[briandear]

Language is a horrible benchmark.

French in Canada, English and Spanish in the US, German among German expats (of which there are millions.)

Targeting a business for extortion because of the languages offered? Ridiculous. GDPR should only apply to businesses with a physical nexus in Europe, anything else is an attempt to assert extraterritorial jurisdiction.

Europeans don’t have to visit US/Canadian/Chinese websites. If they want to “protect” themselves, they simply stop using services they find objectionable. GDPR is nonsense — individuals should be allowed to do what they feel is right for them.

Why not ban all junk food from Europe? Tobacco? Alcohol? Those harm people far more than targeted advertising. If we actually “cared,” we’d be banning those industries.

GDPR is nothing more than a trade barrier.

[downandout]

If you have a site in an EU language that is spoken in other countries as well (Spanish etc) but your site doesn't have an EU domain extension and your content and services are generally not targeted at EU residents, then GDPR likely does not apply. Language isn't the only test. If you have a site in German that is reporting German news though, you're likely going to have GDPR apply to you even if you have a .com extension and are not in the EU.

Unfortunately, I must use words such as "likely" here because there is a large amount of ambiguity in these tests, along with a major conflict of interest - it will essentially be up to the would-be beneficiaries of these fines to determine whether or not you are subject to them. The EU HN crowd seems to believe that their various governments will only fine "bad" companies "reasonable" amounts under this law, and that it will not be abused to extract government revenue from foreign companies and/or hobble foreign competitors of companies in their countries. I certainly hope they are correct, but this would be the first time in the history of the world that such a broadly worded statute was not abused. The only safeguard we have is that the world is watching. If/when the EU gets too out of control in their abuse of GDPR, hopefully countries like the US will implement legislation that makes it impossible to enforce GDPR fines within their borders.

Pakistan was once considering issuing an arrest warrant for Mark Zuckerberg because someone created a Facebook contest that offended some Pakistanis [1] [2]. The case would have carried a sentence of death by stoning. Even if charges had been filed, it is doubtful that the US would have extradited him to be stoned to death under the laws of another country. While GDPR fines are civil in nature, this case underscores the importance of not necessarily allowing the enforcement of other countries' laws in your own. If GDPR enforcement becomes abusive, one would hope that similar protections would apply in our home countries.

[1] http://www.adweek.com/digital/could-mark-zuckerberg-face-a-p...

[2] https://tribune.com.pk/story/342031/blasphemy-arrest-mark-zu...

[_o_]

Don't worry, I am sure it wont be abused. The whole fearfull effect was created by adtech companies trying to create public outrage and paranoia to pretect their money source. Be sure that there are going to be some nasty penalties for greatest violaters (like online dating sites) I have noticed a lot of them is packaging GDPR into terms and conditions and privacy policy changes and those will have to get a fine, but I am sure warning will come first. But as one of ICO said (UK?), "We will always try to use carrot instead of stick, but some companies are carnivores, they don't eat carrots."

Also I am sure, half of world will have similar laws in next few years. Private data invasion just went to far, this has to be stopped.

[downandout]

Don't worry, I am sure it wont be abused.

It would be the first time in history that such a law has not been abused. The fear is real and fully warranted.

I am sure warning will come first

There is no mandate written into the GDPR requiring warnings before fines, nor is there anything preventing multimillion-dollar fines for first-time, minor violations.

[zaarn]

It's not a law it's a regulation and EU regulation is largely intended to be more of a carrot before the unpack the stick.

See the Smartphone Charger regulation. It requires all smartphones vendors to come up with a standard for charging, everyone picked microUSB (though moving to USB C now). The EU is fine with that and the smartphone vendors know that if they start pulling the "everyone has their own port" shit again that the EU will get out the stick.

Nobody wants the stick. The EU not and the Vendors not. The carrot was the EU Cookie law, which was largely ignored and the consent dialogs poorly implemented (not even asking for consent the majority of the time). So this is them getting out the stick. Now you can pick which one you want.

>There is no mandate written into the GDPR requiring warnings before fines, nor is there anything preventing multimillion-dollar fines for first-time, minor violations.

Art. 83 of the GDPR details this. Art. 78 details what rights you have against them imposing a fine.

[downandout]

Now you can pick which one you want.

I don’t have to pick either. My company is not subject to the GDPR, and we will never put ourselves in a position to be subject to it. I will not be dictated to or threatened by a foreign government.

Art. 83 of the GDPR details this. Art. 78 details what rights you have against them imposing a fine.

People keep saying things like this, and yet neither article a) requires that a warning be issued before they seek a fine or b) limits fines in any way, except for a top cap of $10 million/$20 million (or percentages of revenue, but the caps are more than 100% of the revenue of most companies).

I would love for someone to just say “yes, technically there are no required warnings or limits other than the $10/$20 million”. Because that’s the only true statement that there is about GDPR fines.

[zaarn]

>I don’t have to pick either. My company is not subject to the GDPR, and we will never put ourselves in a position to be subject to it.

Canada, Japan and some other countries and even the US have indicated to copy the GDPR if not in letter atleast in spirit, though the US response is a lot weaker.

>I will not be dictated to or threatened by a foreign government.

The US is a foreign government and does it all the time to me, why is it a problem now?

>I would love for someone to just say “yes, technically there are no required warnings or limits other than the $10/$20 million”. Because that’s the only true statement that there is about GDPR fines.

You won't have that. The GDPR has a strict guideline on how to impose fines, it's not a law an won't be enforces as such. The regulatory bodies have bite because large players like Facebook or Equifax that leak large amounts of userdata require more than an angry letter in their mailbox.

As these articles mention, the agency imposing a fine should severely think about the level of fine and ensure it's appropriate. If you get hacked by a 0-day, you followed the advice of your regulatory body, your shit gets leaked and you inform your users immediately, it's very unlikely anything will happen.

If you get hacked because you didn't update your MySQL server in 5 years, you ignored what your regulatory agency said and you don't tell your users, don't expect them to go easy on you.

Easy as that. If you don't like it you can sue back and get the fine reduced or rescinded.

[SmellyGeekBoy]

> The fear is real and fully warranted.

Much like the cookie law or CAN-SPAM?

[fnord123]

>GDPR should only apply to businesses with a physical nexus in Europe, anything else is an attempt to assert extraterritorial jurisdiction.

It covers the personal data of EU citizens. Similar laws exist going the other way. Betfair can't (or couldn't) give accounts to US citizens. IIRC, various poker sites had to close US citizens' accounts. The US even arrested a CEO of a UK company who was only changing planes on his way home to Costa Rica: https://en.wikipedia.org/wiki/David_Carruthers#Arrest_during...

>anything else is an attempt to assert extraterritorial jurisdiction.

Good. The EU should grasp the nettle and fulfil it's role as the leading global hegemony.

[downandout]

It covers the personal data of EU citizens

You're both correct and incorrect. It covers the personal data of EU citizens. However, not all sites are actually subject to the GDPR at all. EU traffic to these sites is considered incidental and no GDPR protections apply, even to EU residents, on those sites that are outside of GDPR jurisdiction. There are legal tests build into the GDPR (which I detailed in my original comment above) that determine this.

[kalleboo]

Targeted advertising is not being banned, just regulated. Tobacco and Alcohol are already highly regulated. Junk food is being increasingly regulated https://en.wikipedia.org/wiki/Sugary_drink_tax#Countries