by ysv2 3064 days ago
A lot of the GDPR's provisions are admirable, and fundamentally good for citizens. I'd like (some) similar rules in my country.

I just wish they'd drop the absurd pretense that the EU is somehow capable of imposing their provincial laws on foreign companies with no physical presence in the EU.

I think it makes sense when your activities infringe on the rights of citizens inside their borders.

It's not like the EU is saying "These activities must be abolished from the planet!"; the EU is saying "You can't do these things to our citizens without their explicit consent, and we will punish you if you do, regardless of where you host your website."

Indeed. The idea that a country would zealously protect its citizens' rights is practically unheard of these days, but that's what's starting to happen. GDPR is a great example, another one was Canada pushing a Right To Be Forgotten ruling worldwide as well.

It's a statement that someone's private data and intellectual property is theirs. You aren't free to steal it just because you're in another country. Google and Facebook have no divine right to people's personal data, and I am thrilled to see countries protecting their people.

>It's a statement that someone's private data and intellectual property is theirs

Private data is data you don't share. Under some very limited circumstances, you might entrust private data to a third party for safekeeping, i.e. Dropbox, Google Photos, iCloud Drive, and it's important that they not leak or abuse it.

But that's only a tiny portion of what the GDPR is about. It concerns records of your interactions with others. It's a statement that one side of an interaction is entitled to force the other side to delete their memory of that interaction, or to dictate the situations under which they are permitted to remember it.

You are anthropomorphizing companies here, and I think it's a pretty poor analogy. Corporations do not have a memory, they have records, and those records comprise the personal data of everyone who encounters them; data those companies don't own. You seem to be characterizing GDPR as unfair towards the corporate end of the interaction, but that ignores the massive power differential that currently exists.

Corporations have incredible power compared to the individual, and before GDPR, it was commonplace for services to require unreasonable privacy violations, and consumers had to either accept it, or be cut off. (In many cases, the companies doing this have monopolies, making this even more problematic.)

Realistically, this is not going to impact small companies a lot. This is about big ad and tech companies, and giving citizens some minor semblance of tools to resist them.

>data those companies don't own

I don't know if it's possible to have a productive discussion about what seems to be a question of fundamental philosophy and values, but that's ridiculous on its face.

If I'm a shop owner and a customer buys something from me, the cash register prints two receipts: one the customer owns, one I own. If a customer writes me an email, I own my copy of that email. If a customer comes in and makes a scene, and I ban him from my store's premises, the paper I generate telling my staff to call the police if they see him is mine.

If I follow him around and write down everywhere he goes... at some point a line gets crossed, sure. If I start asking other shopkeepers if they've seen him or what he purchased, yeah, something's wrong. But to claim that my records of the interactions he knowingly, willingly had with me are his property just sounds bizarre.

>Realistically, this is not going to impact small companies a lot. This is about big ad and tech companies, and giving citizens some minor semblance of tools to resist them.

The GDPR does not discriminate by the size of the operation. It's large companies which can reliably afford the consultant, lawyer, and engineering time to understand and adapt to new regulation. The violators are going to be those without security and compliance departments.

Receipts and (most likely) emails will not be affected. The former since it has to be kept around for tax purposes and the latter since they fall under freedom of expression; both are exempted from the GDPR.

The paper you printed to ban someone from your store falls under Art1, §1, Section f of the GDPR; your interest in keeping that person out of the store outweighs their interest in keeping their details private.

To which the entirely reasonable response from anyone without a legal nexus in the EU (or physical products to ship) is "we don't care and you have no legal right or ability to enforce that". And the entirely reasonable response from anyone thinking of creating a legal nexus in the EU without an extremely business-critical reason is "let's stay in our own country where it's safer and we only have one jurisdiction to care about".

For the record, when I build services, I personally don't intend to ever keep any records that aren't absolutely necessary to provide the service. That's a personal decision, a voluntary one, and also one that can be marketed to certain customers, though that isn't the reason. I also believe that if you send data to a website then it becomes subject to whatever terms they want to apply to it, and if you don't like how they use your data then don't send it to them, and block them.

That'll get you an interesting interaction with your bank, which does want to have a branch in the EU, so they'll simply comply and freeze your accounts if the EU requests it.

The US has forced its laws on other countries in this way for decades, always to protect profits, it's great that now another actor enforces its laws the same way, for the public.

And the "reasonable" response to this is to act like China: block those services. China showed it is possible so now the "lol it is Internet you can't stop people accessing things, VPN, crypto blablabla" spiel is proven to do jack-shit for services which need a lot of people and their data.

If I'm a US company, with a non-GDPR compliant website, and a visitor from the EU visits my site, under what jurisdiction does the EU have to reprimand me? Or will my site just be blocked in the EU?

It's unlikely foreign sites catered to foreign viewers would be impacted. When I buy something from a site that only sells in another country's currency, I know I'm probably going outside my own nation's protections a bit.

But if you're a company specifically soliciting EU customers, and especially if you have a presence in the EU physically, expect to have issues if you're collecting data on them without consent.

Bear in mind, the US will extradite people for committing crimes against US entities who live fully within other countries. Presumably if the act is bad enough... that sort of thing starts to play in. (Seriously, if the EU tried to extradite Sundar Pichai... that'd be something, wouldn't it?) The crime has to be befitting such effort though. One EU citizen's data swept up in your Google Analytics data does not make you worthy of a legal case. Do it several million times... maybe.

tl;dr: If you're an average company not operating in or marketing to the EU, this doesn't affect you. If you're the size it's likely to be an issue for you, you're likely big enough to handle the additional requirements and do fine.

Extradition typically only applies to things which are crimes in both jurisdictions. Since these things aren't crimes in the US, extradition is very unlikely.

> the EU is saying "You can't do these things to our citizens without their explicit consent, and we will punish you if you do, regardless of where you host your website."

The EU has neither the right nor the ability to deliver on that threat. I will continue to ignore the GDPR, as I ignore the ridiculous cookie laws, without worrying about European police raiding my home at night.

Looking at the EU's antitrust fine for Google - https://www.google.ch/amp/s/www.bloomberg.com/amp/news/artic... it's clear it does have the ability. The message is "you want to profit from EU citizens? You follow the rules"

No, you're confused. Google has a physical presence and business partners in Europe; I do not. (Profiting from EU citizens is beside the point.)

Yeah, but what would you do if the EU decides that you cannot sell your product in the EU?

I would continue to do nothing special to support the EU's provincial laws. If EU citizens want to send me money, fine. If the EU decides to block its citizens from doing so, that's also fine.

But I will take no actions on my end to implement EU laws, and it's laughable that some people in this thread imagine the EU has the power to coerce me to do so.

Against small companies with almost no footprint in EU maybe. But against huge multinational corporations that want access to the 500m+ people market they sure can.

Exactly, that's the distinction.

What is your website? And which bank do you happen to use for your company and personally?

Enforcing laws internationally is easy, considering that there are systems designed to allow the police of one country to freeze the assets of a citizen of another country.

You might just wake up one morning with your bank accounts frozen and your credit cards revoked if you violate the GDPR.

Governments have previously seized entire airplanes to pay for a single $500 fee that an airline refused to pay, don't expect it won't happen to you.

> You might just wake up one morning with your bank accounts frozen and your credit cards revoked if you violate the GDPR.

Please, spare me. I'm no more worried about EU laws than I am about China seizing my accounts for mentioning Tiananmen Square. You overestimate the EU's reach.

How would they punish though?

> I just wish they'd drop the absurd pretense that the EU is somehow capable of imposing their provincial laws on foreign companies with no physical presence in the EU.

They aren't capable of doing that, if those companies do not do business within the EU. As soon as those companies have the power to negatively impact EU citizens, however, the EU has the power to protect those citizens.