The factor of "doing business in jurisdiction" is used to establish the applicability of data protection laws to organizations based on their economic activities within a specific jurisdiction. This criterion ensures that entities engaged in commercial operations or targeting residents within the jurisdiction are subject to local data protection regulations, regardless of where the actual data processing occurs.

Provision Examples

"CCPA Sec.1798.140 (d)(1) in USA - California: (d) 'Business' means: (1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds: (A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185. (B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households. (C) Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.'

"CDPA Sec.2 in USA - Connecticut: The provisions of sections 1 to 11, inclusive, of this act apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that during the preceding calendar year: (1) Controlled or processed the personal data of not less than one hundred thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed the personal data of not less than twenty-five thousand consumers and derived more than twenty-five per cent of their gross revenue from the sale of personal data."

"FDPA Sec.501.703(1) in USA - Florida: (1) This part applies only to a person who: (a) Conducts business in this state or produces a product or service used by residents of this state; and (b) Processes or engages in the sale of personal data."

"Implementing Rules and Regulations Sec.4(d5) in Philippines: The Act and these Rules apply to the processing of personal data by any natural and juridical person in the government or private sector. They apply to an act done or practice engaged in and outside of the Philippines if: d. The act, practice or processing of personal data is done or engaged in by an entity with links to the Philippines, with due consideration to international law and comity, such as, but not limited to, the following: 5. An entity that carries on business in the Philippines;"

Description

The "doing business in jurisdiction" factor is crucial for defining the scope of data protection laws, ensuring that entities engaged in economic activities or targeting residents within a jurisdiction are subject to the local regulations. This factor is employed to address the following considerations:

Rationale

Lawmakers incorporate this factor to:

• Ensure Local Accountability: By applying data protection laws to entities doing business within a jurisdiction, lawmakers ensure that local residents' data is protected, regardless of where the data processing occurs.
• Prevent Jurisdictional Avoidance: It prevents companies from circumventing local data protection laws by merely processing data outside the jurisdiction while targeting local consumers.

Commonalities

Across various jurisdictions, this factor includes:

• Business Presence: Entities must have a commercial presence or conduct activities targeted at residents in the jurisdiction.
• Thresholds: Different thresholds often specify the minimum amount of data processing or revenue from data sales that necessitate compliance.

Approaches

• California: Defines "business" broadly to include various legal entities and sets thresholds based on revenue and data volume, ensuring extensive coverage.
• Connecticut and Delaware: Use thresholds related to the amount of personal data processed or revenue derived from data sales, targeting significant data processors.
• Florida: Similar to others, but emphasizes both business presence and engagement in data sale or processing.
• Philippines: Includes a broader scope, applying to entities with links to the jurisdiction, reflecting a global perspective on jurisdictional reach.

International models such as the OECD Privacy Framework emphasize similar principles, advocating for data protection laws to apply based on an entity’s activities and connections within a jurisdiction.

Implications

Business Scenarios

• Cross-Border Operations: A company based outside the U.S. but targeting U.S. consumers would need to comply with state-level data protection laws like CCPA or CDPA if they meet the business presence criteria.
• Local Entities: A business operating in Florida that processes personal data must adhere to FDPA regulations even if data processing is conducted abroad.
• Global Reach: An entity with operations in the Philippines must comply with data protection rules if it has business links to the country, even if the data is processed elsewhere.

This factor ensures that entities engaging economically with residents of a jurisdiction are bound by local data protection laws, aligning with global standards and promoting comprehensive data privacy practices.