This question is about understanding GDPR in relation to non-EU-established companies that are considering their options for protecting themselves against the fines, and that think GDPR is a very aggressive/exaggerated/costly law.
Let us imagine a company which is not established in the EU, has no official relations with any firm in the EU, and has a website which offers its social content and social consultation services in many EU languages like English, French, Italian, German, ..., and also non-EU languages like Arabic, Chinese, .... The company is collecting personal information, there is no profiling, behavior prediction or similar processing happening, and the company does not want to comply with GDPR because it is too much work for the small ratio of visitors accessing the services from within the EU. The question is: is blocking EU IP ranges and denying any services unless the user declares that he is not in the EU at the moment enough for the company to forget about GDPR compliance, provided that the company deleted all the personal data previously collected from EU-located data subjects, which were recognized by IP at the time of collection?
I am mostly interested in the accuracy of using IPs to detect the visitors in our case, while we know that there are many visitors coming from the EU using VPNs, which causes them to be detected as visitors coming from other areas like the USA.
Also, I am interested in knowing if GDPR accepts denying access/services to EU visitors because the company does not want to comply with GDPR law.
Also, what about the personal information EU visitors will send using a VPN and lying when asked to confirm that they are not in the EU at the moment? Is it going to be a valid reason for liability against GDPR?
Also, please, provide guidance for the same imagined company in the following two cases:
1- The company continues collecting only non-sensitive personal data like "email, usernames, full name, ..."
2- The company continues collecting questions or feedback in EU languages, which can naturally contain a lot of sensitive personal information submitted by the visitors voluntarily
I know this is too much, but I think there are a lot of companies in the world that have the same case.
I think you may have misunderstood when and how GDPR becomes applicable. There is indeed an extra-territorial applicability to the GDPR that is triggered if you are offering goods or services to individuals in the Union or if you are monitoring the behavior of individuals in the Union. The mere accessibility of your website by individuals in the Union or use of the languages of one of the Member States in the Union (if the same as the language of your home state) should not by itself make you subject to the Regulation.
However, the following factors are a strong indication that you are offering goods or services to individuals in the Union and so are subject to the Regulation:
- Language - You are using the language of a Member State and that language is not relevant to customers in your home state (e.g. the use of Hungarian by a US website).
- Currency - You are using the currency of a Member State, and that currency is not generally used in your home state (e.g. showing prices in Euros).
- Domain name - Your website has a top level domain name of a Member State (e.g. use of the .de top level domain).
- Delivery to the Union - You will deliver your physical goods to a Member State (e.g. sending products to a postal address in Spain).
- Reference to citizens - You use references to individuals in a Member State to promote your goods and services (e.g. if your website talks about Swedish customers who use your products).
- Customer base - You have a large proportion of customers based in the Union.
- Targeted advertising - You are targeting advertising at individuals in a Member State (e.g. paying for adverts in a newspaper).
In contrast, the following are weaker indications that you are offering goods or services to individuals in the Union:
- you accept payment using a credit card with a billing address in the Union;
- you deliver goods or services electronically to an individual who might be in the Union;
- your internet or email advertising is not targeted at individuals in the Union, but might be seen by them; or
- the telephone numbers on your website have an international prefix.
So before deciding to block EU IPs or delete EU related data, you should consider the above.
There is nothing keeping you from doing IP filtering if you don't want your website to be accessed from IPs in specific parts of the world, including the EU, and as long as you are not aware where the data is coming from (as in the case of a VPN), there is no reason to be liable under the GDPR. You could emphasize that your services are not meant to be used by users in the EU.
Thanks very much for your reply, which gave me some useful information about when a company is considered to be offering its goods/services to the EU.
Yet, the answer is not clear for the case I suggested. I already fully understand that GDPR is extra-territorial, and the case I am talking about is clearly considered offering services to the EU, because the website is offering content and services in so many different EU languages at the same time, especially German, which is not a generally used language except in EU countries. So it cannot be the same language as the home state of the company, because the company is non-EU based, and for that reason it is clear to me that the company is covered under GDPR liability.
The problem is that it is something like tricking the law with a workaround. The website will keep targeting and offering its services to the EU, and it will keep doing marketing to the EU, but at the same time it will force every visitor in the EU to use a VPN service to access its services (exactly as US websites have now caused a huge increase in VPN users after they blocked EU visitors), and it will rely on people to lie when they use its services (which mostly they will do anyway, because they already used a VPN, which is a kind of lie). So the website will continue collecting personal data from EU users, and this personal data will probably be very sensitive because it is about social consultation.
My question: if the website did that, will it be safe from GDPR liability?
To make it even clearer, I just want to emphasize that this website will have new personal data from the EU, and if a data subject asks about their data, the website will reply simply: "We deleted all old data, and we have no new data from the EU". Even the GDPR Supervisory Authorities will not be able to contact the website, nor can ordinary people ask for their GDPR rights for all the newly collected data, and the company can sell the data or do whatever it wants without any fear of GDPR. Is that okay with GDPR?
If you use a VPN to “mask” the IP, and if you are offering goods and services to data subjects in the Union and targeting data subjects in the Union, the GDPR will still be applicable. If you ask me, your so-called workaround will only show Supervisory Authorities that you actually know that the GDPR is applicable and you are just trying to bypass it by forcing EU customers to use false information about themselves. It is like driving a car with a fake license plate.
The same goes for your second question. Of course, you can try to hide the fact that you processed the data or sold the data by telling SAs or data subjects either that you don't hold data or that the data has been deleted. But as you probably know, there is no perfect crime, so at some point you may get caught. Regardless, misleading the SA or the data subjects is, of course, a breach of the GDPR as well as of other legal requirements.
Finally, the purpose of the documents provided by us is to help companies understand and become compliant with the GDPR, not to bypass or cheat their way out of it.
Thank you very much, that is exactly what I was trying to say to some people when they suggested the workaround as an easy escape from GDPR liability, but they asked me to show them some expert advice.
I personally believe they cannot just block the IP without stopping offering services to the EU on all their channels, regardless of whatever else they do, even if they took a declaration from the user that he is not in the EU at the moment.
My reasoning was that if they offer services to the EU and get any identifiable personal information from any EU-based data subject, they will be held responsible under GDPR no matter how that data reached them, as the method is never mentioned in the law itself.
So, now I have my confirmation from you. Thank you very much. And I hope you give me your final agreement on my thinking.
Mr. Andrej, in your first reply you said that if the user is using a VPN and we have no way to know that he is bypassing the block, that is a valid reason to give to the authority; then in your next reply you accept that it is a workaround and is not going to work. Why did your opinion change like this? Are you agreeing with something other than the aforementioned?
In other words, do you still think it's OK for a company to block European traffic to avoid GDPR liability?
It is not the same thing. If you use a VPN just for the sole purpose of trying to bypass the EU GDPR or other such means to cheat your way out of compliance, then this is definitely going to work. However, if you genuinely don't know where your website comes from and you are not knowingly targeting or monitoring individuals in the Union, then you should be bound by the EU GDPR. I hope this is clearer now; please try to read my responses in the right context.