Privacy professionals are repeatedly struggling with understanding the potential global reach of the EU General Data Protection Regulation. Here is one example of just how far it could go.
In June 2016, Israel’s Ministry of Tourism initiated an online campaign called “Two Cities – One Break.” It was designed to promote Israel’s two main cities, Tel Aviv and Jerusalem, to Europeans as a vacation destination.
The tourism campaign included an online video ad featuring model Shir Elmaliach, guiding the viewer through the country’s top tourist destinations. The video was translated into a number of European languages, and a representative example, targeting the German and Austrian markets, is available at:
As regards the goal of the ad campaign… I have lived and worked in Tel Aviv for many years, and think it is the greatest city in the world. And Jerusalem, of course, is clearly one of a kind. So, by all means, more Europeans should come and pay Israel a visit.
But as a privacy practitioner, I began to wonder: if Israel’s Ministry of Tourism ran the campaign again after May 25 this year, that is, after the GDPR takes effect, would it be in potential violation of Europe’s strict new privacy rules?
The idea might seem laughable, but for the Israeli government this might be no joke.
Consider the following:
- The GDPR’s material scope carves out policing and national security activities by competent authorities (Article 2(d) to the GDPR). There is no general exemption, however, for all government entities; namely ministries of tourism are not exempt.
- The GPDR applies to non-EU entities that process or control personal information about individuals who are in the EU in the context of offering goods or services to those EU-based individuals (Article 3(2) to the GDPR). In its video ad campaign, the Ministry of Tourism clearly promotes a vacation in Israel to EU individuals.
- The GDPR does not require that the offered goods or services be owned by the entity that offers them. In its campaign, the Ministry of Tourism promotes services and goods offered by other entities – travel booking services, airlines, hotels, tourist guides, etc. – as part of planning a vacation in Israel. Article 3(2) to the GDPR, therefore, may apply to the Israeli government ministry.
- Recital 23 to the GDPR states that “factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language … may make it apparent that the controller envisages offering goods or services to data subjects in the Union.” The Israeli campaign specifically targeted individuals in EU member states by producing the online video ad in English, German, French, Italian, Spanish, Dutch and Swedish.
- The GDPR also applies to those who monitor the behavior of data subjects when their behavior takes place within the EU. Where the Israeli government campaign reaches European online users, their activities and behaviors, for example, clicking the ad, may indeed be monitored.
- Recital 24 to the GPDR states, “In order to determine whether a processing activity can be considered to monitor the behavior of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.” Here, the government’s ads are posted online and presumably track user engagement.
- Like most advertisers, the Ministry of Tourism likely received web-analytics data about the performance of the online ad campaign. In these cases, the advertiser, or an analytics service on its behalf, typically collects potentially identifiable information about users who viewed the online videos, including IP addresses, device IDs and other identifiers. Under GDPR, regulators could view such data processing as monitoring activities subject to European law
- Some EU-based users who watched the online video may have contacted the ministry directly to obtain further information, whether by email, phone, fax or through the ministry’s website. This too could be considered to be processing personal information under the GDPR.
Considering all that, it seems entirely plausible that the GDPR might in fact apply to the online campaign of the Israeli government ministry.
The next question, then, would be: For violations of the GDPR, could an EU data protection authority fine the Israeli government up to 4 percent of Israel’s annual global turnover? In 2016, the country’s GDP was $320 billion, which would make for a hefty fine imposed on Israeli taxpayers.
The answer, of course, is quite obviously no. Clearly, such legal overreach would violate Israeli sovereignty. But it is worth noting that we were recently asked the same question by an Israeli municipality. It bears thinking about: Would a non-EU city’s obligation to comply with the GDPR sound less absurd?
During recent informal talks with government officials in Israel, they agreed that the GDPR indeed has the potential to violate Israeli sovereignty.
Where, then, should the line be drawn? How far beyond the borders of the European Union will GDPR enforcement reach? This of course is not just a legal question but also a political one. Time will tell if EU regulators will show a degree of restraint when addressing non-EU entities’ compliance with the GDPR.
Top image: Screen shot from Israeli Ministry of Tourism video.
If you want to comment on this post, you need to login.