Should non-EU websites ban EU visitors under the GDPR?

On 2018 May 25, Europe's General Data Protection Regulation (GDPR) will start being enforced. The GDPR defines strict rules on how personal data should be handled. It is truly a privacy regulation designed for modern times in which privacy concerns run rampant.

But there is a lot of fear and controversy about the GDPR, not only from EU citizen but also from people worldwide. This is because EU declares that even companies outside the EU, who process personal data about EU citizen, must comply to the GDPR as well. GDPR concepts such as "the right to be forgotten" has spawned a lot of heated debate on the Internet about whether these concepts are a good thing at all. Combined with hefty fines that can go up to 4% of worldwide revenue or 40 million EUR (whichever is higher), as well as compliance overhead, is it a good idea for non-EU companies to simply ban all EU visitors from accessing their websites?

No

Betteridge's law of headlines applies. The answer is "no". There is a lot of scaremongering on the Internet about GDPR. Some people on Hacker News honestly spoke about banning EU visitors just in case. I am currently reading Handbook GDPR, Compliance in practice (Dutch: Handboek AVG, Compliance in de praktijk), written by Arnoud Engelfriet & co, a prominent Dutch IT lawyer who works at the law work ICTRecht. With this article – backed by the powers of aforementioned book – I hope to put some fears to rest.

Handboek avg compliance in de praktijk website
Handbook GDPR, Compliance in practice,
by Arnoud Engelfriet & co of Dutch IT law company ICTRecht

Fines are meant to encourage good behavior

The biggest fears revolve around hefty GDPR fines. It is important to understand that GDPR fines serve a purpose. They are meant to stimulate good behavior, rather than as heavy punishments. The fines are also meant to be reasonable and in proportion to the offense (neither too light nor too heavy), as well as meant to set an example for others. Source: page 9-11.

The United Kingdom's Information Commissioner's Office claimed a similar thing in GDPR – sorting the fact from the fiction:

"It's scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.

The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.

[…] we intend to use those powers proportionately and judiciously."

Does the GDPR apply to non-EU companies?

Maybe, it depends. I know that some people find it ridiculous that an EU law can apply to companies in countries where they have no jurisdiction, and some people even see it as a continuation of European colonialism. This is understandable, but consider the following.

The Internet has made borders blurry. A company can be physically located in one location, but may serve customers from another location. This is a continuum. On one side, you have for example a Canadian web shop that simply accepts orders world-wide and allows shipping world-wide, and sometimes gets a European customer. This web shop does not have to comply to the GDPR.

On the other side, you have companies like Google or Twitter who are truly multinational. These companies do need to comply to the GDPR, even though their headquarters are based in the United States and even though the servers are located in the United States.

The criterium for whether a non-EU company needs to comply to GDPR is: does the company intent to seriously service EU citizen? This is determined based on multiple factors, such as the website's language (do they have e.g. German translations?), providing pricing in euros, testimonials from EU customers, or having a contract with a parcel company with the specific intention of delivering to EU customers. The mere fact that the website can be used by an EU citizen is not enough to have it fall under the GDPR.

Source: page 11.

Keep calm and carry on

If you are not structurally serving EU customers then you have nothing to fear. But if you are – e.g. you are like Google and Twitter – then I argue that you should think about complying to EU laws. Despite all its fault, I still stand behind the spirit of the GDPR. It represents a re-evaluation of our societal values on how to balance corporate profits with the rights of private citizen. This re-evaluation is much needed.