This article was first published in IAPP, 28 January 2021.
I’ve long questioned the extra-territorial scope of the GDPR and whether non-EU based organisations that engage solely in B2B activities (corporation to corporation) are actually caught by the GDPR.
The GDPR is at best ambiguous on this issue and the guidance published to date from the regulators is unhelpful.
This issue has been brought into focus as a result of Brexit and the numerous enquiries I’m getting about whether UK B2B businesses (with no physical presence in the EU) need to appoint an EU representative (and comply with the GDPR more generally in the EU).
What is the issue in a nutshell?
Art. 3(2)(a) of the GDPR states that controllers and processors not based in the EU are subject to the GDPR where they process personal data of individuals in the EU in the course of offering goods or services to those individuals.
So a UK based clothing retailer selling items to an individual in France needs to comply with the GDPR. Makes sense as the retailer could be collecting a fair amount of information about the individual including name, address and payment information and possibly some profile data.
But what happens if the UK based retailer is selling to a company and only collecting business contact details in that context? It is not offering goods to an individual but to a company. Does that mean the GDPR does not apply?
Interpretation of Art. 3(2)(a)
On a literal reading of Art. 3(2)(a), the answer must be yes. The B2B retailer is not offering goods to an individual. The European Data Protection Board (EDPB) has published guidance (accessible here) to help clarify the scope of Art. 3(2)(a) and all of the examples given by the EDPB relate to business to consumer scenarios. Not helpful at all.
The EDPB could have taken the opportunity to make clear that Art. 3(2)(a) also applies to B2B scenarios and individuals should be read as individuals acting on behalf of companies. It did not do this and I’m not sure why.
Is that an implicit recognition that Art. 3(2)(a) may not apply to B2B scenarios? It would be somewhat of an anomaly that personal information collected in the context of a B2B transaction is subject to the GDPR if you have an establishment in the EU but out of scope where you are not in the EU. And what about protecting the privacy rights of individuals at companies, who are clearly entitled to protection?
Because of this, it is fair to say that privacy practitioners have generally interpreted Art. 3(2)(a) as applying to employees at corporates because ultimately, whilst goods and services are being sold to a company, individuals are managing and running the process.
It could create somewhat of an unfair advantage where you sell into the EU but are based outside of it. The GDPR and, in particular, the extra-territoriality provisions were intended to level the playing field to ensure non-EU based tech businesses were also subject to the GDPR when active in the EU. Recognising this, it might be hard to justify an interpretation that excludes B2B transactions for non-EU based businesses, although employees at corporates are protected by virtue of the data transfer rules in Chapter V of the GDPR.
Arguably, you do have equivalency and safeguards in place for the processing of personal data of employees in the context of B2B transactions, which would support a more natural interpretation of Art. 3(2)(a), as there is no getting away from the fact that Art. 3(2)(a) only refers to individuals and the EDPB guidance highlights B2C transactions.
Whilst it seems odd to distinguish between B2B and B2C in this way, this distinction is well established (even if controversial) in the UK, where B2B communications (e.g. to corporate email accounts) are excluded from the scope of the Privacy and Electronic Communications Act 2002 (PECR). Only B2C communications (e.g. to private email accounts) require opt-in consent. There is then form for having different standards depending on whether the processing of personal data is in the context of B2B or B2C transactions.
Purposive and pragmatic interpretation
For my part, whilst Art. 3(2)(a) is ambiguous, I’ve always worked on the basis that non-EU based organisations that engage solely in B2B activities are within the scope of the GDPR, although I have often had clients query this and highlight the fact that they are not selling to individuals.
With Brexit, clarity is important, as UK businesses need to know as a matter of urgency the scope of their obligations: there is a real cost to having to appoint an EU representative.
The ICO has no clear official position on this issue and there are mixed messages on whether an EU representative is needed when the activities are pure B2B.
Scope for a UK approach
In September, the UK government published a consultation document on a new National Data Strategy with laudable goals to “build a world-leading data economy” with laws that are “not too burdensome” and “a data regime that is neither unnecessarily complex nor vague”.
In this context, is there scope for the UK to develop a different and more business friendly interpretation of the GDPR? The UK courts and lawyers have historically taken a more literal approach to interpretation as compared to the EU courts and lawyers. Hence my EU peers do not necessarily see the same issue with Art. 3(2)(a). If the UK did develop a more literal interpretation of Art. 3(2)(a), that may reduce some regulatory friction to trade with the UK. It would mean non-UK based B2B businesses would not need to have a UK representative.
That, though, does not help the many UK based businesses that are querying whether they now need to appoint an EU representative. Clarity from regulators would be extremely welcome.
If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.