Yes, it's your right to block the EU users. But, if you want their money (and that's up to you to decide), you have to obey their law, nothing new here.
You don't need any personal data to conduct most of the business.
I work in a place that would be beyond heavily affected by GDPR and I find the legislation a good change as companies should not hoard data they don't need - just in case... or just to sell.
Wouldn't you need personal data to accept payments? Or maybe a broker (like Stripe) would store these and the end business just a reference to payment.
For starters, if you don't take payment and aren't in the EU, EU enforcement power is going to be extraordinarily limited. And even if you do require payment, if you don't have a physical nexus in the EU, it's unclear what exactly the EU can do?
I think the GDPR was basically aimed at some of the scummier adtech practices and businesses like Facebook, and for those, it will be very enforceable.
> You need an EU VAT ID to accept payments from EU citizens.
This was mentioned before: No, you don’t.
Millions of businesses around the world accept transactions from EU citizens every day without collecting any VAT or having any relationship with the EU.
Personal data in the GDPR has a very expansive definition, and definitely includes things like IP. Processing likewise has an expansive definition, including collection and recording. Lots of sites will be processing and storing this data for internal analytics.
Well, the point of the GDPR is to make you aware that collecting personal data of EU citizens requires their explicit consent. Just ask me for it, that's not a big deal, is it?
If you don't, you're effectively stealing from me and I shall expect my government to go after you to the full extent of the law.
What makes you imagine your government has any jurisdiction over me?
EU citizens can choose to use services offered under other countries' laws, or not. The EU can choose to implement their own Great Firewall to block such services, or not. Frankly I don't care either way.
Uh? This is already how the world works. It does not matter where you are located as long as you are transacting with EU citizens.
In extreme cases of non-compliance, avenues for enforcement that have been discussed reuse existing Anti Money Laundering mechanisms: once flagged in the system, banks will simply freeze your business assets connected to EU countries and you might be arrested upon crossing any EU border.
I have no business assets connected to any EU countries, and I don't have any desire to cross any EU borders. So I will continue to enjoy life in my home country and ignore your provincial laws.
So why are you so nervous? Just ban all those 500 million "provincial" users and feel free to ignore GDPR. It's nothing new that countries extend protection for their citizens and business entities well beyond their borders, for example, the US routinely extradites foreign citizens that have nothing to do with the USA for DMCA violations, hacking and whatnot.
> What makes you imagine your government has any jurisdiction over me?
It doesn't. But once you enter Europe expect to be in trouble (if there is anything going on against you). Also forget about doing business in Europe (with EU citizens).
So if you don't care about these, then you don't have to care about this law.
Right, hypothetically if I were to physically enter the EU I could expect trouble, and that's the EU's right. But in the meanwhile, if EU citizens wanted to do business with me, that's not my problem.
That is actually not correct, consent is one of several options (and usually not the best option because there are strict requirements for a valid consent).
If you're running a Chinese site aimed at Chinese you're good.
If you're running an Indonesian site aimed at Germans you need to honour the GDPR.