But if they hold and manage data for users who reside in the EU (which they do), then I believe the rules apply too.
From what I can gather, if a user in the EU approaches HN and asks for their profile data and posts to be removed, then that falls under the GDPR laws.
This depends. Those laws could absolutely be enforced if, for example, Paul Graham tried to travel to Germany.
You may not agree with the ethics of that, but that's how it works in practice. Now whether or not the EU will attempt to enforce the GDPR that strongly is another question.
You might learn that the GDPR only applies to businesses located in the EU or who pursue EU citizens. It does not mean that if you use Google Analytics and an EU citizen stumbles upon your site you are suddenly in violation. It is not some sort of magical global law that applies to every business in the world.
The amount of FUD and ignorance and nonsense about the GDPR is getting out of control. Why not do some research? Or actually read the regulation?
Anyways I see it's a lost cause but I find it remarkable how much BS about this topic exists from a community that prides itself on its technology acumen.
None of what I said is nonsense. The EU absolutely could enforce GDPR regulations on businesses which are not based in the EU, if persons involved in those businesses attempted to travel to the EU. That's not FUD, that's why Edward Snowden isn't going to hop on a plane back to the US anytime soon.
Your argument about "pursue" falls under the umbrella of
>Now whether or not the EU will attempt to enforce the GDPR that strongly is another question.
Pursue isn't currently a fully defined term. Is pursuing specifically advertising and marketing towards? Or is it simply allowing to register? If I use PayPal as a payment service, which allows EU citizens to pay, am I pursuing them since they can now purchase my service?
Fwiw, I agree that it's unlikely that HN is violating the GDPR, and it's even more unlikely that HN will be chased for any violations it did commit. But calling others' more cautious interpretation of the law "nonsense" isn't particularly productive, especially when I wasn't even commenting on the GDPR in the first place, but instead on broader ways that international law works.
This is pure FUD. This is fully defined; that's what makes it a binding legislative act.
Let's go to the actual law:
Article 3: Territorial Scope [1] spells out the explicit territorial scope.
> the monitoring of their behaviour as far as their behaviour takes place within the Union.
Oh, sounds scary. The latter part is clarified [2]:
> Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
There's a ton of nonsense about this on HN right now, but anybody who's actually read the law should understand that the intention of the law is to prevent non-consensual surveillance of EU citizens. The idea that somebody stumbling upon your website and you logging their IP address makes you subject is pure FUD. The idea that the EU will pursue American sites that don't target the EU is pure FUD. But the biggest FUD of all is this notion that the EU even has some sort of legal enforcement mechanisms independent of a Member State. As they say, that's not how any of this works. There are no "EU cops" waiting at the airport. Please.
I was wondering the same. I wonder where this falls if the EU resident is using a VPN. It'd likely still be on the site owner to prove that were the case.
Let's say Iran passed a law saying that it's illegal for anyone anywhere in the world to supply alcohol to a citizen of Iran, and that anyone selling alcohol must verify that their customers are citizens of not-Iran. When they attempt to enforce that against a German beer hall, they'll get laughed out of German court. Selling beer to adults is legal in Germany, no matter where they're from.
Likewise, the EU has no ability to enforce laws against American companies that don't have a physical presence in the EU.
Your analogy would be accurate if it went something like that beer garden in Germany decided to start selling beer online, and began taking international orders, including ones from Iran.
Your physical presence on the web is irrelevant. By putting yourself, or your business online, you are subjecting yourself to whatever regulations exist in the place your user is accessing your product.
As stated elsewhere here - enforceability is another topic.
Is there any reason why HN would be bound by EU laws, if it's not a European organization? What other countries' laws should it be bound by, other than the ones it operates in?
Currently it may not be bound by them. But it could find itself in a situation where it matters - for example when working with / providing service to / getting service from another company in the EU which asks "so, are you GDPR compliant?" Given what HN does, that's not very likely though.
How would one manage to sidestep GDPR responsibilities? If it made sense, could you opt to block EU-based IP addresses? You'd also have to ensure that any past data you have is cleansed of EU-based users, which could be tricky.
The EU government would certainly like that to be the case, but it's not clear why it would be. If the US passed a law that required citizens of other countries to pay a $20/year tax (say, a GPS license fee), would that be enforceable?
I was under the impression that it only affects businesses which do business in the EU, meaning they have an officially registered company within the EU.
If my random little website isn't GDPR compliant, what is their strategy for getting me to pay the restitution if I'm not doing business in the EU? Where do the fines go? How could they force me to pay them? The worst they can do is block access to the website, but I haven't read anything which suggests that is written in the law.
Okay, so now let's say your website is found non-compliant. You're a tiny operation in the US with absolutely no presence in the EU. The EU has absolutely no way to exert power over you.