GDPR: Roadblocks on the Information Superhighway
We are privileged to host this guest post by David Flint from MacRoberts LLP, a law firm based in the UK. David Flint is Senior Partner of the firm and a partner in its Intellectual Property, Technology and Commercial Group.
Few businesses in the United States can fail to have become aware of the EU’s General Data Protection Regulation (“GDPR”, Regulation (EU) 2016/679 of 27 April 2016), which entered into force on 25 May 2016 and applied from 25 May 2018. The Regulation consolidated and harmonised the data protection rules relating to the personal data of people in the EEA and to data processed there.
It relates to:
- personal data of data subjects in the EU;
- data in connection with the activities of a controller or processor in the EU, irrespective of where the processing occurs;
- processing of any personal data (including US data) if the processing takes place in the EU;
- processing of personal data of EU data subjects relating to the offering of goods and services to such data subjects in the EU;
- monitoring of the behaviour of EU data subjects, as far as their behaviour takes place in the EU.
Many US businesses have been spooked by the possible penalties for breach of the GDPR (up to €20m or 4% of turnover), but this seems to overlook the true risk to businesses. GDPR has moved to a very much risk-based compliance regime, and national enforcement authorities have made it clear that what they expect is for a business to behave responsibly – and that really means just telling data subjects what data you are gathering and what you are going to do with it, and then doing what you say. These are not new concepts for US businesses, which would face similar issues with the FTC and State Attorneys General. So why then have over 1120 websites decided to geo-block EU visitors from finding out what is happening in places as far apart as Anchorage and Yuma? Unless a business is engaged in egregious behaviour on a large scale (perhaps Cambridge Analytica, Equifax and their like), the real prospect of the EU authorities pursuing the Yuma Sun is surely small, and there are serious downsides for the website, its advertisers and local people.
If I were visiting Yuma (and why not?), maybe I would like to plan my stay, my hotel and my restaurant, and if I can’t read the Yuma Sun website, all those local businesses will miss my custom. Really, what “personal data” is going to be processed by my visit? My IP address perhaps (and how useful will that be), but anything else only if I provide it; hardly likely to be large-scale processing. Have a look at Article 27(2) to see the type of behaviour by non-EU processors which is likely to attract attention.
Yes, GDPR will apply to you if you deal with the personal data of EU data subjects, but realistically, provided you act properly and look after the data, the risk is probably minimal and the cost is likely to be less than the business and goodwill lost from geo-blocking (unless you are a major infringer).
As an aside, with the upcoming California Consumer Privacy Act of 2018, are you going to geo-block Californians as well?
So the message is clear: tell visitors what you are collecting, why, and where it is being shared. That is not an expensive process, and it is more straightforward than complicated software blocks.
For Further Information Contact:
David Flint, Tel: +44 141 303 1100