As a member of the in-house legal team of an international group of companies, I have had the pleasure of negotiating numerous cross-border contracts with EU and non-EU companies, particularly in the realm of software contracts such as Software-as-a-Service (SaaS) agreements . This article will analyze the applicability of the GDPR in a contractual relationship among US entities.
The issue of whether Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, commonly known as the General Data Protection Regulation (GDPR), necessitates the execution of a Data Processing Agreement (DPA) under Article 28(3) GDPR between two US companies has piqued my interest. This arose when several US companies expressed a heightened interest in signing DPAs for procuring software from a US software vendor. Initially, my reaction was dismissive – W hy would two non-EU companies concern themselves with the GDPR? However, the answer is not as straightforward. Typically, inquiries are directed towards the material scope of the GDPR rather than its territorial scope, which is often overlooked when dealing with two non-EU companies. This oversight underscores the need for a more nuanced analysis.
In a Business-to-Business (B2B) relationship, a US software vendor sells software (SaaS) to software customers in the US. A DPA only becomes relevant in a controller-processor relationship. Both, controllers and processors have their own (distinct) responsibilities. Art. 28(3) GDPR only requires the execution of a DPA between a data controller and a data processor. In the present case, the SaaS customer acts as an independent data controller because he decides what is to be done with the data and instructs the Software vendor with hosting its data. The US software vendor, a SaaS business provider, is usually both, a data controller and a data processor. According to the European Data Protection Board (EDPB), they are controllers in situations when they decide the purposes and the means of the processing (e.g. when it comes to their website, user databases, newsletter, marketing, payment data, etc.) and data processors when they act upon their customers´ instructions (e.g. in B2B activities when they process the personal data of their clients´ customers). The latter is true for the describe scenario where, in addition, the software vendor uses a third party, a so-called sub-processor, in the EU for the provision of its hosting services, thereby locating the data within an EU jurisdiction. Such customer data may (or may not) include personal data of EU data subjects. For the purposes of the scope of the GDPR, it does not matter if such data is publicly available or not. All that matters for GDPR to be applicable is that personal data is processed. Thus, the described scenario involves three parties:
From the perspective of international data transfer, the primary question is whether there exists a data exporter and a data importer, and if GDPR applies to the data exporter – the EU data center provider. In this context, the EU data center provider qualifies as a data exporter, transferring data to the US-based software vendor as the data importer. Consequently, both the material scope (Article 2 GDPR) and territorial scope (Article 3 GDPR) of the GDPR are met. Thus, the transaction qualifies as an international data transfer, necessitating appropriate safeguards in the absence of an adequacy decision for the recipient country, in the present case, the US. For a data transfer to a US company to be deemed safe, the US software vendor must either be Data Privacy Framework (DPF) certified or EU Standard Contractual Clauses (SCCs) need to be executed. Given that both, the EU data center provider and the US software vendor, are data processors, the SCCs must be executed under their module 3 (Processor-to-Processor SCCs).
However, the initial question pertains to the relationship between the US software vendor and the US software customer. We already know that the data transfer between the two falls within the material scope of the GDPR. However, in three out of four cases, the territorial scope of the GDPR is not met, why?
Art. 3(1) GDPR does not apply because neither the processor (US software vendor) nor the controller (US software customer) has an establishment in the EU.
Art. 3(2) GDPR requires a closer look since it applies GDPR to the processing of personal data of data subjects who are located in the Union even if the controller or processor is not established in the EU. The territorial scope of subsection (b) of Art. 3(2) GDPR would be met in case the purpose of the SaaS business would be to monitor the behavior of data subjects in the EU. This would be true, e.g. for a CCTV camera installed by a US company in the EU. In the present case, however, we are considering software which merely hosts data in the EU.
Therefore, the pivotal question is whether the US-based software customer, as an independent data controller, falls within the purview of the GDPR. According to Article 3(1)(a) GDPR, this would be the case if "the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union." In essence, the US software customer would be subject to the territorial scope of the GDPR only if it offers services to individuals residing in the EU.
If the software services provided are not offered to individuals residing in the EU, then none of the aforementioned falls within the scope of GDPR, and there is no need to execute a DPA between the US software vendor and its US customers. Conversely, if the vendor's services are specifically offered to individuals residing in the EU, the territorial scope of GDPR is invoked, which requires the US software vendor to execute a DPA with its US-based customers.
While the GDPR may be limited to the data of individuals in the EU, it is not limited to European companies. Non-EU companies must act in accordance with the GDPR just as much as European-based organizations, if they fall within the scope of Art. 3(2) GDPR.
In conclusion, it is highly advisable to meticulously evaluate each scenario outlined in Article 3 GDPR concerning territorial scope before discounting GDPR obligations in transactions involving non-EU entities. Such diligence ensures comprehensive compliance with the GDPR's regulatory framework.
In case, a non-EU company comes to the conclusion that GDPR is applicable according to Art. 3(2) GDPR, the appointment of a GDPR EU representative according to Art. 27 GDPR should be considered. This section of the GDPR states that non-EU companies that offer goods or services to individuals in the EU and/or monitor the behaviour of individuals in the EU must designate an EU representative to act on their behalf.
Sign up for a regular dose of news and updates from the legal landscape.
Get the latest updates about legal and privacy from experts in the field.