Transcript of the Video
Good afternoon ladies and gentlemen, Suzanne Dibble here, data protection law expert. I’m coming to you raw and uncut from sunny Dubrovnik, where I'm here all week in meetings on my other business. So I’m managing to fit some videos in around that.
Today, I'm talking to bloggers outside of the EU. So I know there are quite a few American bloggers in the group, and you'll probably come into this group thinking oh my goodness, this sounds a complete nightmare, do I really have to comply with all of this? If only a very small amount of traffic is coming from the EU to your website. So I have done a video on the territorial scope, but I'm going to clarify that and talk about the recitals in a bit more detail, and particularly in the context of blogging.
So if you're not established within the EU, then the regulation applies, where you're processing the personal data of data subject who are within the EU, where the processing is related to one of two things. The first is that you're offering them goods or services, irrespective of whether a payment is required, to data subjects within the EU. Or, you’re monitoring their behavior, in so far as that behavior takes place within the EU.
Now the first thing to note is that if you are established in, and I don't think this applies to US bloggers, but if you are established in the US and you have an establishment within the EU, then GDPR applies in totality. But if you don't have an establishment within the EU, then you have to ask yourself one of those two questions. One, are you offering goods or services, irrespective of whether payment is required, to data subjects within the EU? Or are you monitoring their behavior, as far as that takes place within the EU?
So, we then look to the recitals, which give us a little bit more information on what that actually means. So, I did have it tagged and now the tag has fallen off. Bear with.
Right, here we are, recital 23 for those of you who are interested. So, it says, "In order to determine whether a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union." And it says, "Whereas the mere accessibility of the controller or processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."
So it's not the case that if you have a website that is accessible by people within the Union then GDPR automatically applies. We need to look at whether you are envisaging offering goods or services to people within the Union. And what you would look at there are things like are you using a language that is specific to a country within one of the Member States? So, for example, if you're using French on your website ... Actually, that's not a great example because you've got French in Canada, but if you've got German, for example, on your website, then that's a clear indication that you are envisaging offering services or goods to people in Germany, IE within the Member States within the EU. And you would be caught within... GDPR would apply to you.
Also, if you're charging in a currency that's generally used in one or the Member States. So if for example, you are using pounds as a currency, then that would be an indication of the fact that you are envisaging offering goods and services to people within the Union, or if you actively mention people within your website, a country within the Union. So if you have a blog post that is specifically for people within the UK or within Germany or within Sweden or wherever it might be, then that is again a further example of you envisaging offering services and goods to people within that jurisdiction. They are examples of how it is apparent that you are envisaging offering goods or services to data subjects within the Union.
Now, if you don't do any of that and you just have a website that isn't geo-blocked, so that anybody can access it, and according to your traffic reports you've got, say 2% of people who are coming from within the EU. Then unless there is anything else that would give that ... it would demonstrate that you are envisaging offering services or goods to data subjects within the Union, then that first part of that test wouldn't apply.
The second bit is about monitoring the behavior of data subjects in so far as that behavior takes place in the Union. And in order to ascertain that and whether they are tracked on the internet... Sorry, in order to ascertain whether you're monitoring the behavior, then it should be ascertained whether natural persons are tracked on the internet, including potential subsequent use of personal data processing techniques, which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting his or her personal preferences, behaviors and attitudes.
So if you are using cookies for example for the purpose of behavioral advertising, and you are targeting people within the EU, then on that second test, GDPR will apply. So it's a neither or. So if you're envisaging offering goods or services to people within the EU, then GDPR applies. If you are monitoring the behavior of data subjects within the EU, then GDPR applies. So either one of those occurs, and then GDPR applies.
But purely having a website that people within the EU just happen to stumble across, and then you would not be subject to GDPR. Now if you're using Facebook ads for example to promote your blog and you are including people within the EU within those... when you're setting the geographical limits for those ads, then GDPR would apply. But if you're purely targeting people in the United States and none of the other things that I've mentioned before apply, then GDPR will not apply to you.
So I hope that's clear for you bloggers out there. There has to be this envisaging of offering services or goods, or you're monitoring the behavior of data subjects.
So yeah, so if you are a blogger and you're based in the States, you don't have an establishment within the EU, you're not envisaging offering goods or services to them, and the examples that I gave before about the currency, the language, mentioning those people are indications as to whether you envisage doing that or not. And if you're not monitoring the behavior of data subjects within the Union then GDPR doesn't apply.
So I hope that clarifies for you and gives some of you US bloggers some comfort that possibly GDPR won't apply to you if you fall outside of the things I've mentioned.
Okay, well enjoy your evening. I hope it is as beautiful as mine. I'm not sure actually, it's so bright I'm not sure if you can actually see me or not, which may or may not be a bad thing. But whatever you're doing, have a fantastic time, and got some very exciting news coming up about our GDPR party in central London. So stay posted for that. Take care, guys.