- Henry Park
GDPR and extraterritoriality
The Register reported on November 19th that the UK Information Commissioner's Office (ICO) determined that The Washington Post violated the GDPR by tying cookie consent to access to their stories. That finding is not surprising given the definition of consent.
You would think the UK ICO would go after The Washington Post after finding it in violation of the GDPR because of the potential fines. However, the UK ICO appears to have said that apart from issuing the finding "there is nothing more [they] can do in relation to this matter."
What? Why would they not pursue The Washington Post given that the GDPR was written to extend outside of the EU (see Article 3)?
Probably because the UK ICO doesn't have the resources to pursue and win an extraterritoriality case.
This image is licensed by Ad Meskens under the CC BY-SA 4.0 license.