Re: [projectvrm] GUARDIAN: Facebook moves 15 billion users out of reach of GDPR

[Tim Walters < >]

My legal background is not listed on LInkedIn: I took the LSAT exam in 1982. Did pretty well, thank you. ;-)

Rob: Thanks for citing the pertinent passages. And yes, there are always edge cases. (French citizen enrolled in national health care retires to Mexico, etc.) But what we should be concerned about are the fundamentals.

Elliot -- I could be wrong. I'm impressed by the number and variety of your sources that maintain that the GDPR applies to EU citizens.  I would really, really like to hear about how they reason to and justify this claim. (Sounds facetious, but I mean it seriously; obviously I don't want to go about sprouting erroneous interpretations of the GDPR.) 

However, I think it's fair to say that a legal degree is neither necessary to understand the GDPR nor a guarantee of infallibility when interpreting its meaning. So let's dive in!

1. As noted in my article, the word "citizen" does not appear in the regulation. If the GDPR followed EU citizens around the globe like a shield, you'd think that "citizen" ought to appear somewhere in the 261 pages (English PDF).

2. Legally (if I may say so), the EU can legislate only in the EU. In other words, I can't see why the EU would be able to dictate data protection for an EU citizen living in Chicago anymore than they could dictate how that person's salary is taxed in the US. (Tax treaty, sure, but they still need to abide by IRS rules while living in the US.)

3. Point 2 directly relates to the description of the scope in Article 3 (cited by Rob). The critical formulation is "in the Union." Territorially (if that was a word), the GDPR applies 1) to the processing of personal data by companies "established in the Union." (Regardless of where the data subjects are located; this is why Facebook just announced that those 1.5 billion users are going to be shifted to an entity NOT established in the Union.) And it applies 2) to the processing of the personal data of people "in the Union."  (Regardless of whether those people are citizens, or even residents; and regardless of where the company doing the processing is located. This is the "extra-territorial" reach of the GDPR.)

4. Say for the sake of argument that the GDPR does protect EU citizens wherever they are located. As someone smartly pointed out, how would a data controller determine whether the individual visiting their site or property is an EU citizen and therefore due GDPR protection? Practically, how could this determination be made? Evidently, the controller would have to interrogate each incoming visitor and ask them to prove that they are (not) an EU citizen. What could count as proof? Presumably, only a passport or national ID card. So site and property owners would be obligated by the GDPR to demand the presentation of (transmitted scan of) this highly sensitive data? I think we can agree that that is pretty much the opposite of what the regulators aim to achieve. In other words, the GDPR can't be meant to protect EU citizens because there is (evidently) no GDPR compliant manner to determine who is an EU citizen.

Conclusion: Pending evidence to the contrary, I will continue to maintain that the GDPR's scope is determined by geography, not citizenship. And I stress evidence; "Lots of people told me" counts as evidence only in the mind of Donald Trump.

At the risk of embarrassment, I would invite you (Elliot) to submit these four points to your internal or external counsel and report back with their response.

Cheers,

tw

On Thu, Apr 19, 2018 at 6:21 PM, Rob van Eijk < " target="_blank"> > wrote:

I agree that the question about material scope is not an easy question
to answer. There are edge cases. The material scope of the GDPR is
addressed in Article 3 and Recitals 22, 23, 24, and 25. Below I included
the GDPR-text because it contains some interesting details that may be
relevant for the discussion.

Rob


Article 3 sub 1 ("Location of the company"):
This Regulation applies to the processing of personal data in the
context of the activities of an establishment of a controller or a
processor in the Union, regardless of whether the processing takes place
in the Union or not.

Article 3 sub 2 ("Location of the data subject"):
This Regulation applies to the processing of personal data of data
subjects who are in the Union by a controller or processor not
established in the Union, where the processing activities are related to:
    (a) the offering of goods or services, irrespective of whether a
payment of the data subject is required, to such data subjects in the
Union; or
    (b) the monitoring of their behaviour as far as their behaviour
takes place within the Union.

Article 3 sub 3 ("Member state law, even outside of the EU"):
This Regulation applies to the processing of personal data by a
controller not established in the Union, but in a place where Member
State law applies by virtue of public international law.

Recital 22:
Any processing of personal data in the context of the activities of an
establishment of a controller or a processor in the Union should be
carried out in accordance with this Regulation, regardless of whether
the processing itself takes place within the Union. Establishment
implies the effective and real exercise of activity through stable
arrangements. The legal form of such arrangements, whether through a
branch or a subsidiary with a legal personality, is not the determining
factor in that respect.

Recital 23:
In order to ensure that natural persons are not deprived of the
protection to which they are entitled under this Regulation, the
processing of personal data of data subjects who are in the Union by a
controller or a processor not established in the Union should be subject
to this Regulation where the processing activities are related to
offering goods or services to such data subjects irrespective of whether
connected to a payment. In order to determine whether such a controller
or processor is offering goods or services to data subjects who are in
the Union, it should be ascertained whether it is apparent that the
controller or processor envisages offering services to data subjects in
one or more Member States in the Union. Whereas the mere accessibility
of the controller's, processor's or an intermediary's website in the
Union, of an email address or of other contact details, or the use of a
language generally used in the third country where the controller is
established, is insufficient to ascertain such intention, factors such
as the use of a language or a currency generally used in one or more
Member States with the possibility of ordering goods and services in
that other language, or the mentioning of customers or users who are in
the Union, may make it apparent that the controller envisages offering
goods or services to data subjects in the Union.

Recital 24:
The processing of personal data of data subjects who are in the Union by
a controller or processor not established in the Union should also be
subject to this Regulation when it is related to the monitoring of the
behaviour of such data subjects in so far as their behaviour takes place
within the Union.

Recital 25:
Where Member State law applies by virtue of public international law,
this Regulation should also apply to a controller not established in the
Union, such as in a Member State's diplomatic mission or consular post.
In order to determine whether a processing activity can be considered to
monitor the behaviour of data subjects, it should be ascertained whether
natural persons are tracked on the internet including potential
subsequent use of personal data processing techniques which consist of
profiling a natural person, particularly in order to take decisions
concerning her or him or for analysing or predicting her or his personal
preferences, behaviours and attitudes.


Op 19-4-2018 om 17:38 schreef elliot noss:

> Hi Tim,
>
> I took a quick look at your linkedin and did not see a legal background. You may be right. But, that is not the view of our inhouse counsel, our external counsel, two separate legal positions that have been provided (publicly) to ICANN, nor the view of DPAs who have come to successive ICANN meetings.
>
> I would also distinguish (in the example in your article) between an EU citizen passing through the US and an EU citizen living there. If you were responding here to the EU citizen traveling through the airport than I agree and my reference was confusing.
>
> Most importantly, the general approach is that questions like this (and there are MANY) will not be answered dispositively until something is challenged and takes the five years or so that it will take to get to the highest European court. This really requires companies to take a conservative view.
>
> EN
>
>> On Apr 19, 2018, at 10:05 AM, Tim Walters < "> > wrote:
>>
>> Sorry, Elliot, that's not correct. The GDPR does not apply to EU citizens (living outside of the EU). I wrote about it here: https://www.linkedin.com/pulse/three-biggest-lies-gdpr-tim-walters-ph-d-/
>>
>> tw
>>
>> On Thu, Apr 19, 2018 at 3:48 PM, elliot noss < "> > wrote:
>> I cannot imagine how they can do this without massive tax implications. I also think they cannot avoid the “ex-pat European problem” (an eu citizen living in the us is covered).
>>
>> Sent from my iPhone
>>
>>> On Apr 19, 2018, at 9:43 AM, Doc Searls < "> > wrote:
>>>
>>> 1.5, but yeah. That’s pretty much the whole thing, after you subtract out the fake accounts.
>>>
>>> This, of course, is one gigantic hunk of evidence that Facebook gives the opposite of a shit about privacy. Linkedin too. Also the U.S. government, whose oversight of all this resembles something between sleep and death.
>>>
>>> Doc
>>>
>>>> On Apr 19, 2018, at 9:28 AM, Joyce Searls < "> > wrote:
>>>>
>>>> https://www.theguardian.com/technology/2018/apr/19/facebook-moves-15bn-users-out-of-reach-of-new-european-privacy-law
>>