11

The context of my question comes from this comment:

The problem with solving GDPR compliance with country codes is, it is not in general sufficient to determine if a user is covered by the GDPR. The GDPR requires you to comply with certain practices for data pertaining to people who are citizens or residents of EU countries. It doesn't specify that you only have to comply if their computer or IP address reports an EU country code. I as a European permanent resident could be using a US computer terminal at an internet cafe at the moment to log in to an account. That doesn't automatically mean my data aren't protected by the GDPR.

To give even more context, until I read this, I was under the impression that "GDPR banners" only need to be presented to users within the European Union/within regions with GDPR laws. Here is my reply to their comment:

I'm really surprised to hear this. The GDPR FAQ (is this official?) says it applies to "anyone in EU territory." Their What is GDPR page says it applies to organizations that "target or collect data related to people in the EU." Cookiebot charges extra to conditionally show their banner based off of location (maybe that's only [useful] for CCPA). Do you have an official source for your statement?

Is their interpretation correct?

I want to know the technically correct answer and the "in practice" answer; bear with me on this example of the difference (if this is super confusing, please ignore it. My main question is the previous paragraph):

Let's suppose I'm technically correct and I only have to show banners to people in GDPR regions. VPNs could hypothetically make that irrelevant because VPNs can change your IP address, allowing someone physically in the EU to have an IP address of someone outside the EU. If I need to present these VPN users with a banner, I have no choice but to show the banner to everyone: I'll have no way of knowing what region their IP address comes from.

Let's suppose the company of the website is in California.

Daniel Kaplan
  • 271
  • 2
  • 7

4 Answers

27

Your VPN scenario is the reason why you have to show the banner to everyone. If you somehow knew beyond any doubt that someone was not in the EU, then you would not have to show a banner, but because you can't verify that, you should always show the banner.

Doing so also protects against accidentally violating a similar law in another country; the GDPR is the best-known privacy law, but it is far from the only one.

Finally, there are non-legal reasons to show it for everyone. It's good practice to ask for people's permission before collecting their information even if it isn't mandatory. Many people in jurisdictions without strict privacy laws still appreciate having the choice to have sites collect less data, and once you've done the work to offer it where it's needed, you don't have to do anything more to show it for everyone; in fact, it's easier to give everyone the option since you don't have to worry about where users are.

Someone
  • 17,523
  • 13
  • 96
  • 197
14

The answer by user Someone is correct: the GDPR applies to data associated with anyone physically in the EU, UK, or other places with a GDPR law. The comment quoted in the question is incorrect on this point: citizenship is irrelevant to the GDPR. An EU citizen connecting while physically located in the US is not covered for that session.

But there are other conditions not mentioned in the answer by Someone. According to Article 3 of the GDPR, it applies only if the Data Controller (DC) "offers goods or services" with the EU (or UK or other relevant region) or "monitors the behavior" of natural persons in the EU or UK (or other relevant region, I will just write EU for the rest of this answer). That is interpreted to mean that the DC advertised in the EU, or presented pages in an EU language different from that in the DC's country, or otherwise showed intent to appeal to EU residents. Merely being accessible from the EU does not constitute "targeting". So a DC that makes no effort to appeal to EU residents is probably not covered by the GDPR.

But Someone was correct that it is good practice to ask all users for consent. In addition to the GDPR, there is the CCPA which applies to data collected from or about any resident of California, wherever that resident is currently located. There are somewhat similar laws in Colorado and several other US states, mostly newer and less publicized than the GDPR. One of these laws might well apply when the GDPR does not. Certainly one cannot reliably determine whether the GDPR applies to a particular site visitor based on the IP address used, and the GDPR cares only about the visitor's physical location, not the IP address.

Brandin
  • 136
  • 1
  • 7
David Siegel
  • 115,406
  • 10
  • 215
  • 408
2

You said, in a comment, that you may be asking the wrong question. I think a better way to put it would be that your question is based on a confusion that is extremely common, so it deserves a clear answer.

From a European perspective, there are two different pieces of legislation at work.

(Rather than link directly to the legislation, I have linked to the Wikipedia pages from where you can find the legislation if you need it)

ePrivacy

The popup banners you see are aimed at compliance with Article 5(3) of the ePrivacy directive.

What the ePrivacy directive says

Article 5 begins:

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.

Cookies count as storing information on the equipment of a user, and requesting cookies counts as "gaining access". The default rule is that you may not do this without informed prior consent by the user.

There is an exception for essential cookies:

This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

Here "essential" really means what it says. Google Analytics, while useful, really isn't essential and so any use of it had better obtain prior consent. The ePrivacy directive imports its definition of "consent" from the GDPR, so they mean the same thing (see recital 17).

By the way, for a long time you used to see "we care about your privacy" style popups that would allow you to say "yes" but if you wanted to say "no" you had to go through and select the cookies you did not want. This breaks a general rule of GDPR consent that consent should be as easy to refuse as to give. "Yes" and "no" should be the same level of work.

Where does this apply?

So, now to the question I think you are asking. Where does this apply? The directive itself does not give us much detail. It says (in article 3):

This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices.

I have emboldened the most crucial part.

Clearly, you have to at least have an electronic communications service and it must be available over a public communications network in the EU ("the Community"). But does that apply if my website just happens to be visible in the EU?

As far as I know, there's no direct authority on this point - in other words no case law. The European Data Protection Board ("EDPB"), whose job it is to oversee the GDPR, have given it some thought - see Internal EDPB Document 04/2021 on criteria of territorial competence of supervisory authorities to enforce Article 5(3) of the ePrivacy Directive. Their view is that it may depend on the law of the nation state in question (eg German law might come to a different decision than French law).

The proposed ePrivacy Regulation would clarify all this to some extent, though arguably in a more Draconian fashion. If this answer hangs around for a few years, that will become relevant.

In short: it is not particularly clear. If a service targets people in the EU as customers, I suspect that would fall within the directive. Otherwise I am not sure.

GDPR

Where does the GDPR apply?

The GDPR does have clear rules on jurisdiction. If you process personal data - where "process" includes storage etc - then there are four ways that you can come within the scope of the GDPR:

  • That processing happens "within the context" of an establishment in the EU. For example, you have a subsidiary with offices there which sells advertising that appears on your website (to pick an example from Google Spain). This possibility does not depend on where the data subjects are or whether they are European or not.
  • If a controller isn't established in the EU, but offers goods or services to data subjects in the EU.
  • If a controller isn't established in the EU, but monitors the behaviour of data subjects in the EU.
  • If a controller, rather than being in the EU, is somewhere that the law of a member state applies as a matter of International Law (eg a ship or perhaps a spacecraft under the Outer Space Treaty).

Do I need a consent banner under the GDPR?

Other than for ePrivacy compliance? No.

Well, to be pedantic, it might be possible to conceive of some such situation, but it would be very unlikely to happen in practice.

To amplify, the GDPR imposes a number of conditions on processing. One of these is that a controller must process "lawfully".

"Lawfully" obviously includes "not breaking the law", so if you breach the ePrivacy directive by not putting up a cookie banner and those cookies are also personal data, which would be common, then you also infringe the GDPR.

But the GDPR also says that "lawfully" includes a requirement to have what is known as a "lawful basis" for processing. Article 6 provides a short list of these.

One of these is "consent". The GDPR strongly discourages over-reliance on consent. For example, consent must be properly informed; and it must be freely given. This is very different from life under the data protection directive and I have spent a lot of time since 2018 (when the GDPR came into force) explaining to clients that they could not, or should not, try to use consent as their lawful basis.

The two bases that usually apply are one that involves a contract between the data subject and the controller (if a controller contracts to supply a service to a data subject, that will involve processing personal data and will be lawful provided it is necessary) and a catch-all "legitimate interest". Google successfully relied on "legitimate interest" in the Google Spain case.

The thing is that a banner can just about allow someone to meaningfully decide whether they want non-essential cookies or not, though it can be tough to get that right, but not the complex processing that is typical in a more complicated relationship. Sure, you can point to a privacy notice or set of terms, but they are unlikely to be read or studied at the point when you need consent, even if data subjects can (and trust me they do) go back and read them later.

And "you may not use our service unless you consent..." does not sound like consent. Any "or else" works against the freedom of consent. This is why GDPR consent banners are (1) almost certainly useless and (2) almost never used. I have certainly never seen one.

Francis Davey
  • 404
  • 2
  • 9
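As an added illustration (not part of Francis Davey's answer or any library's code), the Article 5(3) rule described above expressed as a server-side cookie gate: nothing non-essential is set or read unless a valid consent record already exists, refusal is the default, and the banner is shown to every visitor without such a record regardless of where their IP address appears to be. The cookie names, category names and the JSON shape of the consent record are assumptions made for the example.

```javascript
// Added illustration of the ePrivacy Article 5(3) rule: nothing is stored on or
// read from the user's device unless strictly necessary or already consented to.
// Cookie names, categories and the consent record format are assumptions.

const COOKIE_CATALOGUE = {
  session_id: 'essential',    // needed to provide the service the user requested
  consent_state: 'essential', // the consent record itself
  _ga: 'analytics',           // Google Analytics: useful but not essential
};

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Absent, malformed or negative consent all mean "no": refusal is the default.
function readConsent(cookies) {
  let parsed = null;
  try { parsed = JSON.parse(cookies.consent_state || 'null'); } catch (e) { /* no consent */ }
  const ok = !!parsed && typeof parsed === 'object';
  return { decided: ok, analytics: ok && parsed.analytics === true, marketing: ok && parsed.marketing === true };
}

// May this cookie be set or read given the recorded consent?
function cookieAllowed(name, consent) {
  const category = COOKIE_CATALOGUE[name];
  if (category === 'essential') return true;
  if (category === undefined) return false; // unknown cookies are blocked by default
  return consent[category] === true;
}

// Filter the cookies a page wants to set. The banner goes to everyone without a
// valid consent record; IP-derived location plays no part in the decision.
function filterSetCookies(cookieHeader, wanted) {
  const cookies = parseCookieHeader(cookieHeader);
  const consent = readConsent(cookies);
  return {
    allowed: wanted.filter((n) => cookieAllowed(n, consent)),
    blocked: wanted.filter((n) => !cookieAllowed(n, consent)),
    showBanner: !consent.decided,
  };
}
```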
0

Depends on your own location

The first question is about your own location. If you (as a data controller or processor) are located within the EU, then the GDPR applies to any and all processing of personal data you do, no matter who the data subject is.

If you are located outside of the EU then the relevant part of the GDPR is Article 3.2 about territorial scope:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

So if the section applies (i.e. you're offering goods or services to or monitoring the behavior of these people) then the key criterion is whether these people are "in the Union". IP address might be a way to establish that; however, you may have more relevant information (e.g. the address of the user or a self-indicated location), in which case you should respect that even if the IP address is located outside of the EU.

Peteris
  • 2,218
  • 16
  • 17