Written by Kurt Wimmer* and Danielle Coffey
As you have undoubtedly read, a new European privacy law will go into effect on May 25, 2018. The General Data Protection Regulation, or GDPR, is the most significant overhaul of EU privacy law in more than twenty years. The GDPR will be a sea-change in EU privacy law for many reasons, including fines that can amount to as much as four percent of a company’s global revenues, an expansion of the so-called “right to be forgotten” and the creation of a new privacy regulatory agency—and a new and more aggressive stance toward jurisdiction over companies outside of Europe. Because of this aggressive new approach, many American publishers are wondering whether the GDPR will apply to them, especially in light of new demands by Google for publishers to collect “consents” from EU users on Google’s behalf.
Before the GDPR, a company with no employees, offices or computer servers in the EU could generally be assured that EU law wouldn’t apply to its activities in the United States. However, the GDPR aspires to go further. It is intended to cover any company, anywhere in the world, that either (1) offers “goods or services” to EU users or (2) “monitors the behavior” of EU data subjects.
Let’s look at those two tests and the recent Google consent-collection requirement, and assess whether U.S. publishers are likely to be covered by European law.
1. “Offering Goods or Services.” Offering “goods or services” isn’t as simple as having a website or mobile application that might be accessed by an EU data subject. The GDPR admits that “mere accessibility” of a digital service from Europe is “insufficient” to confer EU jurisdiction over that service (Recital 23). Instead, a regulator must determine that the digital service “envisages offering services to data subjects in one or more Member States in the Union.” This means that the digital service must actually be targeting European customers, based on factors such as publication in a language of an EU Member State or accepting the Euro or pound (for now, at least) as payment for services. In prior cases, EU courts have established that the factors to be considered include:
- Specifically mentioning that the service is provided to users in an EU Member State;
- Paying search engines to have its website favorably indexed in order to facilitate access by consumers in specific Member States;
- The international nature of the services;
- Whether the service provides local or international telephone numbers as contact information for users; and
- Whether the service uses an EU top-level domain (such as .eu, or country domains such as .fr for France).
In the absence of specific evidence that a service is targeting Europe, the EU should not find jurisdiction under this test.
2. “Monitoring the Behavior.” So far, so good — but what about the broader test of whether a digital service is “monitoring the behavior” of EU data subjects? Do general internet advertising techniques, such as dropping a cookie on a user’s computer or serving an ad based on a device’s identifier, mean that the EU has jurisdiction over you?
The answer to this question should generally be “no.” The GDPR’s recitals provide important guidance on when this test should apply: “In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques, which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” (Recital 24, emphasis added)
For this provision to confer jurisdiction over a publisher, the tracking of behavior and profiling about an EU user must be quite extensive. Only tracking undertaken with the intention of influencing the user based on an analysis and prediction of personal preferences should constitute the sort of tracking that might subject a site to EU jurisdiction. Internet advertising strategies that rely on data that does not contain contact or identifying information of “natural persons,” but might rely on device identifiers, IP addresses, cookies and other privacy-protecting proxies for identifying a particular advertising subject on the Internet would not seem to imply the extensive profiling intended by this provision of the GDPR. Although most major global advertising networks that engage in tracking and profiling believe that the GDPR will apply to them because of more extensive profiling efforts, it seems clear that general Internet advertising techniques undertaken by publishers should not confer jurisdiction over the publishers (as compared to the advertising networks themselves).
In addition, it is often impossible to know with any degree of certainty the country from which an online user is accessing an internet service, particularly if a U.S. publisher has not targeted EU data subjects specifically. For example, a publisher that has not advertised in a European language, used EU domains, specifically targeted advertising toward EU data subjects, or marketed subscriptions to European customers would have a good argument on the facts that it is not “monitoring” EU data subjects.
3. The Impact of Collecting a Consent for Google. All publishers that use a Google advertising network recently received notice that Google will expect publishers to ask any user with an EU Internet protocol (IP) address for “consent” for their personal data to be used to target advertising to them. Under this new request, Google will consider itself a “controller” of the user’s data along with the publisher. Being a “controller” means that Google will be able to “control” that data, including using that data for Google’s own purposes (subject to any contractual limitations a publisher may have in its agreement with Google).
Google has not yet provided language that it expects publishers to include in seeking this “consent” from EU users. Until that language is finalized, we will not know precisely how it will affect the arguments a U.S. publisher may have that GDPR does not apply to the digital services of the publisher seeking the consent for Google. But more generally, a publisher’s collection of a consent on behalf of an advertising network that the publisher does not control should not, without more, concede to European regulators that GDPR should apply to all of the U.S. publisher’s digital activities.
It is, of course, possible that an aggressive EU regulator could look at a publisher’s willingness to serve this sort of consent to a European user as evidence that the publisher knows that it is serving EU users and, indeed, targeting them with EU-specific advertising. Under this broad view, Google is exposing publishers to jurisdictional risk by requiring consent to be gathered, even by U.S. publishers that have no intent at all to target EU users. A publisher can avoid this risk in a number of ways.
First, Google intends to offer an option to publishers to serve only “contextual,” rather than targeted, advertisements to any EU user that happens to show up on a publisher’s site. Contextual advertising is served not on the basis of the personal data of the user, but on the basis of the user’s immediate behavior on the site (such as serving an ad for sporting goods to a reader of a sports story). Again, as of today, we do not have details on how this service would work. But because it would not require the collection or processing of personal data from EU users, it arguably should not result in any jurisdiction being exercised over U.S. publishers as a consequence of its operation.
Second, publishers may avoid this consent by simply blocking EU users entirely, or by not serving any targeted advertising (or any advertising at all) to EU users. This option would, of course, impose significant burdens on publishers, who would be required to write new code and program their digital services in new ways to accomplish it. It also raises practical issues, such as whether publishers can charge European users for advertising-free services without conceding, by offering such a service, EU jurisdiction. Any decision to abandon advertising revenue entirely, of course, implies difficult business considerations, regardless of how small a potential audience is at issue.
* * *
Overall, we believe that U.S. publishers with no interest in targeting EU users should not assume that European privacy law applies to them, or overreact to the passage of the new privacy law in Europe. Laws that have effect outside of their own country (so-called “extraterritorial” laws) are disfavored by courts, particularly when they interfere with local laws that apply to local businesses (in the ways that U.S. federal and state laws already regulate privacy in the United States). At least in the near-term, it seems unlikely that EU regulators will attempt to reach over the Atlantic to try to acquire jurisdiction of publishers with no European operations or aspirations. Of course, we will continue to monitor these issues as they evolve and let the membership know of developments. In the meantime, please don’t hesitate to contact us with questions or concerns that arise.
*Kurt Wimmer is a partner at Covington & Burling LLP, based in Washington, DC. He is the U.S. chair of Covington’s Data Privacy and Cybersecurity practice, and is past chair of the Privacy and Information Security Committee of the American Bar Association’s Antitrust Section. Mr. Wimmer represents major social media companies, global technology companies and multinationals on privacy, cybersecurity and technology law issues. Kurt is qualified as a Certified Information Privacy Professional for Europe (CIPP/E) and the United States (CIPP/US) by the International Association of Privacy Professionals. He focused on EU data protection law in Covington’s London office, where he was managing partner, from 2000 to 2003.