Consumer website says “no thanks” to the GDPR and the EU
In the months that led up to the GDPR coming into force on 25 May 2018, as we readied ourselves to enter into a brave new world of enhanced regulation that sought to afford better protection of our personal data, we were all asked the same question over and over again: “Are you prepared for the GDPR?”
For one website, however, the solution to avoid non-compliance with the GDPR was remarkably simple: stop publishing in Europe altogether.
The website www.ripoffreport.com is operated out of Arizona, USA, and its primary objective purports to be to provide a platform to consumers to make the public aware of individuals and companies that have acted unprofessionally, negligently, in a corrupt manner and/or in bad faith. According to the website there have been a total of 2,267,095 reports filed, with more than 9 billion views, since it was founded in 1997.
Defamation lawyers will be all too familiar with the website. Whilst no doubt many of the reports are made in good faith, consumer websites like this are open to abuse from disgruntled customers, former employees/partners and competitors. The long-established website performs well on search engines, thus any business or individual listed on the website is likely to face scrutiny when third parties perform due diligence using the world's favourite search engine.
When the GDPR came into force, www.ripoffreport.com immediately cut off all access to the website from countries within the European Union. The website's editors tweeted:-
Visitors from the European Union attempting to access the website are currently presented with a warning page which says: "Error 1009: Access denied. What happened? The owner of this website (www.ripoffreport.com) has banned the country or region your IP address is in (GB) from accessing this website."
One would be forgiven for wondering why a website based in Arizona would be caught by the GDPR at all. This is because the GDPR applies, in a territorial context, in two very different ways.
Firstly, the GDPR applies to the processing of personal data by a data controller established in the EU regardless of where the actual data processing takes place. For instance, an organisation established in the UK that processes the personal data of people based only in Peru would still be subject to the GDPR.
Secondly, it applies to the processing of personal data by a data controller outside the European Union where it offers its services to data subjects located within the European Union, such as www.ripoffreport.com, or monitors their behaviour.
The GDPR is clearly intended to have a wide territorial application and compliance with its far-reaching provisions is far from straightforward. Where you have a global audience, one solution is to simply take your business elsewhere.
Click here to find out how Brett Wilson LLP privacy solicitors can help if you think your personal data has been misused.
Articles are intended as an introduction to the topic and do not constitute legal advice.