Hacker News
by kbart 3290 days ago
"How do I follow conflicting laws? One country says "keep all data for 90 days to aid law enforcement" the other says "delete it immediately" which is it?"

GDPR is an EU-wide regulation that trumps national privacy laws. It doesn't even need to be approved by individual members, so when it goes into effect on 25 May 2018, it will be in force EU-wide on the same day. Furthermore, it affects companies all over the world that serve EU citizens. There's much skepticism about how the EU will enforce this law worldwide, but so far it has been quite successful dealing with big companies, remember: Microsoft vs EU (paid a €561 million fine), multiple cases of Google vs EU (right to be forgotten, Ireland tax ruling, ongoing case vs Android), Facebook/WhatsApp vs EU (€110 million fine) etc. To answer your question: no, there will be no conflicting laws - if you serve EU citizens, you must follow GDPR. From my personal perspective, GDPR is one of those not-so-frequent moments when I'm proud of the EU.

3 comments

> Furthermore, it affects companies all over the world that serves EU citizens.

No, GDPR applies if companies target EU citizens [1][2]. My personal opinion of the law is that it's as useless as the cookie law but way more costly and unpredictable.

[1] (122), Pg 22, https://docs.google.com/viewer?url=http%3A%2F%2Fec.europa.eu...

[2] Pg 13, https://docs.google.com/viewer?url=http%3A%2F%2Fwww.linklate...

The mere accessibility of your website by individuals in the Union or use of the languages of one of the Member States in the Union (if the same as the language of your home state) should not by itself make you subject to the Regulation. However, the following factors are a strong indication that you are offering goods or services to individuals in the Union and so are subject to the Regulation:

> Language - You are using the language of a Member State and that language is not relevant to customers in your home state (e.g. the use of Hungarian by a US website).

> Currency - You are using the currency of a Member State, and that currency is not generally used in your home state (e.g. showing prices in Euros).

> Domain name - Your website has a top level domain name of a Member State (e.g. use of the .de top level domain).

> Delivery to the Union - You will deliver your physical goods to a Member State (e.g. sending products to a postal address in Spain).

> Reference to citizens - You use references to individuals in a Member State to promote your goods and services (e.g. if your website talks about Swedish customers who use your products).

> Customer base - You have a large proportion of customers based in the Union.

> Targeted advertising - You are targeting advertising at individuals in a Member State (e.g. paying for adverts in a newspaper).

All the big (and smaller) players in tech are working hard to implement all the requirements of this law (control over what data is stored, TTLs, encryption).

How is this useless for end-users? It forces companies to encrypt this data at rest, and to allow users to delete it when they want.

I can't really envision Facebook or Google removing all EU-only language options and doing away with targeted advertisements, so how come you think these criteria won't work?
Microsoft vs EU yielded €2bn in fines. I made the calculations myself in 2013; I can't find the source, but here are most of the details: https://www.neowin.net/news/since-2004-the-eu-has-fined-micr...
I think they meant e.g. US vs EU.

EU law does not subsume US law.

It is possible for there to be a situation where to offer some service, you have to either break the laws of one country or the other. In this situation, you simply cannot offer that service without exposing yourself to legal consequences.
Well, nothing stops a company from implementing different stuff for different countries.

Companies did this before the internet, and even with the internet they did it for Chinese regulations.

I mean, even translation into different languages is basically a "special implementation" for different countries...

That's not always sufficient. You can end up in a situation where an American court demands records that concern European customers. In that situation, handing them over gets you penalized in a European court, and not handing them over gets you penalized in an American court. Both will have the ability to really hurt you, and "the other court tells me not to" is not a defense at either of them.