by ysv2 3057 days ago
> This regulation is not limited to companies based in the EU—it applies to any service anywhere in the world that can be used by citizens of the EU.

That's fundamentally incorrect. As a non-EU citizen, I reject the notion that a foreign government has the right to impose their own laws on me, be it the EU or China or anyone else. If the EU thinks it's a problem that I'm offering a service to EU citizens that doesn't comply with laws I have no vote on, frankly they can sod off.


You are aware that this does not make sense, since to do business with people from other countries you already have to comply with their laws in terms of taxes and accounting anyway.

Selling to EU customers as a US business already requires you to have a VAT ID in the EU, so what does this change for you? In the end the main provision is to only require and store customer data which is effectively needed for providing the services and goods you offer. If you are doing business responsibly, this should not affect you at large as it mainly formalises these processes and requires you to actually write down and document what data you need for what processing steps. If you cannot do that, your business is already flawed, and not because GDPR does not work for you.

> Selling to EU customers as US business already requires you to have a VAT ID in EU

That's not quite right. If you are a digital service provider based in the US, no, you don't need an EU VAT ID.

Yes, it's your right to block the EU users. But, if you want their money (and that's up to you to decide), you have to obey their law, nothing new here.

It's not their money, it's whether you store or process personal data about individuals in the European Economic Area (slightly larger than the EU).

If you're running a Chinese site aimed at Chinese you're good.

If you're running an Indonesian site aimed at Germans you need to honour the GDPR.

You don't need any personal data to conduct most of the business.

I work in a place that would be beyond heavily affected by GDPR and I find the legislation a good change as companies should not hoard data they don't need - just in case... or just to sell.

Wouldn't you need personal data to accept payments? Or maybe a broker (like Stripe) would store these and the end business would keep just a reference to the payment.

You can keep an external reference to payment providers. Depending on the business you might need KYC and anti-money-laundering procedures, and then it's harder.

However if you have some direct business and do accept payments - by all means make it secure and transparent to your customers.

In lawyers' terms: a payment apparently is just a contract. So you can store the data needed for the payment under that legal basis.

IANAL

Probably... not really? Maybe?

For starters, if you don't take payment and aren't in the EU, EU enforcement power is going to be extraordinarily limited. And even if you do require payment, if you don't have a physical nexus in the EU, it's unclear what exactly the EU can do?

I think the GDPR was basically aimed at some of the scummier adtech practices and businesses like Facebook, and for those, it will be very enforceable.

> And even if you do require payment, if you don't have a physical nexus in the EU, it's unclear what exactly the EU can do?

You need an EU VAT ID to accept payments from EU citizens. So they will revoke that and then you can't accept payments from the EU.

> You need an EU VAT ID to accept payments from EU citizens.

This was mentioned before: No, you don’t.

Millions of businesses around the world accept transactions from EU citizens every day without collecting any VAT or having any relationship with the EU.

Why are you storing and processing their data if not for profit?

Personal data in the GDPR has a very expansive definition, and definitely includes things like IP. Processing likewise has an expansive definition, including collection and recording. Lots of sites will be processing and storing this data for internal analytics.

> Lots of sites will be processing and storing this data for internal analytics.

Just because you can doesn't mean you should. And not asking that question has got us where we are today.

Did your customers consent to what is effectively someone following them round the store with a clipboard?

So just don't do internal analytics. Or, if you feel you must, ask consent first. Easy peasy.

It isn't my responsibility to block them, or to take any action whatsoever to comply with another country's laws.

Well, the point of the GDPR is to make you aware that collecting personal data of EU citizens requires their explicit consent. Just ask me for it, that's not a big deal, is it?

If you don't, you're effectively stealing from me and I shall expect my government to go after you to the full extent of the law.

What makes you imagine your government has any jurisdiction over me?

EU citizens can choose to use services offered under other countries' laws, or not. The EU can choose to implement their own Great Firewall to block such services, or not. Frankly I don't care either way.

Uh? This is already how the world works. It does not matter where you are located as long as you are transacting with EU citizens.

In extreme cases of non-compliance, avenues for enforcement that have been discussed reuse existing Anti Money Laundering mechanisms: once flagged in the system, banks will simply freeze your business assets connected to EU countries and you might be arrested upon crossing any EU border.

I have no business assets connected to any EU countries, and I don't have any desire to cross any EU borders. So I will continue to enjoy life in my home country and ignore your provincial laws.

> What makes you imagine your government has any jurisdiction over me?

It doesn't. But once you enter Europe, expect to be in trouble (if there is anything going on against you). Also, forget about doing business in Europe (with EU citizens).

So if you don't care about these, then you don't have to care about this law.

Right, hypothetically if I were to physically enter the EU I could expect trouble, and that's the EU's right. But in the meanwhile, if EU citizens wanted to do business with me, that's not my problem.

I basically agree with your assessment.

That is actually not correct, consent is one of several options (and usually not the best option because there are strict requirements for a valid consent).

It being fundamentally incorrect and you not liking it are two very different things.

Yet it is fundamentally incorrect. I'm not an EU citizen, so I have zero reason to care about their laws. I will simply ignore them, and the EU has no recourse, other than possibly mandating that their ISPs block me or something. Which I also do not care about.

If you want to do business with EU citizens, you have to follow EU law. Before the internet, you had to open a shop here, or send your goods over the border. The only thing that has changed is the fact that you provide a virtual service over the internet.

No, if I want to have a physical presence in the EU I have to follow EU law. But if I'm residing entirely in another country, and EU citizens want to do business with me over the internet, I could care less what EU law says. And no amount of whining on this thread will change the fact that the EU has no leverage over me.

> I could care less what EU law says

You need a way to sell to the EU (if you wish to do business there).

Digital services (say from the US) do require EU VAT registration. If you don't have that and your country has a tax agreement with the EU (or some countries from the EU), there is a risk of being prosecuted. It won't happen if you get like 1000 customers in each country of the EU (as the latter has no global tax organization like the IRS).

Keep in mind also that if you have too much unexplained income your own tax authorities can investigate the case, incl. anti money laundering.

Bottom line is: it's rather hard to sell services (let alone goods) in cases where you are non-compliant with the laws. The internet is not a magic wand.

If I break US law over the internet against a US company/person, even though I do no business in the US, have never been there, and don't plan to be there, guess how long before I'm dragged making license plates with words like "liberty" or "freedom" on them in an American rape gulag?

So, you do not care one iota about laws, or security of PII and other sensitive information, unless there can be sanctions against you?

Regardless, businesses have been dropped from their payment provider for less, so there is certainly leverage.

To me this reads with the focus in reverse. The EU's aim is not specifically to regulate or punish non-EU service providers - rather, that's (one effect of) the tool they are using to protect the rights of its citizens which is the real focus here. Since service providers the world over have been unwilling to voluntarily protect those rights, what alternative approach could they take?