The Control and Central Management in Jurisdiction Criterion extends the applicability of data protection laws to entities that, while not formally incorporated or registered within the jurisdiction, have their central management and control located within that jurisdiction. This factor broadens the scope of data protection laws to capture entities that may otherwise attempt to circumvent local regulations through strategic incorporation practices.

Provision Examples

*"Privacy Act 1988 Art.5B(2f) in Australia: Australian link

1. An organisation or small business operator has an Australian link if the organisation or operator is:(f) an unincorporated association that has its central management and control in Australia or an external Territory."*

"DPA of 2012 Sec.6(b2) in Philippines: This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if:(b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following:(2) A juridical entity unincorporated in the Philippines but has central management and control in the country; and"

Description

The Control and Central Management in Jurisdiction Criterion is incorporated into data protection laws to ensure comprehensive coverage of entities that have a significant presence in a jurisdiction, regardless of their formal incorporation status. This factor reflects the recognition that an entity's actual operational control and decision-making center can be more relevant for regulatory purposes than its place of incorporation.The rationale behind this factor includes:

1. Closing regulatory loopholes: It prevents entities from evading local data protection obligations by incorporating in jurisdictions with less stringent regulations while maintaining their primary operations elsewhere.
2. Aligning with economic reality: It acknowledges that the location of central management and control often represents the true center of an entity's activities and decision-making.
3. Enhancing regulatory effectiveness: It allows data protection authorities to exercise jurisdiction over entities that have a substantial presence in their territory, regardless of formal corporate structures.

The provisions from different jurisdictions show a consistent approach to this factor, with minor variations in wording and scope:

• Australia's Privacy Act 1988 applies the criterion specifically to "an unincorporated association" and extends it to external territories.
• The Philippines' Data Privacy Act of 2012 uses the term "juridical entity" and explicitly mentions that the Act applies even if the processing occurs outside the Philippines, as long as it involves Philippine citizens or residents.

The Philippines' approach is particularly comprehensive, as it combines the central management and control criterion with additional factors such as the processing of personal information about Philippine citizens or residents, regardless of the location of processing.

Implications

This applicability factor has several implications for data processing activities:

1. Multinational corporations: Companies that operate globally but centralize their management in a specific jurisdiction may find themselves subject to that jurisdiction's data protection laws, even if they are not formally incorporated there. For example:
   • A technology company incorporated in a tax-friendly jurisdiction but with its executive team and key decision-makers based in the Philippines would be subject to Philippine data protection laws.
   • An international consulting firm registered offshore but with its operational headquarters in Australia would fall under the Australian Privacy Act.
2. Unincorporated associations: Organizations that operate without formal incorporation, such as some non-profits or international bodies, may be subject to local data protection laws based on where their leadership and decision-making processes are centered. For instance:
   • An international research consortium with its steering committee and primary operations based in Australia would be subject to Australian data protection regulations, regardless of its lack of formal corporate structure.
3. Start-ups and emerging companies: New businesses that haven't yet formalized their corporate structure but have established their primary operations in a jurisdiction may find themselves subject to local data protection laws. For example:
   • A tech start-up founded by Philippine residents, operating primarily from the Philippines but not yet formally incorporated, would still be subject to Philippine data protection regulations.
4. Outsourcing and data processing services: Companies that outsource data processing activities to entities with central management in jurisdictions like the Philippines or Australia need to be aware that these service providers may be subject to local data protection laws, potentially affecting data transfer and processing arrangements.
5. Compliance strategies: Entities must consider not only their place of incorporation but also the location of their central management and control when determining which data protection regimes apply to their operations. This may influence decisions about where to locate key management functions and how to structure global operations.
6. Enforcement actions: Data protection authorities may use this criterion to assert jurisdiction over entities that might otherwise claim to be outside their regulatory reach, potentially leading to enforcement actions against companies that believed they were not subject to local laws.