[joshuamorton]

None of what I said is nonsense. The EU absolutely could enforce GDPR regulations on businesses which are not based in the EU, if persons involved in those businesses attempted to travel to the EU. That's not FUD, that's why Edward Snowden isn't going to hop on a plane back to the US anytime soon.

Your argument about "pursue" falls under the umbrella of

>Now whether or not the EU will attempt to enforce the GDPR that strongly is another question.

Pursue isn't currently a fully defined term. Is pursuing specifically advertising and marketing towards? Or is it simply allowing to register? If I use paypal as a payment service, that allows EU citizens to pay, am I pursuing them since they can now purchase my service?

Fwiw, I agree that its unlikely that HN is violating the GDPR, and its even more unlikely that HN will be chased for any violations it did commit. But calling others' more cautious interpretation of the law "nonsense" isn't particularly productive, especially when I wasn't even commenting on the GDPR in the first place, but instead on broader ways that international law works.

[dnomad]

All of this is spelled out in the law.

> Pursue isn't currently a fully defined term.

This is pure FUD. This is fully defined that's what makes it a binding legislative act.

Let's go to the actual law:

Article 3: Territorial Scope [1] spells out the explicit territorial scope.

> the monitoring of their behaviour as far as their behaviour takes place within the Union.

Oh, sounds scary. The latter part is clarified [2]:

> Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

There's a ton of nonsense about this on HN right now but anybody who's actually read the law should understand that the intention of the law is to prevent non-consensual surveillance of EU citizens. The idea that if somebody who stumbles upon your website and you log their IP address makes you subject is pure FUD. The idea that the EU will pursue American sites who don't target the EU is pure FUD. But the biggest FUD of all is this notion that the EU even has some sort of legal enforcement mechanisms independent of a Member State. As they say, that's not how any of this works. There are no "EU cops" waiting at the airport. Please.

[1] https://gdpr-info.eu/art-3-gdpr/

[2] https://www.gdpreu.org/the-regulation/who-must-comply/

[phnk]

> ... the biggest FUD of all is this notion that the EU even has some sort of legal enforcement mechanisms independent of a Member State.

In that case, I'm not sure how to interpret Microsoft v. Commission (triggered by EC, ruled by ECJ), or how to make sense of the fact that the EU, IIRC, has its own (non-state) representative at the WTO, which in turn has its own (state-independent) dispute resolution system, with capacity to inflict trade sanctions.

The 'cops' analogy might be very misleading here, right?

[joshuamorton]

>Oh, sounds scary. The latter part is clarified [2]:

And according to that clarification, having paypal as a payment processor might make it apparent that the controller envisages offering goods or services to data subjects in the union. That's what I said. Or it might not. Its not fully defined. A cautious interpretation makes sense.

>There are no "EU cops" waiting at the airport. Please.

And to be clear, I never said there were. I was making the point that, contrary to g-g-great-grandparent, it is absolutely possible for a country to exert control over the actions of people outside its borders, assuming those people might have interest in international travel.

If you're going to keep yelling FUD about things, you should first confine yourself to calling out things people are actually saying, instead of creating ridiculous strawpeople. Its not productive to call people out for saying ridiculous things that they didn't actually say.

[dnomad]

> And according to that clarification, having paypal as a payment processor might make it apparent that the controller envisages offering goods or services to data subjects in the union. That's what I said. Or it might not. Its not fully defined

This is not true. Using a payment processor or accepting credit cards in no way constitutes targeting of EU customers. In that scenario you are neither data controller nor processor, in fact. I think, like a lot of posters in this thread, you've spent virtually zero time understanding the law and are just echoing FUD.

[joshuamorton]

And it's very courageous of you that you're willing to risk other people's money to that effect :)

It's quite odd that you're calling a statement that amounts to "in the presence of untested law, caution is warranted" FUD.

That's like not even controversial. You're entire argument is predicated on you understanding the law better than everyone else. And well, I'm not particularly confident in a person whose most used word is "FUD" and who began a conversation by misunderstanding what I was saying. What reason do I have believe you?