The GDPR, also known as the General Data Protection Regulation, is being rolled out and becomes mandatory starting May 25th, 2018. What exactly is this and how will it affect us all? The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR is the most significant overhaul of EU privacy law in more than twenty years. Why is this happening? Basically, people and companies want the right to choose who has access to their personal data. Because of this aggressive new approach, many American publishers are wondering whether the GDPR will apply to them, especially in light of new demands by Google for publishers to collect “consents” from EU users on Google’s behalf. The answer is yes, this will absolutely apply to us Americans. This could very well hurt the business of marketers trying to build their email list or generate sales.
Before the GDPR, a company with no employees, offices or computer servers in the EU could generally be assured that EU law wouldn’t apply to its activities in the United States. However, the GDPR aspires to go further. It is intended to cover any company, anywhere in the world, that either (1) offers “goods or services” to EU users or (2) “monitors the behavior” of EU data subjects.
Let’s look at those two tests and the recent Google consent-collection requirement, and assess whether U.S. publishers are likely to be covered by European law.
1. “Offering Goods or Services.” Offering “goods or services” isn’t as simple as having a website or mobile application that might be accessed by an EU data subject. The GDPR admits that “mere accessibility” of a digital service from Europe is “insufficient” to confer EU jurisdiction over that service (Recital 23). Instead, a regulator must determine that the digital service “envisages offering services to data subjects in one or more Member States in the Union.” This means that the digital service must actually be targeting European customers, based on factors such as publication in a language of an EU Member State or accepting the Euro or pound (for now, at least) as payment for services. In prior court cases, EU courts have established that the factors that should be considered include:
Specifically mentioning that the service is provided to users in an EU Member State;
Paying search engines to have its website favorably indexed in order to facilitate access by consumers in specific Member States;
The international nature of the services;
Whether the service provides local or international telephone numbers as contact information for users; and
Whether the service uses an EU top-level domain (such as .eu, or country domains such as .fr for France).
In the absence of specific evidence that a service is targeting Europe, the EU should not find jurisdiction under this test.
2. “Monitoring the Behavior.” So far, so good — but what about the broader test of whether a digital service is “monitoring the behavior” of EU data subjects? Do general internet advertising techniques, such as dropping a cookie on a user’s computer or serving an ad based on a device’s identifier, mean that the EU has jurisdiction over you?
The answer to this question should generally be “no.” The GDPR’s recitals provide important guidance on when this test should apply: “In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques, which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” (Recital 24, emphasis added)
For this provision to confer jurisdiction over a publisher, the tracking of behavior and profiling about an EU user must be quite extensive. Only tracking undertaken with the intention of influencing the user based on an analysis and prediction of personal preferences should constitute the sort of tracking that might subject a site to EU jurisdiction. Internet advertising strategies that rely on data that does not contain contact or identifying information of “natural persons,” but might rely on device identifiers, IP addresses, cookies and other privacy-protecting proxies for identifying a particular advertising subject on the Internet would not seem to imply the extensive profiling intended by this provision of the GDPR. Although most major global advertising networks that engage in tracking and profiling believe that the GDPR will apply to them because of more extensive profiling efforts, it seems clear that general Internet advertising techniques undertaken by publishers should not confer jurisdiction over the publishers (as compared to the advertising networks themselves).
In addition, it is often impossible to know with any degree of certainty the country from which an online user is accessing an internet service, particularly if a U.S. publisher has not targeted EU data subjects specifically, for example by advertising in a European language, using EU domains, specifically targeting advertising toward EU data subjects, or marketing subscriptions to European customers. Such a publisher would have a good argument on the facts that it is not “monitoring” EU data subjects.
The Impact of Collecting a Consent for Google. All publishers that use a Google advertising network recently received notice that Google will expect publishers to ask any user with an EU Internet protocol (IP) address for “consent” for their personal data to be used to target advertising to them. Under this new request, Google will consider itself a “controller” of the user’s data along with the publisher. Being a “controller” means that Google will be able to “control” that data, including using that data for Google’s own purposes (subject to any contractual limitations a publisher may have in its agreement with Google).
Google has not yet provided language that it expects publishers to include in seeking this “consent” from EU users. Until that language is finalized, we will not know precisely how it will affect the arguments a U.S. publisher may have that GDPR does not apply to the digital services of the publisher seeking the consent for Google. But more generally, a publisher’s collection of a consent on behalf of an advertising network that the publisher does not control should not, without more, concede to European regulators that GDPR should apply to all of the U.S. publisher’s digital activities.
It is, of course, possible that an aggressive EU regulator could look at a publisher’s willingness to serve this sort of consent to a European user as evidence that the publisher knows that it is serving EU users and, indeed, targeting them with EU-specific advertising. Under this broad view, Google is exposing publishers to jurisdictional risk by requiring consent to be gathered, even by U.S. publishers that have no intent at all to target EU users. A publisher can avoid this risk in a number of ways.
First, Google intends to offer an option to publishers to serve only “contextual,” rather than targeted, advertisements to any EU user that happens to show up on a publisher’s site. Contextual advertising is served not on the basis of the personal data of the user, but on the basis of the user’s immediate behavior on the site (such as serving an ad for sporting goods to a reader of a sports story). Again, as of today, we do not have details on how this service would work. But because it would not require the collection or processing of personal data from EU users, it arguably should not result in any jurisdiction being exercised over U.S. publishers as a consequence of its operation.
Second, publishers may avoid this consent by simply blocking EU users entirely, or by not serving any targeted advertising (or any advertising at all) to EU users. This option would, of course, impose significant burdens on publishers, who would be required to write new code and program their digital services in new ways to accomplish it. It also raises practical issues, such as whether publishers can charge European users for advertising-free services without conceding, by offering such a service, EU jurisdiction. Any decision to abandon advertising revenue entirely, of course, implies difficult business considerations, regardless of how small a potential audience is at issue.