> it applies to pages being served to EU citizens, wherever they happen to be at the moment.
So geolocation is not a satisfactory option.
Completely false. Citizenship has nothing to do with GDPR. It's all about location.
An EU resident visiting the United States is not covered by GDPR while in the United States. An EU Citizen living in Los Angeles is not covered by GDPR. A Tunisian illegal immigrant in Berlin is covered by GDPR.
The 2012 draft of GDPR founded jurisdiction on the passive responsibility principle, which, while highly controversial, would, in fact have applied GDPR protections based on nationality of the person and not the location. However, that's not in the final version of the law. In Article 3, "resident" has been replaced with "data subjects who are in the Union."
"In the Union" means, inside the European Union. Which means the law's protections do not extend to those not inside the EU. The jurisdiction is unambiguous and crystal clear. Not a single word in Article 3 suggests that a Frenchman in Peru is covered by GDPR. Which means that your statement "wherever they happen to be at the moment" is false.
It seems that there still exists an incredible amount of ignorance about GDPR. It feels like people are reading analysis from others who are reading analysis from others and very view have actually read the actual law themselves. Or worse, people are using their memory of years-ago discussions about provisions or language that isn't in the actual final regulation and contributing to this completely wrong narrative such as "The law doesn't just apply to pages being served to the EU, it applies to pages being served to EU citizens, wherever they happen to be at the moment." That's 100% false. It's the exact opposite of the truth.
The fact on territorial scope is that GDPR covers an identifiable natural person inside the EU. It doesn't care about nationalities. It only cares about location. Geolocation is absolutely a satisfactory option, because an EU resident, citizen or whatever sitting in a Starbucks in Seoul, is not covered by GDPR. No matter how badly people might wish that to be false, the words in the actual regulation say otherwise.
Completely false. Citizenship has nothing to do with GDPR. It's all about location.
An EU resident visiting the United States is not covered by GDPR while in the United States. An EU Citizen living in Los Angeles is not covered by GDPR. A Tunisian illegal immigrant in Berlin is covered by GDPR.
The 2012 draft of GDPR founded jurisdiction on the passive responsibility principle, which, while highly controversial, would, in fact have applied GDPR protections based on nationality of the person and not the location. However, that's not in the final version of the law. In Article 3, "resident" has been replaced with "data subjects who are in the Union."
"In the Union" means, inside the European Union. Which means the law's protections do not extend to those not inside the EU. The jurisdiction is unambiguous and crystal clear. Not a single word in Article 3 suggests that a Frenchman in Peru is covered by GDPR. Which means that your statement "wherever they happen to be at the moment" is false.
Here is the actual text of Article 3: https://gdpr-info.eu/art-3-gdpr/
It seems that there still exists an incredible amount of ignorance about GDPR. It feels like people are reading analysis from others who are reading analysis from others and very view have actually read the actual law themselves. Or worse, people are using their memory of years-ago discussions about provisions or language that isn't in the actual final regulation and contributing to this completely wrong narrative such as "The law doesn't just apply to pages being served to the EU, it applies to pages being served to EU citizens, wherever they happen to be at the moment." That's 100% false. It's the exact opposite of the truth.
The fact on territorial scope is that GDPR covers an identifiable natural person inside the EU. It doesn't care about nationalities. It only cares about location. Geolocation is absolutely a satisfactory option, because an EU resident, citizen or whatever sitting in a Starbucks in Seoul, is not covered by GDPR. No matter how badly people might wish that to be false, the words in the actual regulation say otherwise.