Article excerpts from a forthcoming book – 99 Articles on the GDPR
Summary: Not selling or targeting EU customers/citizens does not discharge an organization’s obligations under the GDPR. An organization should not only get consent from all visitors to its website but also understand how personal data is handled within the organization.
- Even if you don’t sell to the EU, if your organization is “established” in the EU, you are subject to the GDPR.
- Blocking all traffic from the EU will cause more harm than good.
- Intent and targeting are important factors in determining non-targeting.
The concern that arises with regulating technology is that enforcement may not be in line with the spirit of the regulation and its intended outcome. The argument is always that it’s very hard to measure and regulate “disruption” or competition. While terms that may be overbroad are open to criticism, there may not be wording or a framework that addresses a focused way to regulate data and privacy and, even more difficult, implements it in practice when new technologies are introduced into the market. In the case of the GDPR, the intent of the regulation has always been to protect EU citizens from the willful targeting and use of their data.
Data Controllers & Processors
Under the terms of the GDPR, data controllers and processors are subject to the GDPR if they are established in the EU. Being “established” in the EU could mean a branch, a subsidiary or even a single employee or agent in the EU. It’s a low threshold for sure. If the controller or processor is handling data of a non-EU entity whose customers are non-EU persons, the controller or processor will still fall under the purview of the GDPR. The terms are quite overarching for any organization that sends data to the EU.
A physical location is quite important for the purposes of the GDPR. A data subject in the EU means any person “in the Union whose information is being collected at that moment, regardless of their nationality or legal status.” If a US organization with US citizens is operating in the EU, it is subject to the GDPR. However, if the same US organization’s employees are EU citizens doing business in the US, it is not subject to the GDPR. In short, any person physically within the EU is protected by the GDPR regardless of citizenship.
Intent and Targeting are Keywords
However, a concern arises in the real world when an EU citizen is not targeted. Data governance has not evolved enough to accurately discern residents of non-EU states or to understand who is an EU citizen. At this point, general information, such as an email address collected during registration, is not the best indicator of citizenship. In current theory, if the organization knowingly collects an EU citizen’s email address, it will be expected to handle the information as if it were collected in the European Union. Even if the collection was unintentional or took place outside of the EU, the organization is still subject to the regulation. For example, if an EU citizen visits the Explorer’s Club (it’s a wonderful organization) for a real-world event, the organization must be able to distinguish the EU citizen’s data from that of other attendees. The concern with data protection under the GDPR is not how an organization obtains or uses data, so long as the EU citizen is protected under the GDPR.
Avenues To Look For
An organization can simply block all traffic that comes from the EU, but that would be a bit drastic, as online marketing and search rankings would be affected more broadly for an organization around the world. While the internet is truly a borderless form of communication, excluding an entire region such as the EU can have peripheral effects on the organization’s business model.
The GDPR allows organizations to serve or target the EU so long as there is consent. However, if there is no consent, make sure the website isn’t directly or indirectly offering services to the EU. For example, offering website language versions in German or running paid ads in the EU is considered to be targeting. From a data collection perspective, make sure the organization not only lays out what type of data is collected but also has the ability to document that data if someone from the EU submits a data request.
The GDPR does not concern itself with whether a person lived or worked in the European Union (EU) or not. You are still liable if the organization’s service or communications target the EU. The reason is that many website operators don’t even know where in the world you are experiencing their sites. For example, just because an analytics platform says that your traffic originates from somewhere in the EU doesn’t necessarily mean that you are in the EU, and vice versa. It will be interesting to see how the members of the EU enforce the GDPR, because now organizations may be culpable based on unintentional actions. So, fair warning to organizations: just because you’re not intending to target someone in the EU doesn’t mean that you’re out of the woods. The GDPR is meant to create a client-centric environment for organizations, so understanding your customer’s location is an attendant effect of this regulation.