This has nothing to do with over-engineered infrastructure.
As soon as your side project processes and / or stores user data GDPR applies to you.
Good luck with providing the requisite documentation and data processing agreements if authorities ask for them and you didn’t prepare those in time.
That's not correct. As soon as you want to do business with someone currently located in the EU (doesn't even have to be an EU citizen), GDPR applies, no matter where your company is located.
The EU can write any law it wants. It cannot enforce it on anyone who does not have a nexus to the EU.
Any hobby that gets to a point of making money in the EU gets a nexus. Everything else is FUD. Facebook, Google, Apple, etc. all have a nexus, which is why it is applicable to them. JoeSchmoeLLC from Delaware does not.
> The same applies to completely ignoring GDPR, whether it's enforceable or not.
It is as laughable as it gets. Let me guess:
1. You never cross a street not on a crosswalk
2. You never drive above the speed limit
3. You never sign up for the same website twice if their TOS say "you shall have only one account"?
...
And so many other silly statements.
Laws are only useful if they can be enforced. This law cannot be enforced against any entity not in jurisdiction.
I have quite enough to do to comply with my own country's laws, thank you very much. Where would this end? Would I eventually need to know the laws of every nation so that I can do what you feel is ethical? Or do I just follow other countries' laws if they make headlines or get talked about a lot? I'll be following the IDGAF process on this one.
If you don't want to do business with someone from another country you certainly don't have to comply with other countries' laws. If on the other hand you do sell a product or service to businesses or people abroad you have to comply with the relevant laws of their respective home countries.
That's not a new or GDPR-specific situation but rather has been the case since pretty much the beginning of international trade.
Simpler: I put my dumb thing on the web. I do not care who you are. I do not care where you are. I don't waste my energy giving it another thought.
"I got a letter from your government the other day. I opened and read it. It said they were suckers..." On a serious note though, regulation is already onerous to small (and very small) business. The last thing a rational entrepreneur would do is tie themselves up with more of it voluntarily. Unless you can present a reason to do so that is not sanctimonious.