What matters is whether or not you target users in the EU. If people in the EU use your services in spite of you taking no action to target them, then GDPR doesn't apply.
HN probably would not be considered to be targeting EU users because it is an English-only forum based in the US that does no marketing towards EU users. If they added a German-language forum, then they would probably need to start following GDPR because that would be interpreted as targeting users in the EU.
This is based on CJEU's interpretation of previous regulations[1]. Factors that they listed were:
> Use of the language of a Member State (if the language is different than the language of the home state);
> Use of the currency of a Member State (if the currency is different than the currency of the home state);
> Use of a top-level domain name of a Member State;
> Mentions of customers based in a Member State; or
> Targeted advertising to consumers in a Member State.
What GDPR says and what can be enforced are two different things. 20 million dollars are irrelevant if there's no way to extract them. (Hence my musing about YC companies.)
HN probably would not be considered to be targeting EU users because it is an English-only forum based in the US that does no marketing towards EU users. If they added a German-language forum, then they would probably need to start following GDPR because that would be interpreted as targeting users in the EU.
This is based on CJEU's interpretation of previous regulations[1]. Factors that they listed were:
> Use of the language of a Member State (if the language is different than the language of the home state);
> Use of the currency of a Member State (if the currency is different than the currency of the home state);
> Use of a top-level domain name of a Member State;
> Mentions of customers based in a Member State; or
> Targeted advertising to consumers in a Member State.
[1] https://www.wileyrein.com/newsroom-newsletters-item-May_2017...