Why GDPR probably doesn’t apply to the Liberty data breach

Liberty Group (“Liberty”) released a communication on 18 June 2018, advising that “it has been subjected to illegal and unauthorised access to its IT infrastructure”. The data that was the subject of the breach seemed to be “largely emails and possibly attachments.”

GDPR background

About 3 weeks before that, on 25 May 2018, a new European Union law - the General Data Protection Regulation (“GDPR”) - came into effect. It is a stringent piece of legislation which extends its jurisdiction beyond the EU.

It is intended to protect the personal information of people in the European Union. It incorporates new concepts and principles that have not yet been tested in any tribunals. Given that there are no decided GDPR-related cases, there has been much speculation about how certain provisions, including its jurisdictional scope, should be interpreted.

A proliferation of South African GDPR experts suddenly appeared when the Liberty breach happened (bearing in mind that GDPR is a piece of law, it was interesting to note how many of these experts were not lawyers). They used the opportunity to point out that Liberty is subject to GDPR (do a search using the keywords “liberty hack gdpr” to see what I mean).

In true scaremongering fashion, some focused on the fact that GDPR’s penalties could potentially be devastating: up to 4% of a group of companies’ turnover.

Whilst I am not privy to Liberty’s inner workings, business strategies and plans, the publicly available information I do have access to makes a strong argument that GDPR would not apply to it.

The territorial scope of Liberty’s business

I considered a few publicly available documents to get an idea of the territorial scope of Liberty’s business.

A document titled Liberty Holdings Limited Investor Conference, 2016 set out its Afrikan presence at the time and its anticipated 2020 presence. It mentions that Liberty is “a multi-specialist investment company in 10 Afrikan countries with business partners in North America, United Kingdom, Europe, the Middle East and Asia.” The business partners mentioned in the document appear to be institutional investors. What is evident from this document is that Liberty is clearly focused on Afrika.

Liberty’s website is also helpful as it gives an analysis of its shareholders’ geographic locations. It says that 2% of its shareholders are from the UK and 3% are from Europe. I could not find more recent information, but the Liberty Holdings Limited Annual Report 2009 says that 1.83% of its shareholders are individuals. I am neither an actuary nor an accountant, but my rudimentary calculations tell me that, at best, 0.092% of Liberty’s shareholders are EU individuals.

Its Integrated Report for the year ended 31 December 2017 and its Report to Society, 2017 were also helpful. Both documents focus on Liberty’s business across Afrika. Its Report to Society, 2017 describes its “geographies” and lists the 25 Afrikan countries where it operates. Neither document makes any mention of the EU or of conducting business in EU jurisdictions.

It seems to me, therefore, from all these documents, that Liberty is not too interested in securing business from individuals based in the EU.

Given what the documents say, does GDPR apply to Liberty?

GDPR is an EU law. One would not expect it to extend beyond its jurisdiction and regulate the behaviour of businesses in other jurisdictions. But the reality is that GDPR does indeed intend to regulate businesses beyond EU borders. This is a major concern for those outside of the EU who may be processing the personal data of EU-based individuals.

GDPR’s territorial scope is dealt with in Article 3. Articles 3(1) and (2) say:

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

From the publicly available documents I have seen, it does not seem that Liberty is engaged in “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.” There is a long explanation of what “activities of an establishment” means, but I will not deal with it here. In plain English, it simply means: are you conducting a stable business in the EU, in whatever form?

The case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, decided under the now repealed Data Protection Directive, deals with the question of “establishment” in more detail and is helpful in clarifying the issue of jurisdiction.

From publicly available documents, it does not seem that Liberty is processing personal data in the EU, as part of a business there. So, this disposes of the first basis on which GDPR can claim jurisdiction over Liberty.

But what about GDPR’s Article 3(2), which says it applies where an entity outside of the EU is engaged in the “processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: … the offering of goods or services; or … the monitoring of their behaviour …”?

Another case, Peter Pammer v Reederei Karl Schlüter GmbH & Co. KG (C-585/08) and Hotel Alpenhof GesmbH v Oliver Heller, is just as helpful. It deals with situations regarding the offering of goods and services. It clarifies the circumstances in which a service provider would, or would not, be regarded as offering services to potential customers in the EU.

Similarly, all the publicly available documents I have seen point to the fact that Liberty’s business is focused on Afrika. I think there is a strong argument that even the 0.092% of Liberty’s shareholders who may be EU-based are simply incidental. The circumstances of how they came to be Liberty shareholders would need to be interrogated further but, on the face of it, I do not think that there is a strong argument that GDPR would apply to Liberty because of them.

Conclusion

I think there has been a lot of scaremongering and hype. Many of the opinions on whether GDPR applies to Liberty may not have been carefully considered. In instances of a breach involving personal data, entities subject to GDPR are required to report a breach to the relevant data protection regulator within 72 hours.

Given my view above, I do not think Liberty would have been required to report its breach to an EU data protection regulator (I do not know whether it did so or not).


Cover image credit: Liberty Group press conference on the data breach at the Liberty head office in Johannesburg, South Africa. iAfrikan Digital