Article 3 of the GDPR sets its geographical scope. The general rule is that it applies whenever a controller or a processor is established in the EU regardless where the processing takes place. That is something expected. However, the GDPR also applies to people who are in the EU whenever they surf the web (“offered goods and services irrespective of payment” or “have their behaviour monitored”).
This unexpected addition is usually referred to as “the extraterritoriality effect of the GDPR”. It has, deservedly, attracted much attention in politics, practice and academia. By some it has been hailed as a worthy example of regulating the web in a meaningful way. By others it has been criticized as a blunt attempt by the EU to regulate the planet. How could the EU possibly force organisations that reside in the USA, in China, or in India to apply the GDPR in their processing?
Nevertheless, much less attention has been given to the point of view of the people actually concerned. As said, the GDPR applies to someone residing anywhere in the EU no matter what. Any European can feel confident that the GDPR protects his or her personal data at all times.
What happens, however, if that same individual does not want it to be so? How can one get out of the scope of the GDPR for whatever reason?
In the past people could get out of laws of the country they resided in by flying, driving or sailing away from it. The internet appeared at first to be adding a new option to the list. I may be living in one country, but through the internet I can surf to whatever other jurisdiction I wish without ever leaving my living room. It is not the same as travelling, but it is something.
I guess that this is ultimately connected with what surfing the web actually means for us. During its first, heroic, period the internet was dominated by sentimentalists: “Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind”. Now, apparently the realists took their revenge, considering it a mere tool for someone to pay the bills or equip an apartment without ever leaving it. I do not think that either is entirely correct: The same person can pay the bills online and surf the web in order to get a, rare, sense of freedom.
So, how can one voluntarily get out of the GDPR’s scope? If it weren’t for its extraterritoriality effect, I could visit a website in the USA and USA rules would apply to me. Although perhaps inconceivable to the GDPR’s drafters, I may be in my sound mind and still want to do this. People are unpredictable and usually wish to keep their options open.
I think that the GDPR applies an implicit paternalistic approach. It assures Europeans that it knows what is best for them, and that it will always be there. This is perhaps normal for a fundamental human right (as is personal data protection in Europe) however the GDPR is no 3-lines declaration in the constitution. It is a technical legal text of some 100 detailed articles, without an “off” switch.
The way the GDPR is drafted Europeans cannot get out of its scope when online even if they wanted to. There is no space for a “no-GDPR browsing”, similar to “incognito browsing”. In this way however the GDPR fails to understand what the internet really means to a lot of people. This is why I believe that the traditional list of the only things that are certain in life (death and taxes), needs to be updated, at least for Europeans, with the addition of the GDPR.