GDPR shows its extraterritorial reach
Canadian company caught by the GDPR
10 September 2019
For the first time (at least in France), a Court (the Paris Tribunal de Grande Instance), in a decision dated 2 August 2019, has expressly held that the GDPR applies to an entity established outside the European Economic Area, on the basis of the extraterritorial reach of the regulation.
A Canadian-based company, presenting itself as the holder of IP rights in relation to hundreds of audio-visual works, claimed that these works were being made available for illegal download over certain electronic communications platforms.
The Canadian company thus instructed a German-based entity to collect the IP addresses associated with the alleged illegal downloading.
The Canadian company then requested the Paris Tribunal de Grande Instance compel the relevant electronic communications provider (Orange) to provide it with contact details of the holders of the identified IP addresses.
Extraterritorial reach of the GDPR
The Paris Court considered that the the Canadian entity was caught by the GDPR in this context, as:
- The collection of IP addresses is data processing.
- A large portion of the IP addresses collection took place in France.
- Such collection of IP addresses corresponds to the monitoring of the behaviour of individuals in the EU.
- The Canadian entity is the controller regarding this data processing.
Obligation to appoint a DPO
By application of the GDPR, the Paris Court held that, the Canadian entity should have:
- Designated a representative in the EU;
- Appointed a Data Protection Officer (DPO), As the processing at stake should be deemed a processing on a large scale of personal data relating to criminal convictions, which triggered the obligation to designate a DPO.;
- Ensured security of the personal data;
- Framed the transfers of personal data (i.e. the IP addresses) to i.e made clear the legal mechanism for transferring data outside of the EU. [This is quite surprising given that Canada is generally recognised by the European Commission as ensuring an adequate level of data protection]
Show me you are GDPR-compliant or I will reject your request
Given that the Canadian entity did not produce any evidence to demonstrate that the processing of IP addresses complied with the GDPR, the Court rejected its request to be provided with the contact details of the persons holding the identified IP addresses.
Are the first GDPR sanctions against overseas organisations just around the corner?