At the heart of EU data protection law is the passionate belief in the right to privacy. Indeed, the Treaty of Lisbon has now recognised both privacy and data protection as fundamental rights under EU law.
Yet, as with any other law, it must be clear when and where EU data protection rules apply, and the applicable law provision in the current Data Protection Directive (Directive) has caused some headaches.
Following the Google Spain decision, all global businesses should take note of how they may be brought within the scope of EU data protection law even if it appears that a non-EU-based part of their business is involved in different services from EU operations. Certainly a global business without a clearly identified EU-based controller should consider establishing an entity in one Member State in order to conduct all data processing subject to EU rules through that entity and the law of that Member State.
Going forward, the new Regulation’s likely direction of travel will include applying EU data protection law to online services and behaviours that target EU individuals. Therefore, global businesses should think through how their online offerings are positioned and the likelihood that their customers are or will be EU individuals. In particular, global businesses operating online tracking or profiling technologies are far more likely to be caught by the scope of the new Regulation and would do well to prepare for it.