If we have a company incorporated solely in the USA that has web content that violates the GDPR but shows a popup and states in its ToU that the website is not to be used by any person or entity in countries that follow the GDPR, can our company be fined under the GDPR?
In other words, do GDPR countries claim jurisdiction over non-GDPR countries' websites?
But is that the case with Disqus? They are collecting marketing information on citizens of the EU. Who is buying that information? I would assume that Disqus does business with EU companies that want that information. Either that, or they do business with other international companies that do business with EU companies.
At some point, Disqus is probably trapped within a graph that connects them and their legal obligations to the EU.
Ignoring legitimate fines seems like a pretty bad idea. I think most countries have law to the effect that the directors of the company being fined are liable, so if you skip those fines then one of the directors goes on holiday to that country then they could be sent to prison.
Any EU citizen in or out of country has their PII protected by EU law, regardless of who processes that data.
A pop-up or ToU would not skirt the visitors rights, regardless of what the message said and regardless of the action the user took as a result of the message
That's a common misconception. GDPR applies to "data subjects who are in the Union". Whether or not the data subjects are EU citizens is irrelevant.
It also applies to all data processing of processors or controllers who are in the Union, regardless of where the processing takes place or whose data is being processed.
For processors or controllers not in the Union processing data of a subject in the Union it applies if (1) the processing is related to the offering of goods or services in the Union, or (2) the monitoring of behavior that takes place within the Union.
Some examples:
If I, a US citizen who has never set foot outside the US, have some interaction with a German company then GDPR applies. The German company is in the Union so it applies to all their data subjects regardless of citizenship or location.
If a French citizen comes to the US and some local US business gathers all kinds of personal information about them GDPR does not apply. The data subject is not in the Union and the processing is not being done by an entity in the Union, so no GDPR.
No, that's wrong.
First of all, the GDPR does not take into consideration citizenship, at all. The Regulation targets location rather than nationality. In other words, if either the data subject or data controller is in the EU/EEA then the GDPR applies, even if the other party is not in the EU/EEA (the UK GDPR is the same, but replace "EU/EEA" with "UK").
Secondly, the GDPR regulates the use of Personal Data, not PII. PII is a US legal term and has multiple definitions. Personal data is a broader concept than PII.
If GDPR applies, it applies not only to citizens, but also to residents at the time of the transaction.
The relevant part of GDPR is Article 3, and Recital 23 (full law text in the links below--read them, they're short!).
GDPR applies to a non-EU website that "envisages offering services to data subjects" in the EU. Recital 23 explicitly says that a website merely being available does not count. Offering localized content (e.g. languages, currency for ecommerce) counts. And if your website treats users in the EU differently (such as by having a pop-up that mentions GDPR), that shows evidence that you believe users from Europe are in the target audience of your site.
Actually enforcing fines is a different matter, and will require some locus of business in the EU.
This is an interesting passage.
It seems to me that saying to ALL visitors of the website that the goods and services are not offered to GDPR places should be sufficient to preclude GDPR jurisdiction.
It's not that uncommon. As a concrete example, I know that US expats in Germany are having problems with some banks because FATCA[1], a US law, imposes more controls over every bank in the world dealing with US citizens. At least one German bank [2] has stopped taking US citizens as customers, and I have informally heard of more.
[1] https://en.wikipedia.org/wiki/Foreign_Account_Tax_Compliance...
[2] https://americanexpatfinance.com/news/item/612-german-bank-t...
If you are transparent about what tracking you do and don't do stuff that people don't want, all that's left is including some boilerplate text like "you have rights X, Y and Z and you can contact us at our@email" and you're GDPR compliant.
To me at least, 95% of GDPR compliance is just acting ethically.
Doing that requires understanding a law without much case precedent, that is extremely broad and has a whole spectrum of enforcement options.
I completely see why a small org might decide to just geo block. That’s an easy to implement, easy to document & defend attempt at compliance.
2. It was my understanding that GDPR compliance is extremely expensive, is this not the case? Perhaps it is very simple.
GDPR is not about web or technology. It applies for information on paper too, so there is no clever workaround with hosting your website somewhere else or other tricks.
In short if you don't want to respect GDPR then do what some websites do and reject users from EU.
> This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union […]
https://gdpr-text.com/read/article-3/
And no, there is no exception for a disclaimer. The only thing you can do to work around it is to simply not collect the data, which is what some sites have attempted to do with geo-blocks on their sites.
There are several factors that play in. For example that the data controller offers the delivery of goods in EU Member States, say a plugin like Disqus. It could also be that they have a .eu top level domain.
The Norwegian DPA also writes this in their advanced notice: "Online tracking using cookies and behavioural advertising are explicitly mentioned as activities which constitute monitoring of behaviour in the EDPB Guidelines on the territorial scope of the GDPR."
EDPB: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) https://edpb.europa.eu/sites/default/files/files/file1/edpb_...
Have a read if you don't believe: https://decoded.legal/blog/2021/04/the-eus-terrorist-content...
I think it's a load of bunk shit.
Companies should be following the law of their country, not of other countries.
I don't want businesses to be forced to bow to the will of Europe, or Iran, or China, or any country other than their own.
It sets up a weird quasi-legal precedent where companies could be in the position of trying to play ball with multiple legal systems.
See Russia: they want Russians' data to be on Russian servers, even if your company is not there.
Why? Probably so they can seize the digital assets of citizens they want to send to the gulag.
I don't like it one bit. I don't like Google working with China, and I don't like GDPR affecting American companies.
You need to be careful and follow the law of your country.
It pertains to tax as well, which I never understood: how does a different country want to impose a tax on a company that doesn't operate there? They might have customers there, but they don't operate there in any meaningful sense, no more than they 'operate' there if I go onto a US website while on vacation in a foreign country.
thanks - I hate it.
Interesting that Norway isn't part of EU, but they implement GDPR.
Wiki quote on Norway:
> After the 1994 referendum, Norway maintained its membership in the European Economic Area (EEA), an arrangement granting the country access to the internal market of the Union, on the condition that Norway implements the Union's pieces of legislation which are deemed relevant (of which there were approximately seven thousand by 2010). Successive Norwegian governments have, since 1994, requested participation in parts of the EU's co-operation that go beyond the provisions of the EEA agreement. Non-voting participation by Norway has been granted in, for instance, the Union's Common Security and Defence Policy, the Schengen Agreement, and the European Defence Agency, as well as 19 separate programmes.
[1] https://arkiv.klassekampen.no/article/20180420/ARTICLE/18042...
The GDPR is great for the citizens! My wish is that more countries follow the EU and implement similar and compatible laws. An interesting example of this is that the UK made sure to implement a clone of GDPR in UK law before leaving the EU/EEA.
I suggest instead that the UK government have deliberately extracted themselves from the EU's version of GDPR, by cloning it.
The UK is now an external "third country" in terms of EU GDPR, and has a data border with the EU - whereas Norway sits within EU GDPR.
Incidentally, the UK has now left the EU but has retained the GDPR in domestic law.
Almost all EU regulations and rights – except those pertaining to agriculture, fisheries and the customs union – apply to the whole of the EEA, meaning all of the EU + Norway, Iceland and Liechtenstein (in addition, many also apply to Switzerland, but in that case through a complicated set of bilateral Swiss-EU agreements that sorta-kinda emulate EEA membership, but isn't).
For all intents and purposes, apart from the three areas stipulated above + voting rights, Norway is an EU member. A business that operates in Norway (outside of the agriculture or fisheries sector) can be seen as operating in the EU. Likewise, Norway-based users of a service with a business presence in the EU are protected by EU laws, like the GDPR.
Norwegians have the same access to the EU labor market as, say, Germans. And EU citizens have the same right to take up residence in Norway and interact with the Norwegian state under the same conditions as a Norwegian.
That meant that websites that had enabled a specific setting ("Enable anonymous cookie targeting") in Disqus were tracking Norwegians without informing them. Most of the websites in Norway and elsewhere did not know they were sharing users' data through Disqus.
Major sites like the Wirecutter, The Hill, 9to5mac, Breitbart had enabled the setting in 2019. Of the 23 websites I contacted, all 11 that responded told me they were unaware of the tracking and had turned the setting off.
(I wrote the investigative articles in 2019 for the Norwegian public broadcaster NRK.)
A thread in English from then explains most of the findings: https://twitter.com/martingund/status/1207327648093003777
Not to sound too clever, but I would assume if I embed a third party on my website, all bets are off considering privacy/data flow. Only the biggest services with the biggest publicity like GA have rudimentary privacy (opt-out, IP anonymization).
That's definitely not the case. It'd be true only if there is no contract w/ the 3rd party at all. Many contracts cover data leaks and the like and the contractual obligations are "non-trivial" to put it mildly.
That you have to take care of these things is kind of the point of GDPR. If you don't know what some embedded server will do with users' data, don't use it. No more fast and loose.
There was for example one case of Canadian firm 'AggregateIQ' being pursued by the UK's ICO over privacy violations, and Canadian regulators agreed.
https://www.theguardian.com/world/2019/nov/26/brexit-data-fi...
As an aside, I'm completely behind GDPR, CCPA, and related privacy laws. I think they're great. I definitely comply with the spirit of the laws in my hobby projects by doing things like not tracking anonymous users, not retaining identifiable logs, etc. This isn't me trying to get away with something nefarious. More like, I don't (and won't) bother with things like cookie banners even if GDPR would want me to.
If a company asks for GDPR consent, either:
• They have cool, optional features of their site / service / system (though they could just ask at run-time, when you try to use those features, in most cases); or
• They're doing something dodgy and want to wave a magic wand and remove the dodginess by getting you to “consent”.
Note that if it is a personal website you are not subject to GDPR. GDPR only applies to companies and organizations.
Also note that most stuff that a layperson would say is reasonable for a website to function isn't a problem in GDPR.
||disqus.com^
You could also try a dynamic filter and disable it on a per-site basis:
* disqus.com * block
Or try "medium mode" to take care of Disqus and a whole host of other third party resources that track you: https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium...
https://github.com/gorhill/uBlock/commit/7c22a312945a2bff41a...
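The static rule `||disqus.com^` is not a plain substring match, and the difference is what makes it safe to put in a blocklist. The following is an added example, not code from the thread and not uBlock Origin's own engine: a small Python matcher for a subset of the ABP/uBlock static filter syntax (`||` hostname anchor, `|` address anchors, `^` separator, `*` wildcard) run over a constructed set of request URLs. It shows that `||disqus.com^` catches disqus.com and its subdomains but not look-alike hosts such as notdisqus.com or disqus.com.evil.example, and never matches inside a path. Option flags after `$` are stripped and ignored, which is a simplification; the URL list is constructed for the example.

```python
import re

# In ABP/uBlock syntax '^' is a "separator": any character that is not a
# letter, a digit, or one of '_', '-', '.', '%', or the end of the address.
SEPARATOR = r"(?:[^\w\-.%]|$)"


def rule_to_regex(rule: str) -> "re.Pattern[str]":
    """Translate one static network filter into a compiled regex.

    Supported subset: '||' hostname anchor, '|' start/end anchor, '^'
    separator, '*' wildcard.  A trailing '$options' part (e.g. $third-party)
    is stripped and ignored here; a real engine evaluates it.
    """
    pattern, _, _options = rule.partition("$")

    if pattern.startswith("||"):
        # '||' must match right after the scheme or after a '.' inside the
        # host, so ||disqus.com^ covers disqus.com and c.disqus.com but not
        # notdisqus.com, and cannot match text inside the path or query.
        prefix = r"^[a-z][a-z0-9+.\-]*://(?:[^/?#]*\.)?"
        pattern = pattern[2:]
    elif pattern.startswith("|"):
        prefix = "^"
        pattern = pattern[1:]
    else:
        prefix = ""

    suffix = ""
    if pattern.endswith("|"):
        suffix = "$"
        pattern = pattern[:-1]

    body = []
    for ch in pattern:
        if ch == "*":
            body.append(".*")
        elif ch == "^":
            body.append(SEPARATOR)
        else:
            body.append(re.escape(ch))
    return re.compile(prefix + "".join(body) + suffix, re.IGNORECASE)


def rule_matches(rule: str, url: str) -> bool:
    """True if the filter would block a request to this URL."""
    return rule_to_regex(rule).search(url) is not None


def first_blocking_rule(rules, url):
    """Return the first rule in the list that blocks the URL, or None."""
    for rule in rules:
        if rule_matches(rule, url):
            return rule
    return None


# Constructed sample: the rule from the thread, request URLs a page embedding
# Disqus would make, and look-alikes that must NOT be blocked.
RULES = ["||disqus.com^"]
SAMPLE_URLS = [
    "https://disqus.com/embed/comments/?base=default",
    "https://c.disqus.com/next/embed/common.bundle.js",
    "https://example.com/blog/",
    "https://notdisqus.com/",
    "https://disqus.com.evil.example/",
    "https://cdn.example.com/disqus.com.png",
]


def audit(rules=RULES, urls=SAMPLE_URLS):
    """Map each URL to the rule that blocks it (None if the request is allowed)."""
    return {url: first_blocking_rule(rules, url) for url in urls}


if __name__ == "__main__":
    for url, rule in audit().items():
        print(f"{'BLOCK' if rule else 'allow':5}  {url}  {rule or ''}")
```

The hostname anchor is the important part: a bare `disqus.com` pattern would also block `https://cdn.example.com/disqus.com.png` and match `disqus.com.evil.example`, while the `^` separator after the host stops the rule from bleeding into longer host names.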
It seems that there was some setting that is enabled by default in all countries other than those with the GDPR law.
Also, from an earlier article: "The company also claims that they have not shared Norwegians' online visits with anyone other than the parent company Zeta Global. Zeta Global describes itself as a 'data-driven marketing company' that has information on over two billion identities."[1]
As a Norwegian, it will be interesting following this case.
[0]: https://nrkbeta.no/2021/05/05/datatilsynet-varsler-bot-pa-25...
[1]: https://nrkbeta.no/2020/09/04/datatilsynet-mener-det-er-sann...
Good to see them taking this seriously. I get the impression a lot of sites/services make expansive use of the legitimate interest provision.
Ad-tech companies get more and more emboldened lately. They see that the GDPR is not really enforced, they assume that big, cash-rich companies will get taken on first, competitors are doing it too, so they gamble they can get away paying lip service to GDPR while continuing their illegal tracking practices.
I have seen several startups pitching schemes that seem blatantly illegal to me, while assuring that their tech is fully compliant. Often using the words "legitimate interest" to prove this point.
But then it's just a matter of closing that enterprise down and creating a new one. They can keep apis stable and give the big corporations plausible deniability as "the contractor said they're compliant"
Oh well.
(Edit: their revenue was $368M over the last 12 months, so €2.5B would be too high. The current fine is still an order of magnitude or two too low to meaningfully change anyone's behavior. It's a couple of days of revenue. They could simply write it off as the cost of doing business, especially if they think GDPR compliance will impact business growth.)