Faceapp has been all over the news recently. The app has been around for a couple of years, but has gained sudden popularity over the last few weeks. With the popularity came the privacy concerns. The company behind Faceapp is based in Russia, or at least so it seems. It however subjects its terms to Californian law and chooses that state as venue for dispute resolution. How will European Data Protection Autorities (DPA) react to Russia based Faceapp & the territorial scope of GDPR.
Our question is how the EU regulators or the European Data Protection Board (EDPB) will deal with this (Russian) app? The governing body has elaborated on the territorial scope of GDPR and in our opinion this app would qualify to fall within that scope. It seems that Faceapp has all the intention to provide services to European citizens and that it places cookies on their browsers to monitor behavior.
The result would be that it needs to comply with GDPR and if it doesn’t it may be subject to disciplinary powers (including fines) of data protection agencies (“DPAs”).
How will European DPA´s enforce any action that it may take against this app and all other apps (or services providers) that fall within the scope of GDPR but are located in countries where enforcement is difficult? If the DPA´s do not take any action, how will that look when other companies do get fined and enforced over similar offences. The GDPR runs the risk that it will become a paper tiger for these kinds of cases.
If you are interested to know more about the material and or territorial scope of the GDPR and if your activities would fall within that scope and if so, what you should be complying with. Do contact us for further information and counsel or call +34 610 739 364.