Data Subjects, who are they?
Does the GDPR really apply only to EU citizens? If so, what about all the non-EU citizens who are resident in the EU?
This is something I have been trying to research, because it is not crystal clear in the discussions and articles I have read, and I have read many, too many. None I have come across offers a clear explanation of who counts as an EU citizen and what happens to the data of non-EU citizens, for instance.
What does the GDPR say?
The GDPR does not actually mention "EU citizens" or "residents" at all. It uses the term "data subject" instead. So who is a data subject? Article 4(1) defines personal data as information relating to "an identified or identifiable natural person ('data subject')", so we know a data subject is a natural person, not a company. But does the data subject have to be an EU citizen, or can they be a non-EU citizen? You often see "EU citizens" used in articles to describe data subjects. However, not everyone residing in the EU holds the nationality of a member state.
So let us first define who is a citizen.
Who is an EU Citizen?
Article 20(1) of the Treaty on the Functioning of the European Union (TFEU) describes EU citizenship thus:
"Citizenship of the Union is hereby established. Every person holding the nationality of a Member State shall be a citizen of the Union."
Popular summaries describe the GDPR's scope purely in terms of EU citizens. For example:
"The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy." – www.eugdpr.org
By that description, you would be forgiven for assuming that the GDPR only applies to citizens of the EU, and that those who are not citizens of one of the member states are not afforded its protection. That would exclude foreign students, ambassadors, immigrants, asylum seekers, refugees, migrant workers and so on.
This is not so, and it is not the intention of the GDPR.
When is a Resident a Citizen too?
You have to search deep in the Regulation to find what it actually says about nationality, and it says it in a recital rather than an article. Recital 14 of the adopted text states that:
"The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data."
(The wording often quoted in articles, "the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data", comes from the Commission's 2012 proposal and makes the same point.)
Even so, the recital wording can be read as ambiguous. When it says "whatever their nationality", does it mean whatever EU member state nationality, or any nationality globally, i.e. citizens of non-EU countries? The recital itself does not spell it out.
This is rarely made clear in the documents, articles and posts I have read, many of them by esteemed experts in this field. They refer to "EU citizens" or "EU citizens' data" rather than to "data subjects" or "EU residents". The correct terminology is "data subject", as used in Article 3(2), which begins:
"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
The test in Article 3(2) is presence in the Union, not nationality or residence. A data subject is therefore more than an EU citizen or an EU resident: both are data subjects, but a data subject need not be either. It could be someone on holiday in the EU, or even someone in transit through the EU on a flight. Note the condition attached to this paragraph, though: it is aimed at controllers and processors not established in the Union, and only where they offer goods or services to people in the Union or monitor their behaviour there.
I, for instance, personally know people who have lived in the UK for 40 years as residents but who do not hold a British or other EU passport and are not naturalised citizens.
Furthermore, Article 3(1) widens the reach of the Regulation much further, to cover people anywhere in the world whose data is processed by EU-established controllers and processors. Article 3(1) states:
"This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."
Loosely explained, this means that as long as an organisation is "established" in the EU and processes personal data in the context of that establishment's activities, it must comply with the GDPR regardless of where in the world the processing happens or whose data it is. By extension, the individuals whose data is processed are afforded the same rights as data subjects in the EU. The concept of "establishment" is very wide: it does not require a subsidiary or branch, and for an airline it could, for example, be satisfied by a General Sales Agent, or perhaps even a landing slot at an EU airport. The important qualifier is "in the context of the activities of" that establishment; simply having an office somewhere in the EU does not by itself bring every bit of processing the wider organisation does worldwide into scope.
"Processing" here is used in the wide Article 4(2) sense, meaning any operation performed on personal data, including collection, and not merely outsourced processing by a processor.
Territorial expansion and applicability of EU law.
So why is something as fundamental as this buried in a recital, I wonder? Even Recital 14 does not provide the clarity one would like. However, even though the articles of the Regulation are silent on nationality, for all intents and purposes the GDPR applies equally whether one is an EU citizen or not, and we should always use the term "data subject". In summary:
1. A data subject under the GDPR is anyone who is in the EU at the time their personal data is processed (Article 3(2), subject to its goods-or-services and monitoring conditions for non-EU organisations). They can also be anyone, anywhere, when the processing is carried out in the context of the activities of an EU-established data controller or data processor (Article 3(1)).
2. If a person leaves the EU, say becoming an expat or going on holiday, personal data processed while they are outside the EU falls outside Article 3(2), and the GDPR no longer protects them on the basis of their presence in the Union, unless their data is still processed in the context of an organisation "established" in the EU, in which case Article 3(1) continues to apply.
The following diagram illustrates the meaning of Article 3:
Consequently, the effect of Article 3(1) is that if an EU-established data controller or processor collects the data of Chinese nationals in China, in the context of its EU establishment's activities, and processes that data in China and India, the Chinese nationals' data is protected by the GDPR regardless of their nationality, their physical location and the location where the processing takes place. The same logic applies to, say, an Indian IT company with an office in the UK: where its Indian operation collects the data of Indian citizens in the context of the activities of that UK establishment, those individuals are within scope too, and the company must comply with the GDPR and afford them the same rights as EU data subjects. Whether a given processing operation is "in the context of the activities of" the EU establishment is a question of fact in each case, and it is this link, not the mere existence of a UK office, that brings the processing into scope.
The potential global applicability of the GDPR is not always appreciated, and under Article 3(1) it is tied to the location of the data controller or processor rather than to the location or nationality of the data subject. When deciding whether the GDPR applies, and to whom, Article 3(1) and Article 3(2) must be read separately, and reference should be made to the case law and guidance already established under Directive 95/46/EC, in particular:
Article 29 Working Party Opinion 8/2010 on applicable law (WP 179)
Case law: Kololo v Commissioner of Police for the Metropolis
This and other articles can be found at www.cybercounsel.co.uk
Author: Moyn Uddin GDPR-P, CISSP, CISA, CISM, CRISC, ISO27001 LA, TOGAF