Hacker News new | ask | show | jobs
by downandout 2955 days ago
The guidance we have received is that if your business is not located in the EU, not targeting EU countries, you don't have parts of your site translated to languages spoken in EU countries, and do not have an EU-based domain name extension, your EU traffic is considered incidental and GDPR probably does not apply to you. But, as with everything in the GDPR, that is extremely murky. This law is subject to unique interpretations and degrees of enforcement in the courts and regulatory offices of 28 distinct countries. This is why we simply chose to block EU traffic - there's no need for us to take on the liability of EU traffic, and hope that some country over there doesn't need fines from us badly enough to decide that article 484208408 makes us subject to it.

With regard to enforceability outside the EU, that is anyone's guess. If you're in the US, there are already mechanisms that allow for the domestication of EU judgments in the US. Once domesticated, the judgment would have the same force and effect as if it had been issued by a US judge. However, the treaties that allow this are very complex, and allow for a large number of exceptions. So it would be up to a US judge in each specific case to decide whether or not a judgment for a fine issued under the GDPR can be domesticated. There are currently no treaties specifically relating to GDPR in the US, and I'd imagine there would be (very welcome) strong opposition to such a thing.
1 comments
briandear 2955 days ago
Language is a horrible benchmark.

French in Canada, English and Spanish in the US, German among German expats (of which there are millions.)

Targeting a business for extortion because of the languages offered? Ridiculous. GDPR should only apply to businesses with a physical nexus in Europe, anything else is an attempt to assert extraterritorial jurisdiction.

Europeans don’t have to visit US/Canadian/Chinese websites. If they want to “protect” themselves, they simply stop using services they find objectionable. GDPR is nonsense — individuals should be allowed to do what they feel is right for them.

Why not ban all junk food from Europe? Tobacco? Alcohol? Those harm people far more than targeted advertising. If we actually “cared,” we’d be banning those industries.

GDPR is nothing more than a trade barrier.

link
downandout 2955 days ago
If you have a site in an EU language that is spoken in other countries as well (Spanish etc) but your site doesn't have an EU domain extension and your content and services are generally not targeted at EU residents, then GDPR likely does not apply. Language isn't the only test. If you have a site in German that is reporting German news though, you're likely going to have GDPR apply to you even if you have a .com extension and are not in the EU.

Unfortunately, I must use words such as "likely" here because there is a large amount of ambiguity in these tests, along with a major conflict of interest - it will essentially be up to the would-be beneficiaries of these fines to determine whether or not you are subject to them. The EU HN crowd seems to believe that their various governments will only fine "bad" companies "reasonable" amounts under this law, and that it will not be abused to extract government revenue from foreign companies and/or hobble foreign competitors of companies in their countries. I certainly hope they are correct, but this would be the first time in the history of the world that such a broadly worded statute was not abused. The only safeguard we have is that the world is watching. If/when the EU gets too out of control in their abuse of GDPR, hopefully countries like the US will implement legislation that makes it impossible to enforce GDPR fines within their borders.

Pakistan was once considering issuing an arrest warrant for Mark Zuckerberg because someone created a Facebook contest that offended some Pakistanis [1] [2]. The case would have carried a sentence of death by stoning. Even if charges had been filed, it is doubtful that the US would have extradited him to be stoned to death under the laws of another country. While GDPR fines are civil in nature, this case underscores the importance of not necessarily allowing the enforcement of other countries' laws in your own. If GDPR enforcement becomes abusive, one would hope that similar protections would apply in our home countries.

[1] http://www.adweek.com/digital/could-mark-zuckerberg-face-a-p...

[2] https://tribune.com.pk/story/342031/blasphemy-arrest-mark-zu...

link
_o_ 2955 days ago
Don't worry, I am sure it wont be abused. The whole fearfull effect was created by adtech companies trying to create public outrage and paranoia to pretect their money source. Be sure that there are going to be some nasty penalties for greatest violaters (like online dating sites) I have noticed a lot of them is packaging GDPR into terms and conditions and privacy policy changes and those will have to get a fine, but I am sure warning will come first. But as one of ICO said (UK?), "We will always try to use carrot instead of stick, but some companies are carnivores, they don't eat carrots."

Also I am sure, half of world will have similar laws in next few years. Private data invasion just went to far, this has to be stopped.

link
downandout 2955 days ago
Don't worry, I am sure it wont be abused.

It would be the first time in history that such a law has not been abused. The fear is real and fully warranted.

I am sure warning will come first

There is no mandate written into the GDPR requiring warnings before fines, nor is there anything preventing multimillion-dollar fines for first-time, minor violations.

link
zaarn 2954 days ago
It's not a law it's a regulation and EU regulation is largely intended to be more of a carrot before the unpack the stick.

See the Smartphone Charger regulation. It requires all smartphones vendors to come up with a standard for charging, everyone picked microUSB (though moving to USB C now). The EU is fine with that and the smartphone vendors know that if they start pulling the "everyone has their own port" shit again that the EU will get out the stick.

Nobody wants the stick. The EU not and the Vendors not. The carrot was the EU Cookie law, which was largely ignored and the consent dialogs poorly implemented (not even asking for consent the majority of the time). So this is them getting out the stick. Now you can pick which one you want.

>There is no mandate written into the GDPR requiring warnings before fines, nor is there anything preventing multimillion-dollar fines for first-time, minor violations.

Art. 83 of the GDPR details this. Art. 78 details what rights you have against them imposing a fine.

link
downandout 2954 days ago
Now you can pick which one you want.

I don’t have to pick either. My company is not subject to the GDPR, and we will never put ourselves in a position to be subject to it. I will not be dictated to or threatened by a foreign government.

Art. 83 of the GDPR details this. Art. 78 details what rights you have against them imposing a fine.

People keep saying things like this, and yet neither article a) requires that a warning be issued before they seek a fine or b) limits fines in any way, except for a top cap of $10 million/$20 million (or percentages of revenue, but the caps are more than 100% of the revenue of most companies).

I would love for someone to just say “yes, technically there are no required warnings or limits other than the $10/$20 million”. Because that’s the only true statement that there is about GDPR fines.

link
SmellyGeekBoy 2954 days ago
> The fear is real and fully warranted.

Much like the cookie law or CAN-SPAM?

link
fnord123 2955 days ago
>GDPR should only apply to businesses with a physical nexus in Europe, anything else is an attempt to assert extraterritorial jurisdiction.

It covers the personal data of EU citizens. Similar laws exist going the other way. Betfair can't (or couldn't) give accounts to US citizens. IIRC, various poker sites had to close US citizens' accounts. The US even arrested a CEO of a UK company who was only changing planes on his way home to Costa Rica: https://en.wikipedia.org/wiki/David_Carruthers#Arrest_during...

>anything else is an attempt to assert extraterritorial jurisdiction.

Good. The EU should grasp the nettle and fulfil it's role as the leading global hegemony.

link
downandout 2955 days ago
It covers the personal data of EU citizens

You're both correct and incorrect. It covers the personal data of EU citizens. However, not all sites are actually subject to the GDPR at all. EU traffic to these sites is considered incidental and no GDPR protections apply, even to EU residents, on those sites that are outside of GDPR jurisdiction. There are legal tests build into the GDPR (which I detailed in my original comment above) that determine this.

link
kalleboo 2954 days ago
Targeted advertising is not being banned, just regulated. Tobacco and Alcohol are already highly regulated. Junk food is being increasingly regulated https://en.wikipedia.org/wiki/Sugary_drink_tax#Countries
link