by Sir_Substance 2983 days ago
response to: https://news.ycombinator.com/item?id=16870636

This thread is now too deep for me to respond to your comment.

"The reach of GDPR is broad but is not unlimited. The mere fact that a U.S.-based website can be accessed in the EEA isn’t enough. If the company does not have a physical presence in the EEA, it must be determined whether that company engages in more than incidental contact with EEA residents."

This statement seems to have misinterpreted article 27, which states that if your processing is merely occasional, or if you are occasionally a processor for an EU controller, you need not specify a designated representative to the EU.

Read more here: https://gdpr-info.eu/?s=occasional

But the exception you think exists pretty much doesn't. It's got a small exception for occasional sharing of data without consent when it relates to active legal proceedings.

Naturally the EU has no jurisdiction over you if you don't live in the EU and you aren't based in the EU. They may be able to apply pressure on your partners though, be that advertising companies or others. This may flow through to you, in time. We're already seeing Facebook come under pressure to provide US citizens with the same protections that the GDPR provides EU residents.

2 comments

The experts that I talked to in this space in deciding to close my sites to EU IPs have all said that the GDPR probably doesn't apply to incidental traffic - especially if someone is actively trying to hide the fact that they are in a GDPR area. But nobody can guarantee a single thing, because it's so broadly written and is up for unique interpretations in each of dozens of foreign countries. It meets the very definition of a bad law - too broad and will cause decreased economic opportunity for those that are subjected to it.

FYI you can reply to other posts when the thread is this deep by clicking on the "X minutes ago" thing on the comment you want to reply to.

Ah, neat.

Experts say a lot of things on GDPR, one of the really interesting things about reading it myself is that I've found a lot of them seem to be wrong. I've heard a few people talking about a "social media exception" that doesn't seem to exist, for example.

It's possible that there have been preliminary rulings on GDPR that I'm not aware of, because I'm not a lawyer. So I'm not by any means declaring that your experts are definitely wrong, but I am nigh on certain that their source of information for making such statements is not the GDPR text itself.

I disagree that GDPR is an overly broad law by the way. The GDPR text is actually fairly specific. It encompasses a large domain, but it clearly defines that domain (Article 9 is an example of a large but specific definition, although it is only one of multiple such articles) and tells you clearly what you need to do within that domain to be compliant.

People just /think/ it's overly broad because it impacts a lot of tech companies and none of them have actually read the text. The human brain interprets this as "inspecific", whereas it's actually carefully targeted at a handful of specific things that lots of tech companies are doing (or not doing).

> This thread is now too deep for me to respond to your comment.

It probably wasn't depth that blocked you. It was probably time. There is a short interval after a comment is posted during which the reply link is not available in the thread. (You can still reply without waiting, but you have to figure out how to get a reply button instead of a reply link. The reply button doesn't have the delay.)

> This statement seems to have misinterpreted article 27

I believe that statement is summarizing recital 23, not attempting to interpret article 27.