by downandout 2977 days ago
Just to clarify your point: it applies to users physically located in the EU. Fines assessed under it apply to businesses that serve them anywhere in the world, which is what makes it so damned scary. The EU government has essentially declared itself the Emperor of the Internet.

Transactions with EU users should be expected to comply with EU law. What’s unusual about that?
Money doesn't have to change hands to create a GDPR obligation. And if you mean "HTTP transactions," it's a fundamental shift in the nature of the internet to block countries by default and enable them only after studying and complying with local regulations. Maybe it's an inevitable or even healthy shift, but it's certainly not a "usual" dynamic today.
It's certainly not a recent development to require compliance with law even for products or services that are free.

Transactions do not have to involve money and in fact, the very topic of this entry on HN is about a website that was free, with transactions that did not involve money.

>It's certainly not a recent development

Really? If it's a currently established practice, what are some prior examples of countries punishing foreigners on foreign soil over websites with no payments component?

Maybe each jurisdiction should be in the business of regulating locally-accessible websites, not just locally-hosted ones, but that's a fundamental shift in the nature of the internet. "Not available in your country" is currently an anachronism. In that world, a prudent web publisher would start out local and enable specific countries for cross-border traffic only as its legal team expands. Internet communities like this one would splinter as people get tired of clicking links they can't follow.

The countries currently regulating available web content do so with network blocks, not extraterritorial enforcement actions against publishers.

The end of the sentence was "not a recent development to require compliance with law even for products or services that are free".

Free doesn't mean you are exempt from complying with law, that is all I'm saying. I did not comment on how this one applies to EU citizens even for foreign services.

In this regard though, it is similar to US law requiring foreign banks to go through special steps when they are dealing with US citizens so that's not anything new either. Money being involved or not in my opinion is not really significant (I actually think that private data is more important and needs more protection than money) but that was not the point of my comment.

>Free doesn't mean you are exempt from complying with law

It doesn't, but free on the internet has so far meant you're only on the hook for your own jurisdiction's laws.

I was just clarifying that the Internet’s new Dear Leader will be trying to reach outside its borders to enforce this law. It doesn’t just apply to companies in the EU.
If you provide services to users in the EU, then you’re “in the EU” and should be expected to meet any regulations. Not complex.
>If you provide services to users in the EU

All websites provide services to users in all countries unless they take positive steps not to. Framing this as a conditional, or a counterpoint to parent's claim about enforcement outside EU borders, is bizarre.

Which is why many of us will be blocking EU users.
Absolutely baffling. Unless you’re doing something malicious, compliance is minimal. So I guess that’s good for users?
People that say this have not actually read the law, talked to “experts” about how to comply, or attempted to comply themselves. I have, and you’re just flat wrong.
One thing is completely curious to me. All around the thread there are some people saying that they will block EU users.

I wonder how people from other parts of the world are understanding this and how do they look to the site like that? I mean, this legislation that is designed to protect people and their data is making them such a problem to rather block roughly 500 million people. I personally would have a huge trust issue, but this is not about me, what do non EU, who don't run any site (conflict of interest) guys think?

I would for instance rather put a huge mark on all pages "GDPR compliant, protecting data even for non EU visitors" or something like that and try to get some money out of that. But that is just me.

@matthewmacleod GDPR in spirit is good for users as it tries to ensure that companies are following good practices wrt user data and users have control over data. But implementing it completely is not easy for small projects and startups.
I completely disagree. Implementing GDPR compliance should be straightforward for most startups and small businesses. Much easier, in my experience, than doing so at a large company.
As a small business owner, I disagree - I was essentially compliant already, with the policy changes required taking an evening to implement. (OK, there was some time spent reading before then, but still).
How would they have the jurisdiction to fine a one man company established say in Panama?

What about companies like Alibaba?