by fenier 1586 days ago
Well, I mean, think of a store which doesn't accept EU payment or ship to EU addresses, nor target EU residents with advertising. You'd be hard pressed to say they service EU residents even if the site was able to be visited by EU residents.

Nowhere in Article 3 does it say anything about "targeting" them; it only says if the "service" is "offered", whether or not payment is required. So in broad interpretation, simply serving a webpage to an EU data subject is an act of processing personal data (IP address) of an EU data subject related to offering them a service (the web page itself). That is as long as it doesn't fall into one of the carve-outs in Article 2: https://gdpr-info.eu/art-2-gdpr/

It could be argued that such an act "falls outside the scope of Union law;" but that seems to be a matter of contention.

I think we have to look at Recitals 23 through 31; they clarify what 'goods and services' mean.

https://gdpr-info.eu/recitals/no-23/

Thank you, that does seem to alleviate some of my concerns as above. I'm not as familiar with EU law; it seems that recitals aren't legally binding equally with the "operative" text. But given the context, it seems unlikely a small blog or web shop that doesn't target EU customers would be in scope.

Recitals play two roles in EU law:

1. They are the legal justification for legislating. The EU is not sovereign, so it cannot legislate of its own accord; the EU must show that the legal powers flow from the treaties. So recitals set out which provisions of the treaties apply, and why the legislators think the law is necessary under them.

2. They are an aid to interpretation; the main body of the law should be read "in the light of" the recitals to understand the legislators' intent and to help ensure there is a consistent application of the law between all of the different courts and tribunals in the EU. These recitals are, of course, not part of the actual legal text and are thus not binding, but they're not inoperative.

They're not legally binding since they're written to be understood as clarifications for the lay-person. I.e., not written in the strict language that courts understand and hence, you might hit edge cases the courts might interpret in ways that you don't expect.

It seems somewhat strange that a company selling a service to EU customers might be in trouble for using Google Fonts in a jurisdiction (e.g. Germany) where there are ways to identify a user by means of IP address [0]; but a weblog that was using Google Fonts might not be, since it's a blog and not a goods-and-services site. Google ends up with the IP address equally in both cases.

[0] https://news.ycombinator.com/item?id=30135264