
Say I want to publish a web page that includes URLs for Google-hosted font files in its stylesheet. If your user agent deigns to, it can download those font files and display the page with them.

Someone was fined in Germany for "sending" a person's IP address to Google without permission, though, for an arrangement much like this, so this page could be illegal in Germany or other parts of the EU under the GDPR.

So say I choose not to make my page available in Europe. What methods of doing that are recognized as legally significant? If I move it from a public hosting service to a server I control and refuse access to all IPs likely to be located in Europe, what happens if someone standing in Europe uses a VPN to fool me and access my site that I am trying to keep them out of? Or if the person who sold me the IP address database made a good faith mistake? If I just put a big notice that the web site is not available in Europe on it (despite it being physically possible to access from Europe by being behind enough proxies, or in the case that I don't control the web host enough to institute technical access control measures), would that "count"?

How do I change the situation as seen by European courts from me collecting and processing someone's data to someone breaking into my web site which they are forbidden from using and planting their personal information in it?

This is related to this question, but instead of whether "filters and firewalls" can be effective technically at keeping IP addresses out of logs or whatever, I want to know what is effective legally at making something count as not available in Europe.

interfect

1 Answer


It's not relevant whether your website is available in Europe, so attempting to block Europeans from accessing it is not the right approach. It's possible to have a website be available in Europe without needing to comply with the GDPR, and it's also possible to have a website which tries to block European visitors but still needs to comply with the GDPR.

The actual rule is found at Article 3.2 of the GDPR:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

In other words, to fall within the scope of the GDPR, you either need to be offering goods or services (including for free) to people in the EU, or you need to be doing processing which is related to monitoring the behaviour of people in the EU.

If you avoid doing either of those, then it doesn't matter whether someone in the EU can access your website or not.

Due to the difficulty in enforcing the GDPR in foreign jurisdictions, you are unlikely to find much in the way of definitive case law to work out what does or does not constitute "offering goods or services" or "monitoring of their behaviour" for the purposes of Article 3.2. However, the following guidance from gdpr.eu may be worth considering:

Offering goods or services

The Internet makes goods and services in far-flung places accessible anywhere in the world. A teenager in Cyprus could easily order a pizza online from a local pizza shop in Miami and have it delivered to a friend’s house there. But the GDPR does not apply to occasional instances. Rather, regulators look for other clues to determine whether the organization set out to offer goods and services to people in the EU. To do so, they’ll look for things like whether, for example, a Canadian company created ads in German or included pricing in euros on its website. In other words, if your company is not in the EU but you cater to EU customers, then you should strive to be GDPR compliant.

Monitoring their behavior

If your organization uses web tools that allow you to track cookies or the IP addresses of people who visit your website from EU countries, then you fall under the scope of the GDPR. Practically speaking, it’s unclear how strictly this provision will be interpreted or how brazenly it will be enforced. Suppose you run a golf course in Manitoba focused exclusively on your local area, but sometimes people in France stumble across your site. Would you find yourself in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data.

Following the logic of that guidance, you can avoid Article 3.2(a) by making it clear in your terms and conditions (and in your presentation and marketing) that you do not offer goods or services within the EU, and you can avoid Article 3.2(b) by avoiding monitoring visitors (e.g. with cookies).

(Edit in response to a comment.)

"So if I neither offer goods nor services, nor monitor the behavior of people, I can include as many embeds of things from other people who themselves track people as I would like?"

I think that is risky, due to the way Article 3.2 is phrased (emphasis mine):

This Regulation applies to the processing of personal data [...] where the processing activities are related to [...] the monitoring of their behaviour [...]

It's the monitoring which triggers Article 3.2 and brings the website within the GDPR's scope, but the monitoring merely has to be related to processing to trigger it. Processing is a much broader concept than monitoring. It's defined at Article 4(2):

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

It's likely that even if you avoid doing any monitoring, you are still doing processing (e.g. with users' IP addresses). If you then provide a mechanism which enables a third party to do monitoring, then you risk that your processing is related to the monitoring.

JBentley
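As an added example (not part of the question or of JBentley's answer), here is a small Python scan that lists the third-party origins a page makes every visitor's browser contact automatically. Each such origin receives the visitor's IP address, which is exactly the mechanism the question describes for Google-hosted fonts and the "embeds" the answer's last paragraph warns about. The page markup, the URLs (`example.org`, `analytics.example.net`), the stylesheet bodies and all function names below are constructed for this illustration; the Google Fonts CSS shown is a stand-in, not what the real service serves.

```python
"""Scan a page for third-party origins its visitors' browsers will contact.

Only resources fetched automatically are counted (stylesheets, scripts, images,
frames, fonts pulled in from CSS); a plain <a href> is followed only on click.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# url(...) and @import "..." in CSS. Adequate for a scan; not a full CSS parser.
CSS_REF_RE = re.compile(
    r"""url\(\s*(?P<q>['"]?)(?P<u>[^'")\s]+)(?P=q)\s*\)"""
    r"""|@import\s+(?P<q2>['"])(?P<i>[^'"]+)(?P=q2)""",
    re.IGNORECASE,
)

AUTO_FETCH_TAGS = ("script", "img", "iframe", "audio", "video", "source", "embed", "track")


def css_references(css_text):
    """Return [(url, is_imported_stylesheet)] for every fetch a stylesheet triggers."""
    refs = []
    for m in CSS_REF_RE.finditer(css_text):
        imported = m.group("i") is not None
        refs.append((m.group("i") if imported else m.group("u"), imported))
    return refs


class _PageRefs(HTMLParser):
    """Collect automatically fetched resource URLs and inline <style> blocks."""

    def __init__(self):
        super().__init__()
        self.resources = []   # (url as written, is_stylesheet)
        self.inline_css = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self._in_style = True
        elif tag == "link" and a.get("href"):
            rels = a.get("rel", "").lower().split()
            if "stylesheet" in rels:
                self.resources.append((a["href"], True))
            elif any(r in rels for r in ("preload", "modulepreload", "prefetch", "icon")):
                self.resources.append((a["href"], False))
        elif tag in AUTO_FETCH_TAGS and a.get("src"):
            self.resources.append((a["src"], False))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:          # <style> content arrives as one raw-data block
            self.inline_css.append(data)


def origin_of(url):
    """scheme://host[:port] for http(s) URLs; None for data:, mailto:, fragments etc."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc.lower()}"


def third_party_origins(html, page_url, fetched_css=None):
    """Sorted list of origins other than the page's own that the browser will contact.

    fetched_css maps a resolved stylesheet URL to its text, so that fonts and
    images pulled in by an external stylesheet are attributed as well.
    """
    fetched_css = fetched_css or {}
    parser = _PageRefs()
    parser.feed(html)
    parser.close()
    queue = [(urljoin(page_url, u), is_css) for u, is_css in parser.resources]
    for css in parser.inline_css:
        queue += [(urljoin(page_url, u), imp) for u, imp in css_references(css)]
    own, seen, foreign = origin_of(page_url), set(), set()
    while queue:
        url, is_css = queue.pop()
        if url in seen:
            continue
        seen.add(url)
        origin = origin_of(url)
        if origin is None:
            continue
        if origin != own:
            foreign.add(origin)
        if is_css and url in fetched_css:   # relative refs resolve against the sheet, not the page
            queue += [(urljoin(url, u), imp) for u, imp in css_references(fetched_css[url])]
    return sorted(foreign)


PAGE_URL = "https://example.org/index.html"   # hypothetical first-party page
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/static/site.css">
<style>.hero { background: url(/img/hero.jpg); }</style>
</head><body>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="inline, no request">
<a href="https://partner.example.com/">a link, fetched only on click</a>
<script src="//analytics.example.net/collect.js"></script>
</body></html>"""
# Constructed stand-ins for the two external stylesheets, as if already fetched.
SAMPLE_CSS = {
    "https://fonts.googleapis.com/css2?family=Inter":
        '@font-face { font-family: Inter; src: url(https://fonts.gstatic.com/s/inter/example.woff2) format("woff2"); }',
    "https://example.org/static/site.css": ".logo { background: url(../img/logo.png); }",
}

if __name__ == "__main__":
    for origin in third_party_origins(SAMPLE_HTML, PAGE_URL, SAMPLE_CSS):
        print(origin)
```

Run against the constructed page it reports `analytics.example.net`, `fonts.googleapis.com` and `fonts.gstatic.com`; the last one only appears because the fetched Google Fonts CSS was supplied, which is the point of passing `fetched_css`: the stylesheet you embed decides which further hosts see the visitor's IP, not you.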