Social Networking Sites

New Draft Guidelines Attempt to Clarify Territorial Scope of the GDPR

Since the adoption of the General Data Protection Regulation (GDPR) by the European Union (EU) in May 2018, businesses established outside of the EU have grappled with the question of whether the GDPR’s strict rules apply to them. Many commentators have noted that the GDPR provisions and recitals do not have an easy answer. The European Data Protection Board (EDPB) recently attempted to provide some clarification by publishing draft guidelines that include a commentary on the territorial scope of the GDPR. The EDPB’s guidelines also address the related issue of whether a non-EU company subject to the GDPR must have an EU-based representative.

GDPR’s Targeting Criteria

Arguably the most significant change to the regulatory landscape affecting an individual’s data privacy is the territorial scope of the GDPR’s Article 3(2). Generally described as the GDPR’s “targeting criteria,” these provisions mean that your business must be GDPR compliant if it processes the data of an individual in the EU (a data subject) in connection with (1) offering goods or services to data subjects, or (2) monitoring data subjects’ behavior. Although the EDPB’s guidelines state that the targeting criteria are applied on a case-by-case basis, the guidelines provide several examples of how the targeting criteria can be applied, which clarify some basic points, such as:

  1. The data subject’s nationality or citizenship is irrelevant. The GDPR protects data subjects geographically located within the EU, without regard to the data subject’s nationality or citizenship. Conversely, data subjects outside of the EU, including EU citizens, are not protected by the GDPR.
  2. Geographic location and timing are critical. For purposes of applying the GDPR, the data subject’s geographic location is assessed at the moment when your activity occurs; e.g., when your goods or services are offered, or when your monitoring of the data subject’s behavior begins.
  3. Charging for services is irrelevant. The GDPR protects data subjects regardless of whether your services are free.
  4. Cookies are considered monitoring. The GDPR protects data subjects whom your business profiles or otherwise analyzes by using cookies or similar technologies.

GDPR Compliance and an EU-based Representative

A significant point clarified by the EDPB’s guidelines is that a non-EU company subject to the GDPR must appoint an EU-based representative, even though the company does not have a physical location within the EU. A company’s Data Protection Officer, who under the GDPR can be an existing employee of the company, cannot fulfill the requirements for an EU-based representative. The purpose of the requirement is to ensure that a qualified individual or entity is located within the EU to whom regulatory authorities can address compliance issues. The guidelines also make clear that the EU-based representative can even be held liable for any non-compliance, including being fined or otherwise sanctioned.

Consultation Period

The territorial scope and the appointment of an EU-based representative pose two of the most critical issues that a non-EU based company faces regarding GDPR compliance. The EDPB’s draft guidelines address several other GDPR issues in addition to these, and a full version of the guidelines can be found here. The EDPB is taking public comments on the draft guidelines until January 18, 2019. Comments should be sent to the EDPB at

What’s wrong with using information from Facebook, MySpace, Friendster or personal Web sites for hiring decisions?

Some companies believe this is a cheap way to obtain information about an applicant. Unfortunately for the applicant, this type of background check is not covered by the Fair Credit Reporting Act (FCRA) if it is performed by the employer itself. And since the sites are not mandated to investigate and correct errors, the employer may miss out on hiring a qualified candidate. Additionally, much of the information posted on these sites cannot be discussed in an interview, and if not handled properly, the employer may be sued for claims under various anti-discrimination statutes, the ADA, privacy laws, and state “off-duty” conduct statutes. Employers who use third parties to conduct background investigations by searching social Web sites and Internet postings must comply with the FCRA, and thus must explicitly state in the background check authorization that social networking and/or other such sites will be accessed. The FCRA does not prohibit employers from obtaining consumer reports that contain information compiled from Internet sites; however, employers are required to disclose to the applicant that the information was the basis of an adverse employment decision (Id. § 1681b(b)(3)(B)(i)(I)).

Despite the liability exposure and unreliability of the information, various surveys show that employers do use information from social networking sites and blogs to support their decision to hire or disqualify an applicant. The most common causes for disqualification include:

  • Information or photographs about drinking or using drugs
  • Provocative or inappropriate photographs or information
  • Poor communication skills evident in postings
  • Bad-mouthing previous employer or fellow employee
  • Misrepresentation of qualifications
  • Discriminatory remarks related to race, gender, religion, etc.
  • Unprofessional or provocative screen name
  • Indications of criminal behavior
  • Posted confidential information from previous employers