undefined | Better HN

0 points_m7bj6y ago0 comments

>I imagine they get a pretty low amount of EU traffic, and so went for the least effort path to deal with GDPR.

But they haven't actually dealt with it. This is a common misunderstanding among websites that do this.

EU citizens are not required to identify themselves to you preemptively for GDPR to apply. If I connect to their website via a US VPN and they start tracking me without asking my consent assuming I'm from the US, that's a violation of GDPR.

So, in reality, there are two cases here:

1. They do not operate under EU jurisdiction, and thus might as well not have bothered making the EU specific page since the EU has no leverage over them any more than china can force them to take down articles that paint the chinese government in a negative light.

2. They do operate under EU jurisdiction, in which case their EU specific website is not in and of itself enough to handle their GDPR liability. Regardless on your opinion on VPNs, they must still for example nominate a specific data protection officer if they fall under EU jurisdiction.

I suspect that at least some of the websites with EU specific experiences know that the EU experience legally speaking doesn't achieve anything and are attempting to use them as a protest movement disguised as a self-righteous compliance effort. A whole bunch of other websites then didn't do their homework and are blindly hopping on the bandwagon.

The funny thing is the whole thing is backfiring, since a common reaction is "the EU experience is really nice I wish it was like this for americans as well".

0 comments

tzs6y ago

Article 37 says that a DPO is needed if the controller and processor (a) is a public authority or body (except for courts), (b) their core activities require regular and systematic monitoring of data subjects on a large scale, or (c) their core activities include processing on a large scale of special categories of data from Article 9 or data related to criminal convictions and offences referred to in Article 10.

It sounds like their EU site would not fall under any of those.

Their US site might, but their US site seems like it would be out of scope for GDPR according to Article 3, because it is not offering goods or services to data subjects in the Union.

_m7bjOP6y ago

In fairness, you're probably right about them not requiring a DPO. I thought that was required for any organization over a certain size, but it seems it's required for any sized organization that tracks people with a certain amount of enthusiasm. A court would have to determine if they meet that criteria, I guess.

However, with response to this:

>but their US site seems like it would be out of scope for GDPR according to Article 3, because it is not offering goods or services to data subjects in the Union.

You're referring to Article 3.a. The argument on whether the US site is offering services to EU citizens if it does not take active steps to forbid VPNs or place "are you currently in the EU?" gates in place is something only a court could rule on.

However, more importantly, you're skipping over 3.b.

>the monitoring of their behaviour as far as their behaviour takes place within the Union.

That's unquestionably happening for anyone in the EU that uses a VPN to connect to their US website. Hence, their GDPR obligation is not discharged if they are under EU jurisdiction.

The GDPR does not lay out a set of ways to handle EU citizen data. If you ctrl-f search "citizen" in the GDPR document[1] you'll get no hits. It lays out the way /companies are expected to handle personal data/. Americans may not realise this, but they have the right under EU law to file GDPR requests against EU companies. They may even be able to file them against American companies, although which companies are or are not in scope gets complex at that point and I really don't know enough about who is incorporated or has subsidiaries where to know which companies that would work against if it came down to lawyers in courtrooms.

The point is, if a company falls under the territorial scope, they have to extend GDPR rights to /everyone/, because it's not about who you're allowed to track, it's about how you're allowed to use tracking technologies.

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...

j / k navigate · click thread line to collapse