I forgot the most compelling piece of evidence for my position (i.e., that the GDPR is not concerned with EU citizens). I put this question to Jan Philipp Albrecht, so-called father of the GDPR, at an event in Berlin in February. He not only confirmed that citizenship does not play a role in the determination of the scope; he also looked at me like I was crazy for even entertaining the idea.
Cheers,
tw
On Thu, Apr 19, 2018 at 8:37 PM, Tim Walters wrote:
My legal background is not listed on LinkedIn: I took the LSAT exam
in 1982. Did pretty well, thank you. ;-)
Rob: Thanks for citing the pertinent passages. And yes, there are
always edge cases. (French citizen enrolled in national health care
retires to Mexico, etc.) But what we should be concerned about are
the fundamentals.
Elliot -- I could be wrong. I'm impressed by the number and variety
of your sources that maintain that the GDPR applies to EU citizens.
I would really, really like to hear about how they reason to and
justify this claim. (Sounds facetious, but I mean it seriously;
obviously I don't want to go about spouting erroneous
interpretations of the GDPR.)
However, I think it's fair to say that a legal degree is neither
necessary to understand the GDPR nor a guarantee of infallibility
when interpreting its meaning. So let's dive in!
1. As noted in my article, the word "citizen" does not appear in the
regulation. If the GDPR followed EU citizens around the globe like a
shield, you'd think that "citizen" ought to appear somewhere in the
261 pages (English PDF).
2. Legally (if I may say so), the EU can legislate only in the EU.
In other words, I can't see why the EU would be able to dictate data
protection for an EU citizen living in Chicago any more than they
could dictate how that person's salary is taxed in the US. (Tax
treaty, sure, but they still need to abide by IRS rules while living
in the US.)
3. Point 2 directly relates to the description of the scope in
Article 3 (cited by Rob). The critical formulation is "in the
Union." Territorially (if that was a word), the GDPR applies 1) to
the processing of personal data by /companies/ "established in the
Union." (Regardless of where the data subjects are located; this is
why Facebook just announced that those 1.5 billion users are going
to be shifted to an entity NOT established in the Union.) And it
applies 2) to the processing of the personal data of /people/ "in
the Union." (Regardless of whether those people are citizens, or
even residents; and regardless of where the company doing the
processing is located. This is the "extra-territorial" reach of the
GDPR.)
4. Say for the sake of argument that the GDPR does protect EU
citizens wherever they are located. As someone smartly pointed out,
how would a data controller determine whether the individual
visiting their site or property is an EU citizen and therefore due
GDPR protection? Practically, how could this determination be made?
Evidently, the controller would have to interrogate each incoming
visitor and ask them to prove that they are (not) an EU citizen.
What could count as proof? Presumably, only a passport or national
ID card. So site and property owners would be obligated by the GDPR
to demand the presentation of (transmitted scan of) this highly
sensitive data? I think we can agree that that is pretty much the
opposite of what the regulators aim to achieve. In other words, the
GDPR can't be meant to protect EU citizens because there is
(evidently) no GDPR compliant manner to determine who is an EU citizen.
Conclusion: Pending evidence to the contrary, I will continue to
maintain that the GDPR's scope is determined by geography, not
citizenship. And I stress /evidence/; "Lots of people told me"
counts as evidence only in the mind of Donald Trump.
At the risk of embarrassment, I would invite you (Elliot) to submit
these four points to your internal or external counsel and report
back with their response.
Cheers,
tw
On Thu, Apr 19, 2018 at 6:21 PM, Rob van Eijk wrote:
I agree that the question about material scope is not an easy
question to answer. There are edge cases. The material scope of the
GDPR is addressed in Article 3 and Recitals 22, 23, 24, and 25.
Below I included the GDPR-text because it contains some interesting
details that may be relevant for the discussion.
Rob
Article 3 sub 1 ("Location of the company"):
This Regulation applies to the processing of personal data in the
context of the activities of an establishment of a controller or a
processor in the Union, regardless of whether the processing takes
place in the Union or not.
Article 3 sub 2 ("Location of the data subject"):
This Regulation applies to the processing of personal data of data
subjects who are in the Union by a controller or processor not
established in the Union, where the processing activities are
related to:
(a) the offering of goods or services, irrespective of whether a
payment of the data subject is required, to such data subjects in
the Union; or
(b) the monitoring of their behaviour as far as their behaviour
takes place within the Union.
Article 3 sub 3 ("Member state law, even outside of the EU"):
This Regulation applies to the processing of personal data by a
controller not established in the Union, but in a place where Member
State law applies by virtue of public international law.
Recital 22:
Any processing of personal data in the context of the activities of
an establishment of a controller or a processor in the Union should
be carried out in accordance with this Regulation, regardless of
whether the processing itself takes place within the Union.
Establishment implies the effective and real exercise of activity
through stable arrangements. The legal form of such arrangements,
whether through a branch or a subsidiary with a legal personality,
is not the determining factor in that respect.
Recital 23:
In order to ensure that natural persons are not deprived of the
protection to which they are entitled under this Regulation, the
processing of personal data of data subjects who are in the Union by
a controller or a processor not established in the Union should be
subject to this Regulation where the processing activities are
related to offering goods or services to such data subjects
irrespective of whether connected to a payment. In order to
determine whether such a controller or processor is offering goods
or services to data subjects who are in the Union, it should be
ascertained whether it is apparent that the controller or processor
envisages offering services to data subjects in one or more Member
States in the Union. Whereas the mere accessibility of the
controller's, processor's or an intermediary's website in the Union,
of an email address or of other contact details, or the use of a
language generally used in the third country where the controller is
established, is insufficient to ascertain such intention, factors
such as the use of a language or a currency generally used in one or
more Member States with the possibility of ordering goods and
services in that other language, or the mentioning of customers or
users who are in the Union, may make it apparent that the controller
envisages offering goods or services to data subjects in the Union.
Recital 24:
The processing of personal data of data subjects who are in the
Union by a controller or processor not established in the Union
should also be subject to this Regulation when it is related to the
monitoring of the behaviour of such data subjects in so far as their
behaviour takes place within the Union.
Recital 25:
Where Member State law applies by virtue of public international
law, this Regulation should also apply to a controller not
established in the Union, such as in a Member State's diplomatic
mission or consular post.
In order to determine whether a processing activity can be
considered to monitor the behaviour of data subjects, it should be
ascertained whether natural persons are tracked on the internet
including potential subsequent use of personal data processing
techniques which consist of profiling a natural person, particularly
in order to take decisions concerning her or him or for analysing or
predicting her or his personal preferences, behaviours and
attitudes.
On 19-4-2018 at 17:38, elliot noss wrote:
> Hi Tim,
>
> I took a quick look at your linkedin and did not see a legal
> background. You may be right. But, that is not the view of our
> inhouse counsel, our external counsel, two separate legal
> positions that have been provided (publicly) to ICANN, nor the
> view of DPAs who have come to successive ICANN meetings.
>
> I would also distinguish (in the example in your article)
> between an EU citizen passing through the US and an EU citizen
> living there. If you were responding here to the EU citizen
> traveling through the airport then I agree and my reference was
> confusing.
>
> Most importantly, the general approach is that questions like
> this (and there are MANY) will not be answered dispositively
> until something is challenged and takes the five years or so
> that it will take to get to the highest European court. This
> really requires companies to take a conservative view.
>
> EN
>
>> On Apr 19, 2018, at 10:05 AM, Tim Walters wrote:
>>
>> Sorry, Elliot, that's not correct. The GDPR does not apply
>> to EU citizens (living outside of the EU). I wrote about it
>> here:
>> https://www.linkedin.com/pulse/three-biggest-lies-gdpr-tim-walters-ph-d-/
>>
>> tw
>>
>> On Thu, Apr 19, 2018 at 3:48 PM, elliot noss wrote:
>> I cannot imagine how they can do this without massive tax
>> implications. I also think they cannot avoid the “ex-pat
>> European problem” (an eu citizen living in the us is covered).
>>
>> Sent from my iPhone
>>
>>> On Apr 19, 2018, at 9:43 AM, Doc Searls wrote:
>>>
>>> 1.5, but yeah. That’s pretty much the whole thing, after
>>> you subtract out the fake accounts.
>>>
>>> This, of course, is one gigantic hunk of evidence that
>>> Facebook gives the opposite of a shit about privacy. Linkedin
>>> too. Also the U.S. government, whose oversight of all this
>>> resembles something between sleep and death.
>>>
>>> Doc
>>>
>>>> On Apr 19, 2018, at 9:28 AM, Joyce Searls wrote:
>>>>
>>>> https://www.theguardian.com/technology/2018/apr/19/facebook-moves-15bn-users-out-of-reach-of-new-european-privacy-law