As GDPR becomes the new normal, the European Data Protection Board (EDPB) is taking the lead in addressing some of its thorniest issues. 

Among others, the Regulation's art. 3 on territorial scope of application, whose echo is already reshaping data protection standards worldwide.

This rule is important because it "weaponized" GDPR with an extra territorial reach affecting businesses operating in the European market or offering goods and services to EU citizens from outside the Union.

In this context, EDPB's guidelines on GDPR's territorial scope (currently under public consultation) are a good tool to understand how to interpret art. 3 from a practical point of view. 

From a general perspective, the guidelines follow the same principles set forth under the previous 1995 Data Protection Directive and consolidate them with reference to existing case law of the European Court of Justice in various ground-breaking decisions (such as the Google Spain case).

In other words, the EDPB did not break any new ground but only confirmed regulators' view on the establishment criterion under the previous legal framework.

What the EDPB did though, was to introduce in the guidelines specific examples on how to solve art. 3's most complex hypothetical scenarios concerning territorial scope. 

For example: is a non-EU controller using a EU processor to offer services in a European country subject to the GDPR? Should an extra-EEA app developer designate a representative in the Union? When is GDPR applicable by virtue or public international law? 

All such questions are answered, although some gaps still remain. 

The guidelines are helpful and clear overall. However, at this time, the EDPB is leaving the door open for some refinement, as this document will most likely become a defining piece of regulatory guidance on GDPR in the future.