by grabeh 2970 days ago
Yes, that's right. Are you implying that our notional Guatemalan banjo seller is monitoring the behaviour of EU-based subjects? I confess I was working on the basis that of the two potential options, Art 3(2)(b) would be inapplicable here, but you may know more than me about their activities!

They're responsible for whatever user monitoring their third-party ecommerce platform does, right? All the ones I've seen process and retain user data. And maybe their web analytics, A/B testing, email newsletter tracking, etc.

If your point is that static brochureware sites that don't target EU members at all and don't do anything interesting on the web probably don't have much to worry about... then I agree, but I don't think that's very insightful.

Your earlier comment said that GDPR required "at least some active targeting of EU users." But a less contrived example, say a US-based SaaS that accepts credit card payments, probably needs to be very worried about GDPR even with absolutely no active targeting of EU users.

Heh, apologies for not being more insightful! I was simply rebutting your point over the GDPR applying once you’ve made a few sales to customers in the EU which is not the case on those facts alone.

Obviously each case should be dealt with on its own facts to assess the application of GDPR. In the example you give, GDPR may well apply. Some companies may be worried, others may see it as an opportunity.

I know lots of US SaaS companies are embracing GDPR rather than being worried about it. Clearly if you are looking to get business from EU customers but want to argue GDPR doesn't apply due to the fact you are not strictly speaking targeting EU users, then that might present an issue for certain potential EU customers (or maybe they could offer a cost discount because they haven't had to go through a GDPR compliance exercise). On that basis lots of companies outside the EU are proactively looking to comply with GDPR.

Arguments over the appropriateness of extra-territoriality applicability are a separate matter of course!

Assuming you actually do something with your users' data -- and virtually every online business does -- then I think it is true that GDPR comes into play as soon as you have a single EU user. How you market the service is no longer relevant.

I wish it were as easy as saying the law doesn't apply if your business doesn't target EU business. Unfortunately I don't actually think it's possible to escape GDPR. Even refusing to serve all EU IP addresses wouldn't be completely effective.

I'm sure lots of companies view this as an opportunity. Especially the big ones with experience with compliance issues, in-house counsel, etc. It's going to be tougher on the small guy.