Hacker News new | ask | show | jobs
by mcny 2999 days ago
> EU residents, not citizens. It's an important distinction.

Sorry if this is obvious. I haven't been following the details of this.

Does that mean there is no protection for EU citizens while they are outside the EU?
2 comments
tzs 2999 days ago
Roughly:

  def GDPR_applies(company, person):
    if in_EU(person):
      return True
    if in_EU(company):
      return True
    return False
There are various conditions, limitations, and exceptions that make the above not fully accurate, but its a good first approximation.

You can read the actual text of the territorial scope rule here [1].

Edit: slightly less rough, but still quite rough:

  def GDPR_applies(company, person):

    if in_EU(company):
      return True;

    if in_EU(person):
      if offering_goods_services_in_EU(company, person):
        return True

      if monitoring_behavior_in_EU(company, person):
        return True

    return False
[1] https://gdpr-info.eu/art-3-gdpr/
link
amelius 2999 days ago
Ok, what if a EU resident goes on a holiday in the US? Will all their data now be open to malicious treatment for the duration of the trip? Or only the data they enter/view during the trip?
link
chc 2998 days ago
You're still a resident of your home country while you're on vacation, so failing to cover any of that data would appear to be a breach of GDPR.
link
sirclueless 2998 days ago
Dealing with companies outside the EU is only covered while you are currently inside the EU, regardless of where you reside.
link
weinzierl 2999 days ago
This is a good answer. The question has been raised and answered (by tzs and others) on HN so often recently. It‘s interesting to watch how the answers get streamlined to the essential information over time.
link
chimeracoder 2999 days ago
That psuedocode is inaccurate - if a company (including its parent's subsidiaries) is not in the EU and does not provide services to companies which operate in the EU, then the GDPR has no inherent jurisdiction.
link
weinzierl 2999 days ago
From my understanding it is correct. It applies to companies outside the EU if they collect data about people inside the EU. If this is enforceable is another question.

> This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.

link
quantumwoke 2999 days ago
I think this is a bit of an oversimplification. How do Facebook's EU subsidiaries fit into this? Can Facebook US simply divest themselves of responsibility in this case?
link
weinzierl 2999 days ago
in_EU(company) means the company is involved in

“offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.”

So Facebook US cannot divest itself as long as it serves customers in the EU or exchanges data about data subjects in the EU with its EU subsidiary.

link
modernerd 2999 days ago
GDPR applies if:

- The data is processed by a company established in the EU (it does not matter where the person / “data subject” is).

- The person is in the EU (whether or not they are an EU national).

“Data subjects” are not protected outside the EU against companies established outside the EU.

From https://cybercounsel.co.uk/data-subjects/ under “Territorial expansion and applicability of EU law”.

link