Employer CCPA FAQs #5: Does an employer have to be “established” in the United States for U.S. data privacy and security laws, and particularly the CCPA, to apply?

As our series of FAQs regarding the California Consumer Privacy Act (“CCPA”) continues we are examining the scope of the law’s jurisdiction. These FAQs should help employers determine if they are required to comply with the CCPA and if so, what steps their HR professionals and IT departments should take to be in compliance.

As a reminder, the CCPA is a new privacy law that applies to data collected about California-based employees. The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now.

For US employers who have not had to comply with the GDPR, the requirements of the CCPA will likely require a new analysis of the treatment of employee-data and implementation of updated or new data policies. For employers with European operations, one key area of interest is the degree to which the CCPA aligns with the European General Data Protection Regulation (“GDPR”). Employers in compliance with the GDPR will likely already be familiar with many of the requirements of the CCPA – and with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees.

BCLP offers a complete compliance program for employers that includes a formal gap assessment and tailored policies, procedures, and protocols to close identified gaps. Bryan Cave Leighton Paisner LLP has a team of knowledgeable lawyers and other professionals prepared to help employers address their obligations under the California Consumer Privacy Act. If you or your organization would like more information on this or any other employment issue, please contact an attorney in the Employment and Labor practice group.

Question #5: Does an employer have to be  “established” in the United States for US data privacy and security laws, and particularly, the CCPA, to apply?

In general, United States data privacy and security laws are not tied to the physical location of an organization or its country of incorporation.  That said, some state privacy and security laws apply only to entities that “conduct business” within the state.^[1]  Such requirements are likely designed to make the scope of the state statutes harmonize with the ability of state courts to obtain personal jurisdiction over defendants.

The CCPA is a good example of a state statute that applies to entities that conduct business within the state, regardless of where the entity is ultimately located.  Specifically the CCPA states that it applies to “businesses,” a terms which is defined as including only an organization that “does business in the State of California.”^[2]  In practice, courts have exercised a great deal of flexibility when determine what activities constitute “doing business.”

The practical effect is that any entity that conducts business in California and has employees who are California residents may have to comply with the CCPA, effective January 1, 2020.  Employers should be conducting an analysis of their potential compliance obligations now.

The GDPR Contrast

In comparison, the European GDPR applies to companies that process data “in the context of the activities of an establishment . . . in the Union.”^[3]  Although the regulation does not offer a precise definition of what it means to be an “establishment,” it offers the following hints:

• Stable Arrangements According to the GDPR establishment “implies the effective and real exercise of activity through stable arrangements.”^[4]
• Legal Form May Be Relevant, But Is Not Determinative. The GDPR states that if an entity is active in the European Union the legal form of those activities “whether through a branch or a subsidiary with a legal personality, is not the determining factor” when deciding whether the entity is “established.”^[5]  Put differently, the fact that a company is not incorporated in the European Union does not necessarily mean that it does not have an “establishment” in the European Union.
• Location of Infrastructure May Be Relevant, But Is Not Determinative. The GDPR states that “presence and use of technical means and technologies for processing” within the European Union is not the “determining criteria” of whether a company’s “main establishment” is in the European Union, but it implies that it may be one factor of whether an establishment exists.^[6]
• Central Administration Is a Factor. The GDPR refers to the "central administration” of an organization as typically its “main”^[7]  The net result is that if an organization coordinates its activities from a European Union Member State the organization is likely to be found to have an establishment in that Member State.
• Decision Making Is a Factor. The place where “decisions on the purposes and means of the processing of personal data” are made is a factor when determining where a company’s “main establishment” may be located.^[8]

The Article 29 Working Party - an influential, independent advisory body to the European Commission on data protection matters that was chiefly comprised of representatives from each Member State’s supervisory authority - provided little additional context other than to advise companies to look to judicial interpretation stating that ultimately "[t]he place, at which a controller is established, . . . has to be determined in conformity with the case law of the Court of Justice of the European Communities."^[9]  The European Court of Justice in turn has provided two additional indications of what factors may be relevant when determining whether an entity has an establishment in the European Union.

In the final analysis, it is unclear what, if any, difference exists between how European courts interpret what it means to be “established” within the EEA and how United States courts interpret what it means to be “doing business” within the United States.

[1] See, e.g., Wisconsin Data Breach Notification Statute, Wisconsin Section 134.95(1)(a)(1).

[2] CCPA, Section 1798.140(c)(1).

[3] GDPR, Article 3(1) (emphasis added).

[4] GDPR, Recital 22 (emphasis added).

[5] GDPR, Recital 22; See also Article 29 Working Party, WP 56: Working Document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites at 8 (30 May 2002); Verein fur Konsumenteninformation v. Amazon, ECJ Case C-191/15 at ¶ 75 (28 July 2016).

[6] GDPR, Recital 36 (emphasis added).

[7] GDPR, Recital 36 (emphasis added).

[8] GDPR, Recital 36 (emphasis added).

[9] Article 29 Working Party, WP 56: Working Document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites at 8 (30 May 2002).