On Fri, Feb 16, 2018 at 03:27:57PM -0800, John Horton via gnso-rds-pdp-wg (gnso-rds-pdp-wg@icann.org) wrote:
I think some others have found that unless you are within the borders of the EU, you are not a data subject
That makes no sense to me. The GDPR speaks in places of "data subjects in the union" and other places of "data subjects" without such qualification. The only sensible interpretation is that when not so qualified it also includes people outside the union.
- First, recitals help in interpretation and provide important context -- so they are indeed relevant -- but typically aren't binding in the same way that what comes afterwards is. So I don't think legally you can rely on the recitals for the argument you are making.
Correct. That's why I quoted the (legally binding) Article text instead. So let's look at how "data subject" is formally defined in Article 4(1): "'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" There is no limitation based on location or residence of said persons.
- Your reliance on the second clause (after the comma) in Article 3, Paragraph 1 is (I'd respectfully submit) misplaced in the light of the definitions section. The clause says "...regardless of whether the processing takes place in the Union or not." Processing, however, is defined as "any operation or set of operations on...personal data..." which of course is defined in the definitions section as relating to natural persons. You appear to be interpreting "processing" to mean "no matter where your customers come from."
I'm not relying on that subclause. The first clause is enough: as there's no explicit mention of the location of customers, it applies regardless of their location. The second clause only adds that if you're a company in the EU, you won't get off the hook even by moving the actual processing outside the EU. So if a European company sets up a facility in the USA for processing its American customers, these can still sue it in Europe for GDPR violations.
I think you would all clearly agree: I don't, as a US citizen, have rights under the GDPR because...I'm not a Data Subject. I don't have what's known as "standing" to file a complaint, do I?
I certainly don't agree. I think it is obvious you would be a data subject in GDPR terminology and would have standing to file a complaint, too, in the country where the data processor is located. The argument that "data subject" is limited to Europeans, here and elsewhere, seems to me just an attempt to find loopholes in the text to work around the clear intent of the law. I don't think it'll fly. Incidentally, I find it somewhat odd to find Americans arguing that Americans should not have standing to claim their rights under European law against European companies.
-- Tapani Tarvainen