GDPR Brief: understanding the extraterritorial effect of the GDPR for genomic and health-related research

6 Jul 2020

The GDPR may apply to processing activities happening outside of Europe, commonly referred to as the GDPR’s “extraterritorial effect”. Reflecting the latest guidance on the subject from the European Data Protection Board (EDPB), this brief should be considered an update to an earlier brief on the GDPR’s territorial scope.

The GDPR may apply to processing activities happening outside of Europe, commonly referred to as the GDPR’s “extraterritorial effect”. Reflecting the latest guidance on the subject from the European Data Protection Board (EDPB), this brief should be considered an update to an earlier brief on the GDPR’s territorial scope.

The GDPR applies to processing activities rather than to individuals or organizations. This means that researchers and their institutions cannot accurately say that the “GDPR does not apply to us”. Rather, there are two principal criteria by which the GDPR may apply to the processing of personal data by organizations outside of the European Economic Area (EEA): the “establishment” criterion and the “targeting” criterion.

Establishment criterion

The GDPR applies to data processing activities occurring outside of the EEA that have a link to the activities of an establishment in the EEA. The notion of an “establishment” encompasses “any real and effective activity – even a minimal one – exercised through stable arrangements”. This may encompass processing activities carried out by a controller outside of the EEA but have a connection to an establishment within the EEA. For example, this would be the case where a pharmaceutical company based in the EEA has its research arm in Canada carry out its personal data processing activities related to genomics. While the Canadian office would not normally be within the territorial scope of the GDPR, the activities of the EEA establishment and their connection to the research arm draw the Canadian office into the establishment criterion.

Targeting criterion

Perhaps more far-reaching than the establishment criterion is the targeting criterion. Organizations should first ask themselves if the processing activities relate to the personal data of individuals in the EEA. Then if so, they should further ask whether processing relates to (1) the offering of goods and services or (2) the monitoring of behaviour of individuals in the EEA.

Offering goods and services may catch certain research projects depending on the circumstances: no payment is required and the return of results, for example, may qualify as a service. Monitoring the behaviour of EEA-based research participants may be more relevant for longitudinal studies or other research projects that are built upon participants habitually reporting their health status. Thus, for example, a research project based in Australia with a mobile app offered in the Benelux countries’ “app stores” that asks participants to periodically input their dietary and fitness information would be caught by the GDPR.

Concluding observations

An analysis of the GDPR’s applicability is a determination to be made on a case-by-case basis. Guidelines indicate that, for example, the merely incidental (non-intentional) processing of personal data of individuals in the EEA on its own is insufficient to trigger the GDPR’s application. Moreover, the mere selection of an EEA-based processor by a controller outside of the EEA, without other factors present, will not subject that controller to the GDPR. Frequently, however, the surrounding circumstances of  personal data processing are not so simple and a determination may be difficult to make. Consequently, the EDPB’s guidelines on this subject are a “must read”. Finally, it should be noted that the European Commission has signalled its intention to further clarify the relationship between the GDPR’s territorial scope and its rules on data transfers outside of the EEA.

Further Reading

• “Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) (Version 2.1).” European Data Protection Board, November 12, 2019. https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf.
• Svantesson, D. J. B. “A ‘Layered Approach’ to the Extraterritoriality of Data Privacy Laws.” International Data Privacy Law 3, no. 4 (November 1, 2013): 278–86. https://doi.org/10.1093/idpl/ipt027.
• Azzi, Adèle. “The Challenges Faced by the Extraterritorial Scope of the General Data Protection Regulation.” Journal of Intellectual Property, Information Technology and Electronic Commerce Law 9, no. 2 (2018): 126–37.
• Kohler, Christian. “Conflict of Law Issues in the 2016 Data Protection Regulation of the European Union.” Rivista di diritto internazionale privato e processuale 52, no. 3 (2016): 653–75.
• Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (Case C-230/14)
• Google v Commission nationale de l’informatique et des libertés (CNIL) (Case C-507/17)

Relevant GDPR Provisions

• Recital 22 – notion of an establishment exercising activities within the EEA
• Recital 23 – application of the GDPR where data subjects within the EEA are targeted
• Recital 24 – application of the GDPR where data subjects’ behaviour is monitored
• Article 3 – territorial scope

Michael Beauvais works at McGill University’s Centre of Genomics and Policy.

See all previous briefs.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.