by tzs 2998 days ago
Roughly:

  def GDPR_applies(company, person):
    if in_EU(person):
      return True
    if in_EU(company):
      return True
    return False
There are various conditions, limitations, and exceptions that make the above not fully accurate, but it's a good first approximation.

You can read the actual text of the territorial scope rule here [1].

Edit: slightly less rough, but still quite rough:

  def GDPR_applies(company, person):
    # A controller/processor established in the EU is always covered.
    if in_EU(company):
      return True

    # A non-EU company is covered only for data subjects who are in the EU,
    # and only via the two Article 3(2) triggers below.
    if in_EU(person):
      if offering_goods_services_in_EU(company, person):
        return True

      if monitoring_behavior_in_EU(company, person):
        return True

    return False
[1] https://gdpr-info.eu/art-3-gdpr/

Ok, what if an EU resident goes on a holiday in the US? Will all their data now be open to malicious treatment for the duration of the trip? Or only the data they enter/view during the trip?
You're still a resident of your home country while you're on vacation, so failing to cover any of that data would appear to be a breach of GDPR.
Dealing with companies outside the EU is only covered while you are currently inside the EU, regardless of where you reside.
This is a good answer. The question has been raised and answered (by tzs and others) on HN so often recently. It's interesting to watch how the answers get streamlined to the essential information over time.
That pseudocode is inaccurate - if a company (including its parent's subsidiaries) is not in the EU and does not provide services to companies which operate in the EU, then the GDPR has no inherent jurisdiction.
From my understanding it is correct. It applies to companies outside the EU if they collect data about people inside the EU. Whether this is enforceable is another question.

> This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.

I think this is a bit of an oversimplification. How do Facebook's EU subsidiaries fit into this? Can Facebook US simply divest themselves of responsibility in this case?
in_EU(company) means the company is involved in

“offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.”

So Facebook US cannot divest itself as long as it serves customers in the EU or exchanges data about data subjects in the EU with its EU subsidiary.