GDPR – Territorial Scope and the Need to Avoid Absurd and Inconsistent Results

It’s not just establishment, it’s context!

There is an urgent need to clarify the GDPR’s territorial scope. Of the many changes the GDPR will usher in this May, the expansion of EU privacy law’s territorial scope is one of the most important. The GDPR provides for broad application of its provisions both within the EU and globally. But the fact that the GDPR has a broad territorial scope does not mean that every company, or all data processing activities, are subject to it. Rather, the GDPR puts important limitations on its territorial scope that must be acknowledged and correctly analyzed by those interpreting the regulation for the global business community. Otherwise, the result could be absurd implementation and bad policy, which no one wants.

EU Establishment

In essence:

  • Where registrars are established in the EU, the registrars’ use and processing of personal data is subject to the GDPR. That is no surprise to anyone.
  • Where registrars have no establishment in the EU, but offer domain name registration services to data subjects in the EU, the processing of personal data in the context of such offer will also be subject to the GDPR. Again no surprise and logical.
  • However, where a registrar is based outside the EU, without an establishment in the EU, and uses a processor in the EU, such non-EU based registrar (as a controller) will not become subject to the GDPR merely because the EU-based processor is established in the EU. Under Article 3 (1) GDPR, the regulation applies to the controller only where the processor in the EU would be considered the controller’s establishment. If the controller uses an external service provider (not a group company), this processor will generally not be considered an establishment of the controller. It would only be caught by the GDPR if the processing is done “in the context” of that establishment. That is the key, and I’ll discuss an example of potentially absurd results if this is not interpreted correctly. NB: All obligations directly applicable to the processor under the GDPR will, of course, apply to the EU-based processor.

WHOIS

Take the example of WHOIS (searchable registries of domain name holders), where there is presently much debate among the many and varied actors in the domain name industry over whether public WHOIS databases can remain public under the GDPR. The second part of ICANN’s independent assessment of this issue offered an analysis of the GDPR’s territorial reach that deserves closer scrutiny. Addressing the territorial limits of the law, the authors state: “Therefore, all processing of personal data is, no matter where it is carried out, within the territorial scope of the GDPR as long as the controller or processor is considered established within the EU; the nationality, citizenship or location of the data subject is irrelevant.” In other words, the authors conclude that as long as a controller or processor has an “establishment” in the EU, all processing of personal data it undertakes, regardless of the location or nationality of the data subject and regardless of whether the processing has any nexus to the EU, is subject to the GDPR.

This is wrong. The analysis overlooks key language of the GDPR. Under Article 3.1, the law applies not to any processing that is done by a company that happens to have an establishment in the EU, but to processing done “in the context of” that establishment.

This distinction makes a difference. Imagine, for example, a Canadian company that has an office in Paris. Under the authors’ analysis, the GDPR would apply to all processing done by that company simply by virtue of it having a Paris office, whether the data subjects interacting with it were French, Canadian, or even American, whether they accessed the company’s services from France, Canada, or the U.S., and even if all the processing occurred outside of the EU. This would be an absurd result inconsistent with the text of the GDPR and sound policy. In order to determine whether the GDPR applies, one must look not only at whether the company has an establishment in the EU but also at whether the processing occurred within the context of that establishment. If the processing occurs in the U.S. or Canada for a Canadian data subject without any link to the EU establishment, clearly the processing is not done in the context of the EU establishment. Thus, the GDPR does not apply.

Understanding the territorial reach of the GDPR, and the limitations of that reach, is critical. The GDPR has the potential to shift global data privacy law and policy. As such, stakeholders must be well-informed on both the substance and the reach of the law’s protections.
