[Sir_Substance]

>there are provisions within the GDPR for it not to apply in those cases where you are not intentionally obtaining data from EU citizens.

I read the entire document a few weeks back and recall no such provisions. Could you cite one for me? I'm trying to be as informed on this as possible.

Article 3, "Territorial scope", lays out where GDPR applies, and it contains no derogations for "but I didn't know they were european, honest". It is not, in fact, specifically about european citizens. It covers the processing of data for "natural persons in the Union", which is a bit unclear to me but I interpret it as covering anyone physically located in a country that forms a Supervisory Authority under section 51.

How this will ultimately interact with your websites and/or businesses if you are not based in the EU is unclear at this time.

[downandout]

It's a massive document so I'm not going to go through and find it, but here's an interpretation of what I'm talking about [1]:

"The reach of GDPR is broad but is not unlimited. The mere fact that a U.S.-based website can be accessed in the EEA isn’t enough. If the company does not have a physical presence in the EEA, it must be determined whether that company engages in more than incidental contact with EEA residents."

So if someone is going out of their way to mask the fact that they are from the EU, and you aren't otherwise seeking out EU users, you're not going to get in trouble for that. One issue I have with it though is that translation may trigger GDPR exposure, and since Spain is part of the EU, many sites aimed at Spanish speakers (but not aimed at the EU) may have this beast of a law apply to them. I operate a few sites that have Spanish content, so that is deeply troubling.

[1] https://www.gtlaw.com/en/insights/2018/2/the-gdpr-deadline-l...

[jpetso]

Given that there is an entire continent whose people speak mostly Spanish (and with the remaining Portuguese speakers vastly outnumbering the ones in Portugal, too), I don't believe that providing a service in Spanish will go far as evidence that you're targeting EU citizens specifically.

[Sir_Substance]

response to: https://news.ycombinator.com/item?id=16870636

This thread is now too deep for me to respond to your comment.

"The reach of GDPR is broad but is not unlimited. The mere fact that a U.S.-based website can be accessed in the EEA isn’t enough. If the company does not have a physical presence in the EEA, it must be determined whether that company engages in more than incidental contact with EEA residents."

This statement seems to have misinterpreted article 27, which states that if your processing is merely occasional, or if you are occasionally a processor for an EU controller, you need not specify a designated representative to the EU.

Read more here: https://gdpr-info.eu/?s=occasional

But the exception you think exists pretty much doesn't. It's got a small exception for occasional sharing of data without consent when it relates to active legal proceedings.

Naturally the EU has no jurisdiction over you if you don't live in the EU and you aren't based in the EU. They may be able to apply pressure on your partners though, be that advertising companies or others. This may flow through to you, in time. We're already seeing Facebook come under pressure to provide US citizens with the same protections that the GDPR provides EU residents.

[downandout]

The experts that I talked to in this space in deciding to close my sites to EU IPs have all said that the GDPR probably doesn't apply to incidental traffic - especially if someone is actively trying to hide the fact that they are in a GDPR area. But nobody can guarantee a single thing, because it's so broadly written and is up for unique interpretations in each of dozens of foreign countries. It meets the very definition of a bad law - too broad and will cause decreased economic opportunity for those that are subjected to it.

FYI you can reply to other posts when the thread is this deep by clicking on the "X minutes ago" thing on the comment your want to reply to.

[Sir_Substance]

Ah, neat.

Experts say a lot of things on GDPR, one of the really interesting things about reading it myself is that I've found a lot of them seem to be wrong. I've heard a few people talking about a "social media exception" that doesn't seem to exist, for example.

It's possible that there have been preliminary rulings on GDPR that I'm not aware of, because I'm not a lawyer. So I'm not by any means declaring that your experts are definitely wrong, but I am nigh on certain that their source of information for making such statements is not the GDPR text itself.

I disagree that GDPR is an overly broad law by the way. The GDPR text is actually fairly specific. It encompasses a large domain, but it clearly defines that domain (Article 9 is an example of a large but specific definition, although it is only one of multiple such articles) and tells you clearly what you need to do within that domain to be compliant.

People just /think/ it's overly broad because it impacts a lot of tech companies and none of them have actually read the text. The human brain interprets this as "inspecific", whereas it's actually carefully targeted at a handful of specific things that lots of tech companies are doing (or not doing).

[tzs]

> This thread is now too deep for me to respond to your comment.

It probably wasn't depth that blocked you. It was probably time. There is a short interval after a comment is posted during which the reply link is not available in the thread. (You can still reply without waiting, but you have to figure out how to get a reply button instead of a reply link. The reply button doesn't have the delay).

> This statement seems to have misinterpreted article 27

I believe that statement is summarizing recital 23, not attempting to interpret article 27.