
> 2. Article 3(2): "This regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

a. The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

b. The monitoring of their behavior as far as their behavior takes place within the Union."

This doesn't seem to discuss intent at all? I mean, we could mince words about what offering a service means, but that doesn't seem productive and unless there is some other part of the law redefining this, won't make me comfortable.



The official EU guidance (not in the text of the GDPR) clarifies what offering means - it requires some evidence of intent to target the EU, rather than merely not blocking the EU.

While that point of guidance won't have region-wide binding force of law unless the European Court of Justice rules that way, I'd be extremely surprised if any national supervising authority or court system would contradict such a document, since the official guidance's reading is clearly among the possibilities consistent with the text (admittedly not the only one) and predictability of this kind of law is key to achieving its goals. Even if they do, they wouldn't likely penalize people with more than a warning if they haven't announced their weird interpretation in advance.


This is an excellent example of the problems people are worried about though.

Q: is it possible to be in violation of the gdpr in a situation where you could never know you needed to be compliant and have taken steps to avoid serving EU countries?

A, official: Yes.

A, unofficial: Most likely not if no one's having a bad day or has a bone to pick or is just being uppity.


The official answer isn't necessarily yes, though. The official answer is more ambiguous than that - "offering" can mean what you think it means, but it can also mean what the official guidance says.

Also, both answers are official and from the EU institutions. One is the law, and the other is meant to help interpret and apply the law. I'm not talking about third party compliance guides (except for the link I shared), of which there are many.

With all of that said... If you have both taken steps to avoid serving EU countries AND have also done things which they view as targeting EU countries, the answer would be murkier. For example, if you block European IP addresses but also use .de and .fr IP addresses and accept Euros, they might consider it to apply despite the IP block.

I'm also not sure what would happen if you took no explicit steps to target, but saw 80% of your customers coming from Europe on a sustained basis and did nothing to stop that.

Overall, the law will be interpreted with its own intent in mind: it should apply if you're engaging with Europe, but not automatically globally.

I understand if you want more certainty, but that's how computer programs operate, not laws.



