As well as applying to all organisations in the EU that process personal data, the GDPR (General Data Protection Regulation) applies to non-EU organisations that offer goods and services to, or monitor the behaviour of, EU residents.
However, numerous organisations outside the EU have simply opted to block EU traffic to their websites rather than comply with the new law.
TechCrunch reported on 25 May – the day the GDPR came into effect – that a number of high-profile US news websites owned by Tronc and Lee Enterprises were “temporarily unavailable in Europe”.
Affected sites included the New York Daily News, Chicago Tribune, LA Times, Orlando Sentinel and Baltimore Sun.
News organisations weren’t the only ones to shut Europe out. According to the BBC, a number of tech firms also took this route, including Instapaper, Stardust and Unroll.me.
Payver, an app that pays users for dashcam footage, is pulling out of the EU market entirely, never to return, as are a number of video games companies, many of which said they couldn’t afford to comply with the new law.
Others are undoubtedly doing the same. But do they need to?
Why block EU traffic?
What does the GDPR say about offering goods and services to, and monitoring the behaviour of, data subjects in the EU?
Recital 23 explains that:
Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain [their intention to offer goods or services to data subjects in the EU], factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
In other words, if you’re not based in the EU:
- The fact that your website is merely accessible in the EU doesn’t mean you necessarily intend to offer goods and services to the EU, so you don’t need to block all EU traffic to your website by default.
- However, if you offer customers the chance to use a language that’s generally used in the EU, it might indicate that you intend to offer goods and services to EU residents – that is, if the language is not generally used in your own country.
- Offering customers the opportunity to pay in a currency that’s used in the EU (in other words, euros, UK sterling, Bulgarian lev, Croatian kuna, Czech koruna, Danish krone, Hungarian forint, Polish zloty, Romanian leu, Swedish krona, Swiss franc or Turkish lira) might also be taken as an indication that you intend to offer goods and services to EU data subjects.
- If you mention customers or users in the Union, authorities may assume that you intend to offer goods and services to EU residents.
The extent to which these factors apply is, obviously, open to interpretation by the supervisory authorities. Note that in all cases it’s your intention that seems to be the most crucial point – the GDPR talks about whether you ‘envisage’ offering goods and services, so there’s certainly room for interpretation.
As to monitoring, Recital 24 says:
In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
This should be self-explanatory. Do you use web analytics tools to track your EU site visitors? The vast majority of commercial websites do.
Rejecting the GDPR
Non-EU organisations that do not think they can afford to comply with the GDPR may be pleasantly surprised, and need not turn their backs on the European market. Compliance needn’t be prohibitively expensive, especially if you were compliant with previous EU data protection laws.
We emphasise that the GDPR is not all about fines and penalties: compliance is a good thing for your organisation, bringing with it enhanced customer relationships through improved accountability.
Moreover, by implementing and maintaining the technical and organisational measures required by the GDPR, you will benefit from greater information governance and cyber resilience, ultimately saving your organisation money.
Help complying with the GDPR
Obviously, blocking EU traffic isn’t an option for organisations within the EU, which must comply with the GDPR irrespective of where their customers are based.
If you’re concerned about your level of compliance with the new law, don’t worry. It’s not too late.
To help, IT Governance is offering 15% off its certified GDPR training courses as part of its summer sale.