Article 3 seeks to extend the scope beyond the EEA where firms offer services to, or monitor the behaviour of, data subjects (i.e. living individuals) in the Union.
The European Data Protection Board adopted guidelines on this provision 16 November 2018. These include a number of helpful examples.
Action under this provision so far has been limited. The UK Information Commissioner’s Officer (ICO) served a formal notice on a Canadian analytics firm, AggregateIQ, which worked in the Brexit campaign; we understand this is under appeal.
The ICO also has issued a warning to The Washington Post over its approach to obtaining consent for cookies to access the service on the basis that as the newspaper has not offered a free alternative to accepting cookies, consent cannot be freely given and the newspaper is in breach of Article 7(4) of the GDPR. It seems unlikely that this will result in further action however. The ICO and the Federal Trade Commission signed a memorandum for mutual assistance in 2014; however, cookie consent is not subject to US privacy law.