by akerl_ 3013 days ago
How would EU law compel a non-EU entity to delete content based on the residency of the user?

As an example of the opposite state, where this does definitely apply: Tarsnap complies with Canadian law around collecting names/addresses for users who are located in Canada, because Tarsnap is operated as a Canadian business. But if Tarsnap were located in the US, it would not be responsible for collecting that information from Canadian users.

2 comments

> How would EU law compel a non-EU entity

Because US and EU have signed agreements to that effect. It's the price US must pay for EU to allow American internet companies to serve EU customers.

It obviously applies to any company with direct business operations in any one of the 28 member states of the EU. But financial transaction is not necessary for the extended scope of the law to kick in. Collecting personal data from EU citizens is enough.

Which agreement between the US and EU mandates this?

EU-U.S. and Swiss-U.S. Privacy Shield Framework.

It came into effect in 2016 and replaced the Safe Harbor agreement.

"While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law."

From https://www.privacyshield.gov/Program-Overview

U.S. companies have the option to either do legally binding self-certifications or outside compliance reviews.

If they don't do that, they have no authority to collect data from EU Citizens (no user accounts or customers from EU).

> But if Tarsnap were located in the US, it would not be responsible for collecting that information from Canadian users.

Responsibility is not defined by gut-feelings, but by law. So, with a suited law, Tarsnap could also be bound in Canada's jurisdiction even if it were located in the US.

I'm not sure where you derived your comment about gut-feelings from.

Do you have an example of precedent for one country's laws being enforced on a company with no business presence in that country, without there being a law or treaty in a country the business does operate in that mandates compliance with the foreign law?

I don't think anyone would dispute that if the US were to make a law requiring US companies to comply with the GDPR for EU users, that law would apply to US companies. My point is that absent some measure by the US government, EU laws are not applicable to companies without business presence in the EU.

> My point is that absent some measure by the US government, EU laws are not applicable to companies without business presence in the EU

They are applicable if they say they are applicable. Effective enforceability is optional to applicability.

The case is pretty simple in my eyes.

We have separate, sovereign jurisdictions and governments. They can do about anything they want, if they have the means to do so and aren't bound by some treaty or law. For example, they can take legal or executive measures against anybody in the world, and it is irrelevant if that person agrees or disagrees. In fact, in the first place, it is also irrelevant what position the sovereign of that entity takes.

Now, can each sovereign entity enforce what they have decided? Well, that depends on many factors, but is optional to their decision.

The sovereign we are dealing with here is the EU. They can, within the bounds of their law and international treaties, judge and take measures against entities not residing under their jurisdiction. Who's stopping them?

See for example the sanctions on Russian officials currently imposed by the EU.

The EU has many tools to enforce its decisions.

I don't see what's the difficulty of understanding this situation, besides not agreeing with it.

I'll admit to what feels like a pedantic point: Yes, the EU can make a law saying it'll be very very angry if a non-EU entity does not do what it wants. But since this post is asking about HN's compliance with the GDPR, it seems practical to scope the conversation to "Can the EU make and enforce a law that affects non-EU entities".

Otherwise, it's fair to say that I can personally draft a document saying HN must give me $3.50, and sign it into law for the House Of Akerl. But my law is quite uninteresting to HN, given the low odds of any of the YC folks sending me $3.50.

Well, it seems we agree that the EU can make a law theoretically-legally affecting non-EU entities.

Can that law be enforced? That depends on whether YC has a representation in the EU, or people from YC plan to visit the EU in the future, or many other things. Maybe the EU gets creative to find other ways of enforceability. I don't intend to give a full assessment of the ways of enforcement.

Either way, it is not a nice thing to have a big jurisdiction going after you.

One can avoid the GDPR by not handling data from or about European citizens or people in the EU, and having no presence there, and actively filtering out affected people.

Or one can implement the GDPR.