Related point: if you're intending to get out of GDPR, blocking the EU doesn't really help, because the law applies on the basis of citizenship, not territory. If an EU citizen accesses your website in America, that's still within GDPR scope. If you have EU business assets, ship things to the EU, or have any other ties to the EU, then they still have jurisdiction and you certainly still have to comply with GDPR.
And the GDPR is a way, way more sensible law than whatever the UK is trying to do here. Nobody will comply and nobody will care; it's only going to hurt UK citizens and the UK's economy.
I care about privacy and really like what the EU has passed with the GDPR and DSA, but unfortunately we will have countries that do stupid things like this. Hopefully they aren't that important so no one complies.
No, that's not correct. You have to be clearly intending to (not just incidentally happening to) offer goods or services to an EU data subject.
> ship things to the EU
This wouldn't be enough to make the GDPR applicable. You'd have to be specifically targeting EU customers in some way, such as allowing users to pay in euros - not just incidentally selling some stuff to folks who live in the EU. Your other examples (such as having EU business assets) hold because they would make you an EU entity.
The other is when you are processing personal data of EU data subjects that is related to "the monitoring of their behaviour as far as their behaviour takes place within the Union".
There's a recital that adds:
> In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
Unlike the recital that explains the goods and services case, which talks about it only applying if you envisage offering goods and services in the Union as opposed to your site merely being accessible from the Union, the monitoring case doesn't seem to have any requirement that you are intending to monitor EU data subjects.
That's pretty broad as written. From what the recital says, it even applies if you are gathering data that could be used for profiling, even if you are not actually currently profiling.
As noted in the article at gdpr.eu that a parallel commenter cited:
> If your organization uses web tools that allow you to track cookies or the IP addresses of people who visit your website from EU countries, then you fall under the scope of the GDPR. Practically speaking, it’s unclear how strictly this provision will be interpreted or how brazenly it will be enforced. Suppose you run a golf course in Manitoba focused exclusively on your local area, but sometimes people in France stumble across your site. Would you find yourself in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data.
Argh, why won't this misinformation die? You are completely, utterly, 100% wrong.
The GDPR applies if either the data controller is established in the EU or the data subject is physically in the EU.
Article 3 (territorial scope) is incredibly short, read it: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:...
No, it doesn't. Depends on location only. A US, or any other, citizen is protected by GDPR when they access the web from within the EU.