GDPR and geoblocking

02018-05-27T11:21:50-05:00

I’ve seen it argued that GDPR prohibits geoblocking. The argument goes something like this:

The ECJ has ruled that IP addresses are personal data. The text of Article 4 of the GDPR says:

‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

And Article 22 states:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

The prefatory language in Recital 71 gives examples of what is considered significant:

The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.

I’m not a lawyer, but it seems to me that automated profiling which outright denies service is something which significantly affects you, as per the example given in the recital.

If that’s the case, profiling people as having a location in the EU based on their IP address and then automatically denying service — i.e. geoblocking — is illegal under GDPR, unless you give the subject the option to not be subject to the block. And if you give them the option to not be subject to the block, you have to comply with GDPR, right?

Conclusion: Geoblocking EU users doesn’t make you compliant with GDPR or in any way reduce your legal exposure.

Supplemental evidence supporting that this is an intended effect of GDPR: The EU has already banned geoblocking, with exceptions only being given for streaming services.