undefined | Better HN

0 pointstzs8y ago0 comments

If you aren't in the Union, it applies to you if either [1]:

(a) you are processing data of data subjects who are in the union related to the offering of goods or services to such data subjects, or

(b) you are processing data of data subjects who are in the union related to monitoring of their behavior as far as their behavior takes place within the Union.

If you can avoid both of these, then I believe you can pretty much ignore GDPR.

If you have "no interest in doing business in Europe", it should be easy to avoid falling under (a). Recital 23 [2] discusses what it means to be "related to the offering of goods or services" to data subjects in the Union.

It means that you have to envisage offering services to such people. The mere accessibility of your website to EU people, or having an email or other contact details in the EU, is insufficient to show such intent. If you offer your website in EU languages that are not generally used in your non-EU country, accept EU currencies, mention your EU customers on your site, and things like that, will strongly suggest you are offering them goods and services.

What monitoring of their behavior means is discussed in Recital 24 [3]. It basically means tracking a person for profiling or analyzing or predicting their personal preferences, behaviors and attitudes.

Most sites selling things to end users probably don't need to do any such behavioral monitoring. If you do, just do a geoip check and exclude EU IPs. If you aren't trying to do business in Europe you probably want to do that anyway, because EU visitors are just noise in your data.

[1] https://gdpr-info.eu/art-3-gdpr/

[2] https://gdpr-info.eu/recitals/no-23/

[3] https://gdpr-info.eu/recitals/no-24/

0 comments

3 comments · 1 top-level

bigbugbag8y ago· 2 in thread

geoip based blocking is wrong. An American customer can be travelling in Europe and be blocked while any EU citizen can use a proxy or VPN to workaround your geoip block.

If you can live with infuriating a small portion of your customers while have a protection that can be circumvented in a matter of seconds then geoip block is what you want, otherwise ...

tzsOP8y ago

As wan23 already noted, the purpose of the geoip block is to help establish that you are not offering goods or services to data subjects in the Union, in order to not fall under GDPR territorial jurisdiction (see Article 3).

Yes, that will also catch some of your existing US customers when they travel to Europe. However, you may actually want that, because the GDPR does not talk about EU citizens. It talks about data subjects "in the Union".

I haven't seen anything about what makes someone who is physically present in the EU count as being "in the Union" for GDPR purposes. One who wants to be cautious might want to count anyone physically in the EU as being "in the Union" for GDPR purposes until there is definitive guidance otherwise.

wan238y ago

It's an efficient way to protect yourself from the regulation. You don't need to prevent Europeans from using your site, you just need to be able to say reasonably that you don't intend to operate in the EU.

j / k navigate · click thread line to collapse