The way that some organisations have reacted to the GDPR is not only rash but, more importantly, not future-proof; the main reason for these hasty decisions seems to be that organisations were not ready to implement the GDPR.
Taking Chicago Times and LA Times as examples, these news sites likely realised that they were not compliant and panicked, simply putting a sticky plaster in the place they assumed would best shield them from exposure: removing access to their websites for EU residents. But the question is, have they put the sticky plaster in the right place? These organisations have assumed that, by not offering their services to EU residents, the GDPR no longer applies to them. Of course, there is the possibility for US companies to explore Privacy Shield certification, but this takes time, and any organisation seeking such certification has to meet specific criteria.
The key question remains: does this approach even successfully circumvent the applicability of the GDPR? The answer depends in great part on what these organisations are doing with the data of their readers behind the scenes. As part of their strategy of making their services unavailable to EU residents, are they also deleting the data of old EU account holders or other users that they hold? If they are not, they will not be compliant with the GDPR. And what about advertising – have they adjusted their marketing processes to ensure they do not advertise the newspaper itself to EU residents, and do not permit EU residents to place advertisements on their news site and even in the paper version of the newspaper? Have they stopped any ongoing distribution of their papers’ print version in the EU?
Additionally, does the technical process by which these organisations are excluding EU residents from accessing their online services involve the processing of those EU residents’ personal data? Are they doing so by using their subscribers’ or previous users’ cookie information or other personal data to know who and where they are, in order to exclude them, or using geo-blocking technology that recognises and blocks IP addresses based in the EU? In either event, it can be said that the organisation is using personal data to exclude EU residents from services – but this amounts to processing of EU residents’ data, and so the GDPR applies.
The adoption of this exclusionary approach could be damaging to organisations that assume they have resolved their non-compliance problem in this manner, without having done the full analysis. The GDPR is meant to incentivise companies to facilitate individuals’ ability to control how their data is processed – it should not be pushing companies to make hasty decisions that will be detrimental to their business operations. One thing is for certain: privacy considerations aside, excluding the entire EU market is not a sustainable long-term solution to a GDPR non-compliance problem – assuming that this approach is a compliant solution to begin with!
Oana Dolea, GDPR Practice Lead, D2 Legal Technology