/790 on copyright and related Compare with Case C–311/18 Schrems II (n 12); and C–362/14
rights in the digital single market and amending Directives 96/9/EC and Maximillian Schrems v Data Protection Commission and joined party
2001/29/EC, 2019 OJ L130/92. See for the time being proposal for a Digital Rights Ireland, ECLI:EU:C:2015:650 (‘Schrems I’).
Digital Service Act COM/2020/825/final; and for a Digital Market Act 39 Communication from the Commission, A Comprehensive Approach on
COM/2020/842/final. Personal Data Protection in the European Union, (2010) COM 609 final,
35 Joined Cases C–403/08 and C–429/08 Football Association Premier League 19.
Ltd and Others v QC Leisure and Others and Karen Murphy v Media 40 See, eg KL Jackson and S Goessling, ‘Architecting Cloud Computing
Protection Services Ltd, ECLI:EU:C:2011:631; Commission decision of 27 Solutions: Build Cloud Strategies that Align‘ (Packt, Birmingham, 2018).
June 2017 in Case Google Search (Shopping) AT.39740 C (2017) 4444 fi-
41 Observed already in C Millard, ‘Proposed EC Directives on Data
nal.; and Commission report by J Crémer, Y-A de Montjoye, and H
Protection’ (1990–91) 7 The Computer Law and Security Review 20 et
Schweitzer, Competition Policy for the Digital Era (2019), European
sec.
Commission. <https://ec.europa.eu/competition/publications/reports/
230 ARTICLE International Data Privacy Law, 2021, Vol. 11, No. 3
establishment of the processor is therefore relevant for the between a factual and formal understanding of ‘control-
determination of the territorial scope of the GDPR. Hence, ler’ is rather factitious.46 There is always a formal side to
when applying Article 3 of the GDPR to data processing af- legal requirements and yet, the letter of the law should be
ter 25 May 2018, the consistency requirement implies that applied in a purposeful way when taking all the relevant
the provision shall as far as possible be read in the light of facts in the individual case into consideration. Perhaps
the rulings regarding Article 4 of the DPD.42 more accurately, formal legal requirements are facts to
take into consideration when shaping conceptual build-
42 Article 94 of the GDPR. Compare with Case C–136/17 Google III (n 32) lines_on_controller_processor_and_jc_reg_2018_1725_en.pdf> accessed
para 33; Opinion of Advocate General Saugmansgaard Øe on Case C– 31 July 2020.
311/18 Schrems II (n 6) paras 88–93. 46 Art 29 WP Opinion 1/2010 (n 44) 9–12. See also Art 29 WP, ‘Opinion
43 EDPB guidelines (n 1) 5. 10/2006 on the processing of personal data by the Society for Worldwide
44 Supra (n 43) 6. Art 29 WP ‘Opinion 1/2010 on the Concepts of Interbank Financial Telecommunication (SWIFT)’ (WP 128, 22
‘Controller’ and ‘Processor’’ (WP 169, 16 February 2010) (‘Art 29 WP November 2006).
Opinion 1/2010’) 8. EDPB Guidelines 7/2020 on the concepts of control- 47 Art 29 WP Opinion 1/2010 (n 44) 15.
ler and processor in the GDPR, Version 1.0, 2 September 2020 (‘EDPB 48 Art 29 WP Opinion 1/2010 (n 44) 13–15.
Guidelines 7/2020’) <https://edpb.europa.eu/our-work-tools/public-con 49 Art 29 WP Opinion 1/2010 (n 44) 32; EDPB Guidelines 7/2020 (n 44)
sultations-art-704/2020/guidelines-072020-concepts-controller-and-pro 12–15.
cessor_en> accessed 03 April 2021.
50 Art 29 WP Opinion 1/2010 (n 44) 13; EDPB Guidelines 7/2020 (n 44) 3.
45 EDPB guidelines (n 1) 4. Compare with European Data Protection
51 Article 26 of the GDPR and Case C–25/17 Tietosuojavaltuutettu,
Supervisor guidelines on the concepts of controller, processor and joint
ECLI:EU:C:2018:551, paras 63–75.
controllership Under Regulation (EU) 2018/1725, 7 November 2019
<https://edps.europa.eu/sites/edp/files/publication/19-11-07_edps_guide 52 See, eg the EDPB Guidelines 7/2020 (n 44) 25–26.
Claes G. Granmar Global Applicability of the GDPR in Context ARTICLE 231
a purely personal or household activity is pursuant to In the Google Spain ruling, a daily newspaper with a
Article 2(2)(c) of the GDPR excepted from the substan- large circulation in Spain, had published notices on its
tive scope of the Regulation.53 However, the Court of website of a real estate auction that was organized by
Justice has along the lines of general principles of EU the Spanish Ministry of Labour and Social Affairs. As
law interpreted and applied this statutory exception the notices had not been removed from the website
from the fundamental rights of data subjects in the twelve years later upon request, the data subject filed a
Union restrictively. Famously, in the Lindquist Case the complaint with the Spanish Data Protection Authority
53 Compare Article 2(2)(c) of the GDPR with Recital 18 thereof. 56 See Communication from the Commission, Online platforms and the
54 Case C–101/01 Bodil Lindqvist, ECLI:EU:C:2003:596 (‘Lindquist’) para Digital Single Market Opportunities and Challenges for Europe, (2016)
27; Case C–212/13 Frantis ek Rynes v Ú
r ad pro ochranu osobnı́ch údajů, COM 288 final. See also Case C–131/12 Google I (n 23).
ECLI:EU:C:2014:2428; and Case C–345/17 Sergejs Buivids, 57 Case C–131/12 Google I (n 23) paras 14–20.
ECLI:EU:C:2019:122. 58 Case C–131/12 Google I (n 23)para. 49.
55 See section ‘Data protection, the rule of law and the “methodological 59 See Commission report by Crémer, de Montjoye, and Schweitzer (n 35).
source code” of EU law”. 60 Case C–131/12 Google I (n 23) paras 14–15. It must be said that the
EDPB Guidelines 7/2020 (n 44) are conspicuously silent on this matter.
232 ARTICLE International Data Privacy Law, 2021, Vol. 11, No. 3
What makes the Google Spain ruling problematic is about the person who had been on dire straits.
that the Court of Justice explained in general terms that Although that could prima facie make the end-users the
the provider of a search engine shall be considered the controller of the processing activity, or at least a joint
controller of a processing activity since it has a purpose controller, the individual’s freedom of expression would
that can be distinguished from the purpose of a legal en- prevail in most proportionality tests.68 Furthermore,
tity providing media content.61 This line of reasoning there are a fortiori weak incentives to enforce the data
seems rather backwards. Why should the fact that a protection rights against individual internet users since
61 Case C–131/12 Google I (n 23) paras 32–35. See also Case C–136/17 66 Case C–40/17 Fashion ID & CO KG v Verbraucherzentrale NRW eV,
Google III (n 32) para 36; and Recitals 81–82 in the preamble to the ECLI:EU:C:2019:629 (‘Fashion ID’).
GDPR. See also Art 29 WP ‘Opinion 1/2008 on data protection issues re- 67 See Case C–101/01 Lindquist (n 54).
lated to search engines’ (WP148, 4 April 2008) (‘Art 29 WP Opinion 1/ 68 Recital 4 GDPR. See also Section ‘Data protection, the rule of law and
2008’) 9; and Art 29 WP ‘Opinion 5/2009 on online social networking’ the “methodological source code” of EU law’.
(WP163 12 June 2009) (‘Art. 29 WP Opinion 5/2009’)] 9.
69 Recital 18 in the preamble to the GDPR. Compare with Art 29 WP
62 Art 29 WP Opinion 1/2010 (n 44) 9. See also the absence of clarification Opinion 5/2009 (n 61) 5–7.
in Case C–136/17 Google III (n 32).
70 Articles 25 and 47 of the GDPR, Recitals 78 and 108 in the preamble to
63 Articles 17 and 21 of the GDPR and Recital 65 thereof. See also the the GDPR. Case C–131/12 Google I (n 23) para 36.
EDPB search engine guidelines (n 32) 4–9. See also Case C–507/17
71 Compare with Article 17(9) in Directive (EU) 2019/790 (n 34). See also
Google II (n 25).
Article 22 of the GDPR.
64 See Section ‘A system-coherent concept of “controller”’. Recital 18 in the
72 Art 29 WP Opinion 1/2010 (n 44) 25.
preamble to the GDPR. Compare with the reasoning in Case C–131/12
Google I (n 23) 40. 73 Ibid.
65 Compare with EDPB search engine guidelines (n 32) 5. There are also
other remedies available under civil and criminal law.
Claes G. Granmar Global Applicability of the GDPR in Context ARTICLE 233
processor involved. However, when stretching the con- a legal entity that processes data on behalf of someone
cept of ‘controller’ as the Court of Justice did in the else a ‘processor’.
Google Spain Case, the distinction between the ‘control- In contrast to operators of search engines, for in-
ler’ and the ‘processor’ collapses in a factual analysis.74 stance an internet service provider (‘ISP’) or a provider
Indeed, the ‘factual’ approach advocated by the EDPB of a social media platform or an online marketplace
easily leads astray and may casue inconsistencies in the normally has contracts with its end-users.78 However,
Union legal order.. If anyone who de facto processes these ‘click-and-wrap’ contracts rarely afford the end-
74 Compare with the need for a clear allocation of responsibilities expressed 80 Communication from the Commission (n 56); See also the proposed
in Recital 79 in the preamble to the GDPR. Digital Service Act Package (n 34). See as to ‘over-the-top’ electronic
75 Art 29 WP Opinion 1/2010 (n 44) 11. communication (n 36). See also Regulation (EU) 2019/1150 of 20 June
76 Art 29 WP Opinion 1/2010 (n 44)24–31. EDPB Guidelines 7/2020 (n 44) 2019 on promoting fairness and transparency for business users of online in-
10–11. termediation services, 2019 OJ L186/57.
77 Article 28 of the GDPR. 81 See section ‘Data protection, the rule of law and the “methodological
source code” of EU law’.
78 See Case C–210/16 Facebook Insights (n 29); and Case C–191/15 Verein
für Konsumentinformation v Amazon EU Sàrl, ECLI:EU:C:2016:612 82 Recital 81–82 in the preamble to the GDPR. See also Art 29 WP Opinion
(‘Amazon EU’). 1/2008 (n 61) 9.
79 Compare with Art 29 WP Opinion 5/2009 (n 61). 83 See section ‘Data protection, the rule of law and the “methodological
source code” of EU law’.
234 ARTICLE International Data Privacy Law, 2021, Vol. 11, No. 3
perhaps unusual situation where a natural person who ‘for his or her own purposes, outside the scope and the
is in the Union is the controller of an activity, it tran- possible control of the legal person’s activities.’89 Since
spires from the Lindquist Case that EU law applies by the place where the employee is when processing the
default.84 Arguably, the situation where a natural person data is immaterial for determining whether the em-
residing in a third country processes data for private ployer is established in the Union, the Regulation is in-
purposes in the Union beyond the scope of Article applicable pursuant to Article 3(1) of the GDPR if the
2(2)(c) of the GDPR could be distinguished from the employee is in the Union at the time, but the employer
84 See, eg Case C–101/01 Lindqvist (n 54); and Case C–40/17 Fashion ID (n 89 Art 29 WP Opinion 1/2010 (n 44) 16.
66). 90 Compare with the discussion on the Google Spain Case in section ‘A sys-
85 See section ‘Article 3 of the GDPR and extraterritorial data protection’. tem-coherent concept of “controller”’.
86 Art 29 WP Opinion 1/2010 (n 44) 15–16. 91 See, eg Case C–55/94 Reinhard Gebhard v Consiglio dell’Ordine degli
87 Case 66/85 Deborah Lawrie-Blum v Land Baden Württemberg, Avvocati e Procuratori di Milano, ECLI:EU:C:1995:411 (‘Gebhard’) para
ECLI:EU:C:1986:284; Case C–138/02 Brian Francis Collins v Secretary of 20.
State for Work and Pension, ECLI:EU:C:2004:172; and Case C–196/87 92 By contrast, the location of the ISP providing the communication serv-
Udo Stayman v Staatssecretaris van Justitie, ECLI:EU:C:1988:475. ices is immaterial.
88 See section ‘A system-coherent concept of “processor”’.
Claes G. Granmar Global Applicability of the GDPR in Context ARTICLE 235
islative acts relating to the GDPR is defined in terms of Italy, the Court expanded on the EU law concepts of
an establishment or residence in a Member State.93 Then ‘services’ and ‘establishments’.98 According to the
again, both system-coherency and teleology tell against Court, ‘establishment’ is a broad concept allowing an
a construction implying that third country residents EU citizen to ‘participate, on a stable and continuous
processing data in the Union for private purposes would basis, in the economic life of a Member State other than
escape the scope of the Regulation. In addition, there is his State of origin and to profit therefrom, so contribut-
no Union-wide definition of ‘domicile’, and it would ing to economic and social interpenetration within the
93 Article 1(2) Regulation (EU) 2019/1150 (n 80); Article 8(7)(b) Directive 101 Case C–55/94 Gebhard (n 91) para 27.
(EU) 2019/790 (n 34). 102 Case C–215/01 Bruno Schnitzer, ECLI:EU:C:2003:662, para 40.
94 See section ‘A system-coherent concept of “controller”’. 103 Case C–55/94 Gebhard (n 91) para 27. See nowadays Directive 2006/123/
95 EDPB guidelines (n 1) 6. EC of 12 December 2006 on services in the internal market, 2006 OJ
96 Compare with EDPB guidelines (n 1) 6–7. L376/36.
97 See section ‘Data protection, the rule of law and the “methodological 104 See section ‘Data protection, the rule of law and the “methodological
source code” of EU law’. source code” of EU law’. Case C–191/15 Amazon EU (n 78) para 76. See
98 Case C–55/94 Gebhard (n 91). also Case C–347/09 Criminal proceedings against Jochen Dickinger and
Franz Ömer, ECLI:EU:C:2011:582 (‘Dickinger and Ömer’), paras 33–34.
99 Case C–55/94 Gebhard (n 91)para 25.
100 Case C–131/01 Commission v Italy, ECLI:EU:C:2003:96.
236 ARTICLE International Data Privacy Law, 2021, Vol. 11, No. 3
Article 3(1) of the GDPR and an EU decision-making powers.111 However, the ‘group of
establishment ‘of’ the controller or undertakings’ that is recognized in the GDPR, encom-
passes also merely affiliated undertakings that process data
processor under the control of the determining body. Such a deter-
Obviously, only an ‘establishment’ in the Union can be mining body can be a corporate group, a specific com-
an EU establishment of a controller or a processor. pany or a self-employed person. Hence, the determining
Hence, the EDPB is wrong when maintaining that ‘in body may have a single establishment or several establish-
105 EDPB guidelines (n 1) 6. 112 See the cases on ‘main establishment’ under Art 54 TFEU such as Case
106 See for an overview S Grundmann, European Company Law, Finance and C–212/97 Centros Ltd v Erhvervs- og Selskabsstyrelsen,
Capital Markets (2nd edn, Intersentia, Cambridge, 2012). ECLI:EU:C:1999:126.
107 Fd Saussure, Courses in General Linguistics (trans W Baskin, ed P Meisel 113 See also Recital 36 in the preamble to the GDPR. L Tosini, ‘Main
and H Saussy, Columbia University Press, New York, 2011). Establishment’, in C. Kuner and others (eds), The EU Data Protection
108 See also Recital 36 in the preamble to the GDPR. Regulation (GDPR): A Commentary (Oxford University Press, Oxford,
2020).
109 True, Recital 37 primarily clarifies the impact assessment procedure un-
der Article 35 of the GDPR, and the rules in Article 47 thereof concerning 114 See eg the EDPB guidelines (n 1), referring in this context to the intra-
adoption of binding corporate rules. But consistency requires that the Union data processing Case C–230/14 Weltimmo s.r.o. v Nemzeti
definition has a more general applicability under the Regulation. Adatvédelmi és Információszabadság Hatóság, ECLI:EU:C:2015:639
(‘Weltimmo’).
110 Article 29 of the GDPR; Recital 48 thereof.
115 See eg Case C–210/16 Facebook Insights (n 29) para 65; and Case C–311/
111 See, eg Case C–107/83 Ordre des Avocats au Bearreau de Paris v Onno
18 Schrems II (n 12).
Klopp of the Düsseldorf Bar, ECLI:EU:C:1984:270.
Claes G. Granmar Global Applicability of the GDPR in Context ARTICLE 237
pursuant to Article 4(16)(b) GDPR, may seem irrecon- Hence, the provision encompasses three categories of
cilable with Article 3(1) of the GDPR. If it is immaterial establishments ‘of’ controllers or processors. It may be a
for the applicability of the Regulation under Article 3(1) subsidiary in a corporate group, an affiliated legal entity
of the GDPR whether the ‘processing takes place’ in the in a group of undertakings that processes data under
Union, how come the main establishment is defined in the immediate control of the determining body, or an
terms of where the ‘main processing activities’ take affiliated legal entity in a group of undertakings that
place? With a view to reconcile the two provisions, a processes data beyond the determining body’s immedi-
116 See section ‘Data protection, the rule of law and the “methodological (n 114) para 51; Case C–191/15 Amazon EU (n 78); and Case C–131/12
source code” of EU law’. Google I (n 23).
117 Case C–210/16 Facebook Insights (n 29) para 74. 121 Case C–347/09 Dickinger and Ömer (n 104) para 35. See also the concept
118 See also Art 29 WP ‘Guidelines for identifying a controller or processor’s of intermediaries in Dir 2000/31/EC (n 34).
lead supervisory authority’ (WP 244, 13 December 2006) (‘Art 29 WP 122 See by contrast online platforms, in eg Case C–210/16 Facebook Insights
lead supervisory authority guidelines’). (n 29).
119 Case C–210/16 Facebook Insights (n 29) paras 50–74. See also section ‘A 123 Case C–230/14 Weltimmo (n 114) para 86.
controller or a processor in the Union and the concept of establishment’. 124 Case C–230/14 Weltimmo (n 114)para 14.
120 See Articles 51, 52, and 55 of the GDPR and the Art 29 WP lead supervi-
sory authority guidelines (n 118) 5–8. See also Case C–230/14 Weltimmo
238 ARTICLE International Data Privacy Law, 2021, Vol. 11, No. 3
and asked the Court of Justice for clarifications on inter controller or processor applies under Article 3(1) of the
alia the meaning of ‘an establishment of a controller’.125 GDPR.
In the light of the objectives to be pursued, ‘consist- In its guidelines, the EDPB suggests that all activities
ing in ensuring effective and complete protection of the which are ‘inextricably linked’ to a given processing ac-
right to privacy and in avoiding circumvention of na- tivity can make a legal entity in the Union an EU estab-
tional rules’ the Court established, ‘that the presence of lishment of the controller or processor.131 However,
only one representative can, in some circumstances, suf- that is a rather fragile hypothesis. Data processing by
125 Case C–230/14 Weltimmo (n 114)paras 15–18. 132 EDPB guidelines (n 1) 7; Case C–230/14 Weltimmo (n 114);
126 Case C–230/14 Weltimmo (n 114)para 30. Communication from the Commission, A comprehensive approach on
127 Case C–230/14 Weltimmo (n 114)para 33. personal data protection in the European Union (n 39).
128 Ibid. 133 See section ‘A system-coherent concept of “processor”’.
129 Case C–230/14 Weltimmo (n 114)paras 31, 32. 134 See the suggested ‘threefold approach’ in the EDPB guidelines (n 1) 5.
However, a slightly difference approach is used here for the sake of
130 This shall be distinguished from a ‘representative’ appointed under Art
clarity.
27 of the GPDR as defined in Art 4(17) of the GDPR.
131 EDPB guidelines (n 1) 8.
Claes G. Granmar Global Applicability of the GDPR in Context ARTICLE 239
data processing in legal and administrative affairs to be only an activity that contributes to the achievement of the
a relevant context. goals of a given processing activity to be a relevant con-
In its guidelines, the EDPB makes an effort to clarify text. Hence, the validity of the interpretative data pro-
the meaning of the required ‘context’ in terms of contri- vided in Google Spain must be called into question.137
butions made in the Union to the revenues of the con-
troller or processor.135 However, if ‘revenue-raising’ is
decisive for whether data has been processed in the con-
liability whether an EU controller can be considered an context of the activities of an EU establishment of the
EU establishment of the processor. processor, that entity is an EU establishment of the con-
Thirdly, with regard to the reverse situation, where troller only if stipulated in a contract. Hence, the re-
the processor is in the Union and the controller in a quirement to confer obligations on the sub-processor
third county, the EDBP guidelines are even more puz- enshrined in Article 28(4) of the GDPR is inapplicable,
zling.142 In that case, data processing is according to the albeit the processor with an EU establishment must still
EDPB, not carried out in the context of the activities of abide by the Regulation.146
142 See section ‘A system-coherent concept of “controller”’. 146 Lexically, Article 28(4) of the GDPR does not hinder such a construction,
143 EDPB guidelines (n 1) 12. but the ‘controller’ should arguably be subject to the GDPR without a
144 See sections ‘A system-coherent concept of “controller”” and “A system- need to apply Article 3 thereof.
coherent concept of “processor”’. 147 See eg EDPB guidelines (n 1) 15.
145 See section ‘A system-coherent concept of “processor”’. 148 See section ‘Article 3(1) of the GDPR and an EU establishment “of” the
controller or processor’.
Claes G. Granmar Global Applicability of the GDPR in Context ARTICLE 241
cessor in the Union, or in the context of the activities of an whether a ‘payment’ is required.153 In a systematic
establishment in the Union of the controller or processor. analysis, this concept of commercial offers tallies with
As recognized in the EDPB guidelines, the fact that the market definitions in competition law and relates to
the Regulation shall pursuant to Article 3(2) of the the debate on whether personal data can be considered
GDPR apply to any data subject in the Union and not a ‘payment’.154
only to EU citizens, is consistent with the fundamental More importantly, the EDPB discusses the factors
rights to data protection enshrined in Article 8 of the that should according to the Court of Justice in joined
149 EDPB guidelines (n 1) 14–15. See also the Recital thereof. 155 EDPB guidelines (n 1) 17–18.
150 Compare with M Gawronski (ed), Guide to the GDPR (Wolters Kluwer, 156 See Case C–191/15 Amazon EU (n 78).
Zuidpoolsingel the Netherlands, 2019) 19. 157 Compare with Articles 77–81 of the GDPR. See also Article 22 of the
151 Joined Cases C–585/08 and C–144/09 Peter Pammer v Reederei Karl GDPR.
Schlüter GmbH & Co KG and Hotel Alpenhof GesmH v oliver, 158 EDPB guidelines (n 1) 15.
ECLI:EU:C:2010:740 (‘Pammer and Alpenhof’). 159 See eg PA Perinetto, ‘Intent and Competition Law Assessment: Useless or
152 Regulation (EU) 1215/2012 on jurisdiction and the recognition and en- Useful Tool in the Quest for Legal Certainty’ (2019) 1 European
forcement of judgements in civil and commercial matters, 2012 OJ L351/ Competition Law 153.
1. 160 See eg Commission Notice, Guidelines on Vertical Restraints, OJ C131/1,
153 EDPB guidelines (n 1) 16. See also Case C–109/92 Stephan Max Wirth v 19 May 2010.
Landeshouptstadt Hannover, ECLI:EU:C:1993:916. 161 Compare with Commission report by Crémer, de Montjoye, and
154 See decision of the Federal Court of Karlsruhe of 23 June 2020—KVR 69/ Schweitzer (n 35).
19—vindicating that the decision of the German competition authority re-
garding abuse of market dominance by Facebook can be enforced.
242 ARTICLE International Data Privacy Law, 2021, Vol. 11, No. 3
TLD of a Member State or .eu should not be considered of a person in the Union only if the person is in the
being in the Union unless he or she is also physically Union, and it adds truly little information that the
present in a Member State. It makes sense that an indi- Regulation applies only with regard to the behaviour of
vidual residing in a Member State that stays in a third a person in the Union. When a data subject in the
country for weeks cannot enjoy the rights specified in Union is monitored, the Regulation applies without fur-
the GDPR, but if the person leaves the Union for some ther inquiries.
hours, it is less obvious. For instance, an Irish citizen Evidently, the wording of Article 3(2)(b) of the
162 EDPB guidelines (n 1) 20. Mere use of cookies is captured by the GDPR, 165 Article 4(17) of the GDPR. See also section ‘A controller or a processor
compare with Case C–40/17 Fashion ID (n 66). in the Union and the concept of establishment’ and ‘Article 3(1) of the
163 EDPB guidelines (n 1) 19. GDPR and an EU establishment “of” the controller or processor’.
164 See section ‘Article 3(1) of the GDPR and an EU establishment “of” the
controller or processor’.
Claes G. Granmar Global Applicability of the GDPR in Context ARTICLE 243
under Article 3(1) of the GDPR by a detour over Article It may be an entity in the same corporate group, or an
3(2) of the GDPR when the former provision is prima affiliated entity in a group of undertakings that pro-
facie inapplicable.166 More to the point, it is incompati- cesses data under the immediate control of the deter-
ble with the rule of law to make the Regulation applica- mining body or beyond that control. In its guidelines,
ble to processing activities beyond the scope of Article the EDPB suggests that any legal entity involved in an
3(2) of the GDPR by considering a representative activity that is ‘inextricably linked’ to the processing
appointed under Article 27 of the GDPR an establish- activity would be an establishment of the controller or
166 Articles 13–14 of the GDPR; and Recital 80 thereof. 167 See section ‘Data protection, the rule of law and the “methodological
source code” of EU law’.
244 ARTICLE International Data Privacy Law, 2021, Vol. 11, No. 3
State could constitute an ‘establishment’ in the Union Finally, when it comes to Article 3(2) of the GDPR,
of a controller or a processor in a third country. the EDPB guidelines are less controversial and more
However, the employer is normally responsible for the apt. Particularly, the construction of Article 3(2)(a) is
employees’ professional data processing and the vicari- convincing. In addition, the reasoning regarding Article
ous liability makes the place where the employee pro- 3(2)(b) is credible, albeit the distinction between being
cesses the data immaterial. If the controller or processor in the Union and behaving in the Union is strained.
is headquartered in a third country, the employee’s ac- Having said that, clarifications regarding the spatial and