14

I've heard from fairly reliable sources that you can't avoid GDPR by using your website's terms of service as way to circumvent that law. From what I have seen online, if your website serves European users, it must obey that law. However, if a website is based in the US and the terms of service say that the law governing the terms is US law, how can GDPR have any affect? I'm not a lawyer, but I've signed many contracts in my life and nearly all of them have some form of "governing law" clause.

Jim
  • 141
  • 3

3 Answers3

22

However, if a website is based in the US and the terms of service say that the law governing the terms is US law, how can GDPR have any affect?

It is unlikely that the EU will be able to enforce financial penalties against a company with no presence in the EU. But they could for example block your website in the EU, depriving you of your EU user base. The actual measures that they could or would take against such a company are still unclear, since the GDPR is quite new, and there has been no action under the GDPR against foreign companies.

I'm not a lawyer, but I've signed many contracts in my life and nearly all of them have some form of "governing law" clause.

The governing law clause in a contract identifies the law that will be used to interpret the contract and to resolve any disputes arising from the contract. The law identified in the clause does not become the sole law governing every aspect of the relationship between the parties, however.

For example, a business in New Jersey could have a contract with a client in New York with a clause specifying New Jersey law as the governing law of the contract. But that does not mean that New York's consumer protection law doesn't apply to the transaction.

phoog
  • 42,299
  • 5
  • 91
  • 143
12

What you are asking for is, in effect, an "opt out" clause. It might be framed in terms of choice of governing law, but effectively it seeks to opt you out of EU consumer protection laws.

Not surprisingly, most consumer laws just don't allow you to do that.

Otherwise a car seller would simply write onto their contract "If this car has a fault that kills anyone, you agree to hold the seller and maker harmless and not to claim damages for any reason", and similar for anything else - your unsafe or unreliable toaster, your bank transfer that's sent to the wrong place, your "unbreakable" phone that broke the first time you carried it, your unexpected exit charges on a loan or phone contract, and so on.

So consumer protection law generally doesn't permit opting out. (Much the same way as a lot of employment law, you can't just opt out of by putting it in the contract.)

If you flip it around and hypothetically suppose there was a US law and an EU website wanted an opt out, you can see why it wouldn't be fair or work well also. It that were to be legally permitted, one of 2 things may tend to happen - either

  1. many other websites seeking to deprive US citizens of the benefit they would get from that law, would just move overseas and also avoid giving the benefit to US users (and under market pressure others may feel they have to do likewise to compete), or
  2. we end up with a situation where equal US citizens are protected unequally depending on how canny their retailer is, in their hosting.

You can imagine that wouldn't be ideal either way.

But really, its worth understanding why that law is there. After all, its for reasons that affect citizens worldwide.

There has been enough in the press recently, as well as commonsense understandings, to appreciate the possible negative impact on private citizens if their data is mishandled - and that far too often it has been mishandled. Citizens trust you with their data when they visit your site. The GDPR makes clear what current standard of protection and rights they should be able to take for granted without needing to check each website's T&Cs.

Update

Also be aware that in at least some jurisdictions (the UK is one, at least, not sure about other EU countries or US states), there is a law about unfair contract terms to consider as well. The UK version of that law, which is the only one I know well enough to describe, says that if a supplier of tangible goods or of a service, has a standardised contract, and the consumer has to "take it or leave it", then the consumer can ask a court to strike out any term in it on the grounds it is an unfair contract term, essentially one where they had to accept it even though it's unfair and unreasonable, and if the court agrees, the term is replaced (if possible) with a similar but fair term, or (if not) it is struck out. This law isn't actually used very often, but is a very powerful one for addressing unequal bargaining power - think in terms of "whatever Microsoft might put in the Windows T&C" or a rogue payday lender's unfair repayments/interest, or similar. I know the argument that "they don't have to use it if they don't like it", but the reality is some will, and that's enough for an unfair business to profit from; so the law is what it is. A term that forced a person using your terms, to give up their rights as a cost of using the site within its "small print" could well find the clause struck out anyway, although in practice such cases are pretty uncommon.

Stilez
  • 3,219
  • 12
  • 26
2

Imagine you export some goods to Ireland, and you put on the shrink wrap that the governing law of the goods is that of the US (or rather a specific legal country within the US). Your goods are illegal in Ireland because they don't meet Irish and EU safety standards.

Do you get to opt out of Irish law by your shrinkwrap? If not, how is this different from trying to opt your website out of GDPR?

Marcin
  • 128
  • 4