Testing the Extraterritorial Reach of the GDPR

A European privacy regulator has provided insight into a key feature of the General Data Protection Regulation (“GDPR”)—extraterritorial reach. Recall that Article 3(1) of the GDPR applies to EU-based organizations engaged in the processing of personal data (i.e., any information relating to an identified or identifiable natural person) belonging to EU data subjects. However, Article 3(2) goes a step further by extending the territorial scope of GDPR to organizations that are not physically established in the EU. Article 3(2) applies to the processing of personal data of individuals in the EU by a controller or processor established outside the EU where the processing activities are related to the offering of goods or services to those individuals inside the EU. Even with Article 3(2), there continues to be uncertainty around the GDPR’s extraterritorial applicability and its enforceability against non-EU based organizations.

On November 19, 2018, The Register (a UK-based technology news website) reported that the UK Information Commissioner’s Office (the “ICO”) issued a warning to The Washington Post over its approach to obtaining consent for cookies required to access the newspaper’s online service.

At the time the warning was issued, The Washington Post presented readers with three options to access its service: (1) free access to a limited number of articles conditioned upon granting consent to the use of cookies and tracking for the delivery of personalized ads; (2) a basic, fee-required subscription consisting of access to an unlimited number of articles, which was also conditioned upon consent to the use of cookies and tracking; or (3) a premium, higher fee subscription consisting of paid access to an unlimited number of articles with no on-site advertising or third party ad tracking.

The ICO concluded that since The Washington Post did not offer a free alternative to accepting cookies, consent could not be freely given and the newspaper was in contravention of Article 7(4) of the GDPR. Article 7(4) provides that “[w]hen assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

The ICO issued a written warning to The Washington Post to ensure access to all three subscription levels without users having to consent to the use of cookies. Despite issuing the warning, the ICO noted that if the newspaper decides not to change its practices for obtaining consent for cookies, there is nothing else the regulator can do on the matter.

The Federal Trade Commission (“FTC”) and the ICO signed a Memorandum of Understanding in 2014 to facilitate mutual assistance in the exchange of information in investigating and enforcing covered privacy violations. In the memorandum, “covered privacy violation” refers to practices that violate the applicable privacy laws of one participant country that are the same or substantially similar to practices prohibited by privacy laws in the other participant country. However, since U.S. privacy law does not address the issue of cookie consent, the issue does not fall under the scope of the memorandum. So while this warning to The Washington Post about consumer choice and consent provides a useful guidepost for companies navigating GDPR compliance, it is unlikely to mark a significant pivot in the enforcement direction of the ICO. The ICO appears to be watching U.S. company practices, and may seek to influence them. Its actual ability to do so, whether directly or with FTC assistance, remains to be seen.

The European Data Protection Board is expected to release guidance around the GDPR’s extraterritorial applicability in the coming weeks.

Grayson J. Derrick
Chair, Technology and Intellectual Property Section