by roel_v 2952 days ago
I see this 'VPN' argument a lot, but it's wrong. If the Chicago Tribune tracks users accessing their site through a VPN, without informed consent, they are in violation. Art 3 para 2 in b makes the Regulation apply to them and doesn't make provisions about whether the controller or processor has a way to find out if the behaviour of the data subject takes place within the Union. I don't see any reason for a different interpretation in the Recitals, either. Furthermore note that subs a and b in art 3 para 2 are alternative, not cumulative requirements.

Let me rephrase: when you collect data on people with the goal to do behavioral / preference analysis on it, it doesn't matter any more whether or not you're 'marketing' to them, or even that you 'send them a clear message' you don't 'market to them'. The GDPR still applies to you.


The relevant language is in recital 24. “Factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”

If the Chicago Tribune doesn't envisage offering goods or services to EU residents, it's not covered. And geofencing out EU residents is a pretty good indicator it's not. (Frankly, it probably doesn't have to--it's unclear why someone would think the Chicago Tribune was actively marketing to EU residents anyway--but geofencing them out certainly eliminates any ambiguity.) Someone can't find their way to a site, fake being outside the EU, yell gotcha, and expect European regulators to do anything about it, whatever people may wish.

Sure, that's a criterion for art 3 para 2 sub a. What I am talking about is sub b, for which the question whether one offers goods and services is irrelevant (that's what I meant when I said 'a and b are alternative, not cumulative').

So the question is - does the Chicago Tribune 'monitor user behavior'. The recitals say about that

In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

If I look at the list of tracking scripts, it's rather obvious that this is what their 'data processors' are doing. Hence, the territorial scope extends to them.

I've been served ads on US outlets for products which clearly target my home market (Germany). This will make it hard to argue that you are not targeting that audience. In my opinion, if you serve ads on your site which target EU consumers, you're doing business here. I don't think it matters whether you do that through a third party.

By blocking EU IP ranges, that may change, I admit that. However, if by other measures like fingerprinting the browser you serve EU-specific ads to VPN'd users, you may be in for problems.

>> "offering goods or services"

IANAL but it would seem pretty obvious that any content a visitor might seek on a website would fall under the rubric of "services." It seems like a tough position to argue that since e.g. the Chicago Tribune doesn't offer subscriptions denominated in Euros, that it isn't offering services ("news") globally.

The only thing that today makes clear is that this law is a mess, and it will take a lot of litigation before anybody really knows what it means.

So you're saying that if I block my site to EU IPs, and someone uses a VPN to look like they're coming from the US and bypass that, they can then sue me under the GDPR? No way.

No, they can't 'sue' you; they can make a complaint to their data authority, who will then decide if and what to do about it. So if your site blocks EU IPs and you then violate the privacy of someone in the EU grossly enough to warrant the data authority making a case out of it, then yes (provided everything else also applies, e.g. the things being talked about in the rest of this thread).

Put it in your TOS that European users are forbidden from using your site, and then if they complain to a data authority, press charges under the CFAA and sue them for damages you incurred due to their violation. Then let the courts hash it out.

Such TOS would most likely be 'unduly onerous' or whatever the local term for this concept is in other EU jurisdictions.

I've said this many times here already, but law is not a closed rule based decision tree. Intent matters, and laws are written in a way that they can be interpreted so that their meaning can be adapted to new circumstances or different times. Now, I'm not going to argue about whether that's how it should be (because that's such a trite 1L discussion), but it's a fact that it is.

So no, that's not how it works.

Unduly onerous to say you're not allowed to access the site if you're in the EU?

So the EU regulators can say my TOS have to allow EU citizens to access my site and my site must follow the GDPR.

That seems unlikely, and the fact that there's so much ambiguity around this is why so many websites are opting to block the EU rather than dealing with it.

In many civil law systems, there are limits to contracts. Sometimes these limits are codified, sometimes they're not. Let's take Dutch law here as an example, because well that's what my degree is in. The Dutch civil code has a list of so-called 'black' and 'gray' clauses in terms and conditions; the black ones are always void, the grey ones sometimes (obviously grossly simplifying here, I'm not going to type a paper on a phone). Many catch-all statements are either black or grey, especially when they are designed to absolve one party from their legal obligations. Nobody is saying anything about requiring you to allow EU citizens. What I'm saying is the GP's plan is an obvious scheme to avoid one's legal obligations, and will be treated as such - and hence won't be a defense or obstacle when an authority goes after a non-compliant processor.

Hence my comment up thread - the law is not a closed system you can program like a code wars game, where if you're clever enough a judge will say 'oh you outsmarted me here because your logic is internally perfectly consistent, have a good day sir'.

> Intent matters

So shouldn't the website's intent to block you from accessing it matter?

That point was part of a general observation. When something 'matters', that doesn't mean there can't be other factors. In this specific case I see no reason why the territorial scope would not extend to processors outside the EU when they monitor user behavior. Taking some limited technical measures to prevent access doesn't absolve them from the law applying to them.

The Cambridge Analytica whistleblower is suing Facebook and Google for incomplete compliance, so yes, you can get sued.

I don't quite understand what you're saying here.

The relevant part of GDPR is Recital 23.

https://gdpr-info.eu/recitals/no-23/

Short version: GDPR does not apply if you happen to collect data on a few EU residents by accident (assuming you're not otherwise based in the EU).

This is only your opinion. It doesn't say that on the page you pasted. To be compliant you probably must clearly state that the service is not for EU residents and ask them to leave. Even that could be too little.

"...the mere accessibility of the controller's, processor's or an intermediary's website in the Union [...] is insufficient to ascertain such intention"

This only applies to sub a (of art 3 para 2). So no, this quote does not confirm your assertion.

If you use a VPN to access a server that doesn't want you to access it, then you are breaking the Computer Fraud and Abuse Act in the United States.

Shouldn't you be the one sent to jail, as you are illegally accessing a computer that you were specifically told not to access?

Maybe. That's entirely orthogonal to the question whether or not the person whose server it is, is affected by the GDPR though.

But if that person could get sent to jail for that, then I don't see why they would file a complaint.

I don't even see in the law whether or why the DPA would disclose the identity of the complainant. Maybe there are procedural situations where it would happen; I haven't really thought about it. I think people are too hung up on a specific person making a complaint. It's the DPA that will take action, probably removed a few steps from the initial complainant(s). This is not Law and Order style legal proceedings.

If they are from a poor EU village, it could be tempting to get into a US jail to learn the language and have free food and a bed.