How Do Global Businesses Know When EU Data Protection Law Applies to Them?
At the heart of EU data protection law is the passionate belief in the right
to privacy. Indeed, the Treaty of Lisbon has now recognised both privacy and
data protection as fundamental rights under EU law.
Yet, like any other law, it must be clear when and where EU data protection
rules apply and the applicable law provision in the current Data Protection
Directive (Directive) has caused some headaches.
Following the Google Spain decision, all global businesses should take note
of how they may be brought within the scope of EU data protection law even
if it appears that a non-EU based part of their business is involved in different
services from EU operations. Certainly a global business without a clearly
identified EU-based controller should consider establishing an entity in one
Member State in order to conduct all data processing subject to EU rules through
that entity and the law of that Member State.
Going forward, the new Regulation’s likely direction of travel will include
applying EU data protection law to online services and behaviours that target
EU individuals. Therefore, global businesses should think through how their
online offerings are positioned and the likelihood that their customers are
or will be EU individuals. In particular, global businesses operating online
tracking or profiling technologies are far more likely to be caught by the
scope of the new Regulation and would do well to prepare for it.