Why the GDPR is a threat to a free internet and should be ignored by those outside the EU
Much has already been said about the EU's General Data Protection Regulation (GDPR). One of the commonly noted aspects of the GDPR is that it attempts to exert extraterritorial jurisdiction on any entity processing the data of an EEA resident, even if the entity itself has no assets in the EEA or other relation to it.
This is a direct threat to a free and open internet and it is my view that entities operating outside of the EEA and without assets in the EEA should disregard this entirely. In other words, they should hold the GDPR in contempt.
To see why the GDPR's extraterritoriality clause is a threat to a free and open internet, we need only look at some of the reactions to its implementation by non-EU entities. In the wake of the GDPR, many non-EEA news websites chose to respond to the GDPR's attempts at extraterritoriality by simply blocking all EEA visitors via IP geolocation. In other words, because the EU passed a law saying that a website becomes subject to its jurisdiction if any EEA resident visits it, some non-EEA websites responded by closing themselves to EEA residents.
One of the simplest moral principles that can be applied is the extrapolation principle: ask yourself “if everyone did this, does the world get better or worse?”. In this case, ask yourself: “if every country tried to claim extraterritorial jurisdiction over any website open to its residents, does the web get better or worse?”
It's perfectly obvious what would happen if this were to become the norm. If allowing people from country X to visit your website renders you subject to country X's laws, it stands to reason that it's legally unsafe to allow people from country X to visit your website until you have a lawyer determine what laws in country X you may need to comply with. This would ultimately lead to a situation in which websites cease to be accessible to anyone in the world by default, because in the above scenario it logically follows that by doing so you also at once expose yourself to the jurisdiction and law of every country in the world. If I allow people from North Korea to visit my website, does that entitle North Korea to pass laws with which I must comply? There is no difference between this and what the EU has attempted to do with GDPR.
Rather than websites being accessible to the whole world by default, websites will instead necessarily become accessible only to a list of pre-approved countries by default; countries for which due diligence has been done and lawyers have been involved to ascertain any compliance requirements. Whether a website is accessible to people in country X will depend not just on whatever requirements country X chooses to impose, but also whether it is worth the time and money of the website operator to do the precautionary legal research necessary to be able to serve country X. Even if country X imposes no extraterritorial jurisdiction on websites at all, it may still be denied access if it is a less major country and the website operator does not care to spend the time and money to safely ascertain that that is the case.
In short, any attempt by any country to render a website subject to its jurisdiction just by virtue of doing business with its residents constitutes an inexorable threat to a free and open internet; to an internet where your ability to access a website does not depend on from where you come.
Where a country does attempt to do this, it should simply be ignored by those outside of it, as it has no material recourse against those outside of its territory. At the worst it may attempt to block such a website, which will not be particularly successful and involves the expenditure of their own time and money rather than yours.
Ultimately, the notion that a resident of a country visiting a website gives that country jurisdiction over it can only gain real power and agency to the extent that it becomes more commonly asserted and an internationally popular way of thinking about law. This line of thinking — “people from country X visiting my website gives that country jurisdiction” — has in fact become much more common over the last decade, including, curiously, among people who stand to lose from it; for example, a US website operator who attempts to comply with an Italian injunction against it by blocking Italian visitors. Website operators may think that in doing so they are rebuffing excessive claims of jurisdiction by random foreign countries, since they only cease service in that country and not globally. In actuality they are implicitly validating, and going along with, the idea that a website becomes subject to a country's jurisdiction if visited by its residents.
It should also be noted that the very idea of “blocking a country” is impossible, and attempts at it inevitably rely upon the fallacy of IP geolocation, which is not and cannot be accurate. Since it cannot be accurate, it inevitably leads to collateral damage (overblocking) while also failing to accomplish the legal objective (underblocking).
As an aside, while it may be the case that the GDPR should be ignored by those outside of the EEA (or UK), this doesn't mean that you shouldn't extend to your users many of the rights they might enjoy under the GDPR anyway; but you should do these things because they are the right thing to do, not because the GDPR demands it.