Monitoring Data Subjects Within Jurisdiction
The monitoring of data subjects' behavior within a jurisdiction is a key factor used to determine the applicability of data protection laws to controllers or processors not established within that jurisdiction.
Provision Examples:
"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (b) the monitoring of their behaviour as far as their behaviour takes place within the Union." (GDPR Art. 3(2b), EU)
"This Law shall apply to the processing of personal data of data subjects who have their domiciles and/or habitual residence in the territory of the Republic of Serbia by a controller and/or processor which do not have their seat and/or domicile or habitual residence in the territory of the Republic of Serbia, where the processing activities are related to: 2) the monitoring of activities of data subjects, as far as their activities take place within the Republic of Serbia." (LPDP Art. 3(4)(2), Serbia)
"In the event that a Data Controller or a Data Processor is outside the Kingdom of Thailand, this Act shall apply to the collection, use, or disclosure of Personal Data of data subjects who are in the Kingdom of Thailand, where the activities of such Data Controller or Data Processor are the following activities: (2) the monitoring of the data subject's behavior, where the behavior takes place in the Kingdom of Thailand." (PDPA, B.E. Sec. 5(2)(2), Thailand)
Description
The monitoring of data subjects' behavior within a jurisdiction is a common factor used to extend the territorial scope of data protection laws. This factor is designed to ensure that individuals' personal data is protected even when processed by entities not physically present in the jurisdiction, as long as those entities are monitoring the behavior of data subjects within the jurisdiction's borders.
The provisions across different jurisdictions show remarkable similarities in their approach to this factor. They all focus on:
- The location of the data subject: The data subject must be physically present within the jurisdiction's territory.
- The location of the controller/processor: The provisions specifically target controllers or processors not established within the jurisdiction.
- The nature of the processing activity: The processing must involve monitoring the behavior or activities of the data subject.
- The location of the monitored behavior: The behavior being monitored must take place within the jurisdiction's territory.
This approach reflects lawmakers' recognition of the global nature of data processing and the need to protect their citizens' data regardless of the physical location of the entity processing it. By including this factor, jurisdictions aim to prevent companies from circumventing data protection obligations simply by establishing themselves outside the jurisdiction while still targeting or monitoring individuals within it.
Implications
The inclusion of this factor has significant implications for businesses operating across borders:
- Global reach: Companies based outside a jurisdiction may still be subject to its data protection laws if they monitor the behavior of individuals within that jurisdiction. For example:
  - A US-based e-commerce company tracking the browsing behavior of EU residents on its website would be subject to the GDPR.
  - A Chinese social media platform monitoring the activities of Thai users would fall under the scope of Thailand's PDPA.
- Online tracking: Many common online practices could be considered "monitoring," potentially bringing companies under the scope of these laws. This might include:
  - Using cookies or similar technologies to track user behavior on websites.
  - Analyzing user interactions with mobile apps.
  - Profiling users based on their online activities for targeted advertising.
- IoT and smart devices: Companies offering Internet of Things (IoT) devices or smart home products that collect data on user behavior within a specific jurisdiction may be subject to its data protection laws, even if the company is not based there.
- Geolocation services: Apps or services that track users' physical location within a jurisdiction could fall under these provisions.
- Compliance challenges: Companies operating globally may need to implement jurisdiction-specific data protection measures to comply with various laws, potentially leading to complex and costly compliance programs.
- Extraterritorial enforcement: While these provisions extend the laws' applicability, enforcing them against companies with no physical presence in the jurisdiction can be challenging, potentially requiring international cooperation mechanisms.