Private or public, does it matter?
Applicability of foreign data protection laws and the requirement for a representative in the education sector.
Data protection is becoming increasingly complex in the education sector. New laws entering into force and additional guidelines make it difficult to keep up with the constant changes. A further layer of complexity comes from the range of organisations funded in differing ways, from private companies to charitable organisations and publicly funded institutions. The classification as a public body rather than a private organisation is commonly used to determine whether specific exemptions apply. This article focuses on the extraterritorial scope of privacy laws and the resulting need for education providers to appoint a representative under the EU and UK GDPRs, the KVKK in Turkey, the PIPL in China and, from September 2023, the DSG in Switzerland. For more information, subscribe to our webinars covering Asia and the Americas.
Extraterritorial scope of privacy laws
The territorial scope of a privacy regime indicates the reach of the laws of a jurisdiction. Where the data protection laws of a particular territory are said to have extraterritorial scope, those laws apply beyond the borders of that country or geographical area. As privacy laws around the world are updated, jurisdictions are increasingly including the concept of extraterritorial scope in their legislative reforms. Education providers can therefore be caught by foreign privacy laws when targeting students within another territory. The rationale is simple: privacy is a fundamental human right, and privacy laws seek to protect individuals no matter where the organisation processing their data is located.
This article looks at key privacy regimes which have an extraterritorial scope and require overseas organisations to appoint a local representative based within the applicable territory, in particular the EU and UK GDPRs, the Turkish KVKK, the Chinese PIPL and the forthcoming Swiss DSG. The scope provisions of each law read as follows:

EU GDPR
The EU GDPR (Article 3(2)) applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services to such data subjects in the Union (targeting criterion); or
(b) the monitoring of their behaviour as far as it takes place within the Union (monitoring criterion).

UK GDPR
The GDPR as retained in UK law applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom, where the processing activities are related to:
(a) the offering of goods or services to such data subjects in the United Kingdom (targeting criterion); or
(b) the monitoring of their behaviour as far as it takes place within the United Kingdom (monitoring criterion).

KVKK
The Turkish KVKK applies to natural persons whose personal data is processed and to natural or legal persons processing such data wholly or partially by automated means, or by non-automated means provided that the data forms part of a data filing system. Its scope is defined by the persons and processing covered rather than by the location of the processor.

PIPL
The Chinese PIPL provides that, where one of the following circumstances is present in the handling outside the borders of the People's Republic of China of personal information of natural persons within its borders, the law applies as well:
- where the purpose is to provide products or services to natural persons inside the borders; or
- where the activities of natural persons inside the borders are being analysed or assessed.

DSG
The Swiss DSG applies to all matters that have an effect in Switzerland, even if they were caused abroad.
A common theme across these provisions is their application to organisations outside the territory that target individuals within it. Considering this from the perspective of education providers, it is helpful to refer to the guidance of the European Data Protection Board (EDPB), which includes the following example:
A Swiss university in Zurich is launching its Master's degree selection process by making available an online platform where candidates can upload their CV and cover letter, together with their contact details. The selection process is open to any student with a sufficient level of German and English and holding a Bachelor's degree. The university does not specifically advertise to students at EU universities, and only takes payment in Swiss currency.
As there is no distinction or specification for students from the Union in the application and selection process for this Master's degree, it cannot be established that the Swiss university intends to target students from particular EU Member States. The sufficient level of German and English is a general requirement that applies to any applicant, whether a Swiss resident, a person in the Union or a student from a third country. Without other factors indicating the specific targeting of students in EU Member States, it cannot be established that the processing in question relates to the offer of an education service to data subjects in the Union, and such processing will therefore not be subject to the GDPR.
The Swiss university also offers summer courses in international relations and specifically advertises this offer at German and Austrian universities in order to maximise the courses' attendance. In this case there is a clear intention on the part of the Swiss university to offer the service to data subjects who are in the Union, and the GDPR will apply to the related processing activities.
Other activities of educational organisations which may trigger the applicability of foreign privacy laws include:
- any type of marketing to students in other regions, e.g. through trade fairs and roadshows;
- taking part in international rankings;
- testimonials from foreign students on an institution's website;
- international student admission centres;
- student exchange programmes;
- partnerships whose purpose is to attract students from abroad;
- actively recruiting international staff.
Requirement to appoint a representative
Each of the jurisdictions highlighted above requires organisations caught by the extraterritorial reach of the relevant data protection laws to appoint a representative as a local point of contact in the applicable territory. The obligation, and whether public bodies are exempt from it, is as follows:

EU GDPR
Requirement: Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
Exemption: Public authorities and bodies are exempt.

UK GDPR
Requirement: Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the United Kingdom.
Exemption: Public authorities and bodies are exempt.

KVKK
Requirement: Data controllers not established in Turkey are obliged to register with the VERBIS Registry through their representatives prior to the start of data processing.
Exemption: None; applies to private and public organisations.

PIPL
Requirement: Any personal information processor outside the territory of the People's Republic of China shall establish a special agency or designate a representative within the territory of the People's Republic of China to be responsible for relevant matters of personal information protection, and shall submit the name and contact information of the agency or representative to the department performing personal information protection duties.
Exemption: None; applies to private and public organisations.

DSG
Requirement: A controller established outside Switzerland must appoint a representative in Switzerland if it processes personal data of individuals in Switzerland and all of the following conditions are met:
- the processing is related to the offering of goods or services or the monitoring of individuals' behaviour;
- the processing is on a large scale;
- the processing is regular; and
- the processing involves a high risk to the rights and freedoms of natural persons.
Exemption: None; applies to private and public organisations.
Exemption for public authorities or bodies
As shown above, the EU and UK GDPRs are the only privacy laws considered here that exempt public authorities and bodies from the obligation to appoint a representative. The other listed privacy laws do not mention such an exemption.
The rationale behind the exemption in the GDPR is that the sovereignty of states and of their authorities and bodies should not be infringed. Any organisation processing personal data in the exercise of official authority is therefore not required to appoint a representative. The interpretation of "official authority" follows a functional approach: only those authorities and bodies that actually exercise sovereign authority are exempt.
Even where such an exemption is not explicitly included in other privacy laws, arguably the same principle applies and public authorities and bodies exercising sovereign authority should be treated as exempt.
There are a number of precedents classifying publicly funded universities as public bodies. All of these decisions were taken by data protection authorities in the same country in which the university subject to the proceedings is located. Higher education may qualify as a task in the public interest; however, that public interest can only be argued in respect of students in the same country. Reaching out to other regions to attract students from abroad cannot be covered by an exemption for the exercise of sovereign authority. Therefore, such cross-border recruitment activity should be treated as serving private, commercial purposes.
Practical insights into the role of the representative
The extraterritorial reach of any data protection law is designed to give data subjects the same rights, protections and means of redress in respect of their personal information, regardless of the location of the organisation processing their data. The role of the representative is to assist overseas organisations with all privacy-related matters, especially those involving data subjects, authorities and businesses in the foreign territory. The representative therefore acts as an addressee on behalf of the overseas organisation, providing individuals and other key stakeholders with a local point of contact in the region and ensuring that entities without a presence in the territory remain reachable. This has two main aspects:
- Compliance and accountability: the appointment of a representative fulfils an important compliance obligation and mitigates the risk of substantial fines. The representative assists with compliance and becomes a first line of contact for privacy-related matters.
- Business enabler: complying with data protection regulations demonstrates an organisation's commitment to safeguarding privacy and builds a relationship of trust. Because it is easy to verify whether an organisation has appointed a representative within the region, an organisation can proactively demonstrate reliability and trustworthiness.
The representative's role often extends to guidance for overseas organisations on the requirements of the relevant data protection laws, with such knowledge-sharing enabling them to understand and meet the individual requirements of multiple non-domestic regimes. Notably, supervisory authorities are taking an increasing number of enforcement actions for failure to appoint a representative. The EDPB recently published a study on the ability of supervisory authorities in the EU to enforce the GDPR against organisations without an establishment in the EU. The independent study, conducted by researchers of the Centre de recherche, Information, Droit et Société (CRIDS) at the University of Namur (Belgium), found that "the appointment of a controller/processor representative is crucial to the enforcement of [supervisory authorities'] investigative and corrective powers".
Such interaction with supervisory authorities also arises in data breach management, where the representative is on hand to assist overseas organisations with handling data breaches in line with the requirements of the relevant laws, including notifying data subjects and the authorities. This is particularly significant for organisations caught by the EU GDPR following the recently updated EDPB guidance, which made clear that the presence of a representative in an EU Member State does not trigger the one-stop-shop mechanism. Overseas organisations are therefore required to notify the supervisory authority of every Member State in which affected data subjects reside, which can be done via the representative pursuant to the mandate of the relevant overseas entity.
Overall, a good representative provides a wealth of knowledge about the data protection regulations, guidelines and best practices of the territory in which it is located. The representative can help overseas data handlers gain a better understanding of foreign privacy laws and navigate the complexities of competing data protection regimes where the organisation targets individuals across multiple jurisdictions. This is of particular importance where a jurisdiction has newly updated its legislation to include the requirement to appoint a representative, as is currently the case for China (PIPL) and Switzerland (DSG). The representative is on hand to interpret such new requirements and to educate overseas organisations as new guidelines emerge on the implementation of new laws. The representative can also provide guidance on other complex and frequently changing data protection issues, such as international data transfers and transfer impact assessments.