The litmus test when assessing potential targeting, is whether the controller or processor “en-visages” offering services to data subjects.99 The definition of envisage is to “contemplate or conceive of as a possibility or a desirable future event”.100 This means that controllers and processors must, as a bare minimum, be consciously aware that they are offering services to data subjects in a member state. The subjective nature is further emphasised by the use of “in-tention” in recital 23. The definition of intention is “a thing intended; an aim or plan”.101 This would require the controller or processor to make a concerted effort to target data subjects in a
99 See 5.8.1.
100 The Oxford English Dictionary, (2017a).
101 The Oxford English Dictionary, (2017b).
35
member state. The discrepancy between the words leads to a discrepancy in the concept of targeting. A cloud service provider can be aware that their services are available to data sub-jects in a member state, without have singled out the market with the intention to offer their services.
Svantesson has criticized the subjective nature of the targeting approach, which he sees as requiring a “conscious decision” from the controller or processor. He argues that the targeting approach should abandon the subjective elements and instead focus on the “outcome” of ac-tivities of a controller or processor.102 By focusing on subjective aspects, situations can occur where data subjects are being deprived of their protection under the GDPR, but are still hav-ing their personal data processed. The consequences for the data subjects remains the same, but the controller or processor has avoided the restrictions of the GDPR owing to its igno-rance or lack of intention. This can incentivise circumvention through deliberate unawareness.
If Svantesson’s outcome argument is applied, the GDPR would be applicable where the data subjects have been targeted, regardless of knowledge or intention.
I share Svantesson’s opinion that an outcome-based targeting approach is a better solution than a subjective-based targeting approach. The GDPR’s recital seems at odds with this proach. In my opinion, article 3. (2) can be interpreted to allow for an outcome-based ap-proach through the effects principle. The principle is intended to be used as the basis for juris-dictional claims and requires there to be a certain effect within a territory that justifies the exertion of jurisdiction over third country subjects. If a controller, regardless of intention, e.g.
processes personal data in connection with the sale of goods to a data subject in a member state, there is a tangible effect in the territory. The jurisdictional claim is justified. If the con-troller does not sell any goods to data subjects in the territory, no data processing takes place.
A jurisdictional claim cannot be justified. The effects principle necessitates that the third country subject’s activities have the required effect, i.e. the outcome approach goes hand in hand with the effects principle.
Regardless of which approach is taken towards targeting or whether they can coexist, it is evident that this area needs clarification. The uncertainties about the terminology in recital 23 and the subjective elements as a whole, makes it difficult for third country controllers and processors to predict their legal standing. Considering the central role the targeting approach plays in the extraterritorial scope of the GDPR, it is unfortunate that third country controllers or processors potentially will have to consult secondary sources for this clarification.
102 Svantesson, (2015), p. 232.
36 5.13 Preliminary concluding remarks
5.13.1 Procedure for determining the applicability
The GDPR retains the two-stage examination of the DPD. It must be ascertained whether the controller or processor has an establishment on the territory of a member state, and whether the personal data was processed in the context of the activities of the establishment. The sec-ond step has accommodated the Google Spain case in its phrasing, which means that the GDPR is applicable even if the processing itself takes place outside the EU/EEA. The aban-donment of the connecting factor equipment represents the biggest change from the DPD. In its place, the targeting approach has been implemented. If a controller or processor offers goods or services, or monitors data subjects in the union, the GDPR may be applicable to their activities.
5.13.2 A missed opportunity
The drafters of the GDPR has implemented some of the interpretations and lessons that has been made during the life of the DPD. The irrelevance of the geographical location of a pro-cessing operation is codified in the text, though the accompanying requirement that the activi-ties of the controller and its establishment must be inextricably linked is inexplicably missing.
Equipment has been abandoned as a connecting factor because of modern technology making it unsuitable, and the unsatisfactory consequences it can result in. My analysis has also un-covered that there are multiple concepts that need further clarification. Opinions by the WP and the Weltimmo case have both clarified aspects of what constitutes an establishment, yet the GDPR retains the same definition as the DPD. Recital 23 of the GDPR uses terminology that makes it unclear what type of subjective elements are relevant when determining if a con-troller or processor has engaged in targeting.
I am cautious to criticize the choices made by the drafters, as we do not know how the GDPR will function in practice, but I feel that there are some missed opportunities to clarify im-portant aspects of the instrument. The importance that the territorial scope has for the legal standing of third country controllers and processors, who have little or no knowledge of the jurisprudence of the EU, should justify an approach that elaborates on the concepts of article 3 as much as possible. If third country controllers and processors are forced to conduct exten-sive and costly research into legal sources outside the text of the GDPR, the willingness to engage with the EU, business related or otherwise, may be diminished.
5.13.3 Motivation behind the GDPR’s extraterritorial application
The motivation behind the continued extraterritorial application of European data protection law under the GDPR seems to still be rooted in the desire to protect the fundamental right of protection of personal data. Article 1 of the GDPR has retained the objectives of the DPD. In
37
its explanatory memorandum, the Commission identifies the rapid technological develop-ments as being responsible for new challenges for the protection of personal data.103 The tar-geting approach, which incorporates new connecting factors that are better suited for the pre-sent and potentially future technological situation, can be seen as a response to these chal-lenges.
The Commission also recognises the importance of trust in the online environment and the economic and innovative consequences lack of trust has.104 The internet transcends state bor-ders, and many businesses utilize the internet to sell their wares or services. If data subjects cannot rely on third country businesses to adequately protect their data, this may lead to the undesirable consequences identified by the Commission. The targeting approach seems to be designed to catch business conducted over the internet. The EU has traditionally focused on the well-being of the internal market in its legislation. The GDPR is no exception.105 I believe that the Commission’s rationales and resulting extraterritorial application of the GDPR repre-sents an acknowledgement of the fact that the European economy does not function in a vacu-um. Consequently, the EU’s internal market has motivated the drafters to expand upon the extraterritorial application of the GDPR.
103 COM(2012) 11 final, p. 1.
104 Ibid., p. 1 – 2.
105 GDPR. recital 13.
38