Data subjects in the Union
The wording of Article 3(2) refers to “personal data of data subjects who are in the Union”. The application of the targeting criterion is therefore not limited by the citizenship, residence or other type of legal status of the data subject whose personal data are being processed. Recital 14 confirms this interpretation and states that “[t]he protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”
This provision of GDPR reflects EU primary law which also lays down a broad scope for protection of personal data, not limited to EU citizens, with Article 8 of the Charter of Fundamental Rights providing that the right to the protection of personal data is not limited but is for “everyone”. [page 14 of Guidelines]
…
The requirement that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment of offering of goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer made or monitoring undertaken.
…
The EDPB also wishes to underline that the fact of processing personal data of an individual in the Union alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the Union. The element of “targeting” individuals in the EU, either by offering goods or services to them, or by monitoring their behaviour (as further clarified below), must always be present in addition. [page 15 of Guidelines]
…
For Article 3(2)(b) to trigger the application of the GDPR, the behaviour monitored must first relate to a data subject in the Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the Union.
The nature of the processing activity which can be considered as behavioural monitoring is further specified in Recital 24 which states that “in order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” While Recital 24 exclusively relates to the monitoring of a behaviour through the tracking of a person on the internet, the EDPB considers that tracking through other types of network or technology involving personal data processing should also be taken into account in determining whether a processing activity amounts to a behavioural monitoring, for example through wearable and other smart devices. [page 19 of Guidelines]
As opposed to the provision of Article 3(2)(a), neither Article 3(2)(b) nor Recital 24 expressly introduce a necessary degree of “intention to target” on the part of the data controller or processor to determine whether the monitoring activity would trigger the application of the GDPR to the processing activities. However, the use of the word “monitoring” implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring”. It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data. The EDPB takes into account the wording of Recital 24, which indicates that to determine whether processing involves monitoring of a data subject behaviour, the tracking of natural persons on the Internet, including the potential subsequent use of profiling techniques, is a key consideration.
The application of Article 3(2)(b) where a data controller or processor monitors the behaviour of data subjects who are in the Union could therefore encompass a broad range of monitoring activities, including in particular:
- Behavioural advertisement
- Geo-localisation activities in particular for marketing purposes
- Online tracking through the use of cookies or other tracking techniques such as fingerprinting
- Personalised diet and health analytics services online
- CCTV
- Market surveys and other behavioural studies based on individual profiles
- Monitoring or regular reporting on an individual’s health status
[page 20 of Guidelines]
…
Example 18: An app developer established in Canada with no establishment in the Union monitors the behaviour of data subjects in the Union and is therefore subject to the GDPR, as per Article 3(2)(b). The developer uses a processor established in the US for the app optimisation and maintenance purposes.
In relation to this processing, the Canadian controller has the duty to only use appropriate processors and to ensure that its obligations under the GDPR are reflected in the contract or legal act governing the relation with its processor in the US, pursuant to Article 28.
…
When it comes to a data processor not established in the Union, in order to determine whether its processing may be subject to the GDPR as per Article 3(2), it is necessary to look at whether the processing activities by the processor “are related” to the targeting activities of the controller.
The EDPB considers that where processing activities by a controller relates to the offering of goods or services or to the monitoring of individuals’ behaviour in the Union (‘targeting’), any processor instructed to carry out that processing activity on behalf of the controller will fall within the scope of the GDPR by virtue of Art 3(2) in respect of that processing.
The ‘Targeting’ character of a processing activity is linked to its purposes and means; a decision to target individuals in the Union can only be made by an entity acting as a controller. Such interpretation does not rule out the possibility that the processor may actively take part in processing activities related to carrying out the targeting criteria (i.e., the processor offers goods or services or carries out monitoring actions on behalf of, and on instruction from, the controller).
The EDPB therefore considers that the focus should be on the connection between the processing activities carried out by the processor and the targeting activity undertaken by a data controller.
Example 19: A Brazilian company sells food ingredients and local recipes online, making this offer of good available to persons in the Union, by advertising these products and offering the delivery in the France, Spain and Portugal [sic]. In this context, the company instructs a data processor also established in Brazil to develop special offers to customers in France, Spain and Portugal on the basis of their previous orders and to carry out the related data processing.
Processing activities by the processor, under the instruction of the data controller, are related to the offer of good to data subject in the Union. Furthermore, by developing these customised offers, the data processor directly monitors data subjects in the EU. Processing by the processor are [sic] therefore subject to the GDPR, as per Article 3(2).
Example 20: A US company has developed a health and lifestyle app, allowing users to record with the US company their personal indicators (sleep time, weight, blood pressure, heartbeat, etc…). The app then provide users with daily advice on food and sport recommendations. The processing is carried out by the US data controller. The app is made available to, and used by, individuals in the Union. For the purpose of data storage, the US company uses a processor established in the US (cloud service provider).
To the extent that the US company is monitoring the behaviour of individuals in the EU, in operating the health and lifestyle app it will be ‘targeting’ individuals in the EU and its processing of the personal data of individuals in the EU will fall within the scope of the GDPR under Art 3(2).
In carrying out the processing on instructions from, and on behalf of, the US company the cloud provider / processor is carrying out a processing activity ‘relating to’ the targeting of individuals in the EU by its controller. This processing activity by the processor on behalf of its controller falls within the scope of the GDPR under Art 3(2).” [page 21 of Guidelines]
[2025] UKUT 319 (AAC)