[takeitto]

> It's a foreign requirement that feels like a violation of sovereignty.

Sure, if you cater to users in your own country. If you cater (read: deal with data) to users from the EU, you should follow local consumer protection laws.

EU laws have always been more strict than US privacy laws: This caused unfair competition, where US companies were free to export their privacy-damaging business model overseas, while local companies were forced to respect privacy. Respecting privacy is just not very competitive/profitable at the moment.

Your viewpoint pushed to the extreme (sorry if you don't recognize your original view): China selling counterfeit goods or unsafe toys to the US, and feeling like any push-back is messing with their sovereignty of lax copyright -, trademark -, and health laws.

[agensaequivocum]

>Sure, if you cater to users in your own country. If you cater (read: deal with data) to users from the EU, you should follow local consumer protection laws.

If I have a brick and mortar business in the US and some one from the EU decides to do business, do I have to follow EU consumer protection laws? Unless I have an physical presence in the EU why should I have to follow their regulations?

Further, why cannot the EU just allow its citizens just do business with other extra-national companies if they choose to? Meaning, if an EU citizen chooses to do business with a non-GDPR compliant website, why does the EU care?

>EU laws have always been more strict than US privacy laws: This caused unfair competition, where US companies were free to export their privacy-damaging business model overseas, while local companies were forced to respect privacy. Respecting privacy is just not very competitive/profitable at the moment.

So what? If the EU wants to stifle competition, why should the US care. They are only hurting themselves.

[geocar]

> If I have a brick and mortar business in the US and some one from the EU decides to do business, do I have to follow EU consumer protection laws? Unless I have an physical presence in the EU why should I have to follow their regulations?

You don't.

If they're not In The Union, and you're not In The Union, then you're not required to comply with the GDPR.

> Further, why cannot the EU just allow its citizens just do business with other extra-national companies if they choose to? Meaning, if an EU citizen chooses to do business with a non-GDPR compliant website, why does the EU care?

It's impossible to give consent for something if you don't fully understand the ramifications of what you're consenting to[1].

[1]: https://www.nytimes.com/2018/03/17/us/politics/cambridge-ana...

[eli]

What does it mean for a website to "cater" to just my home country? The internet doesn't know political boundaries and most sites cater to all visitors on some marginal level.

[askmike]

Most websites are products nowadays. If you have a simple blog without trackers and ads this is really not going to effect you that much.

> The internet doesn't know political boundaries

Tell that to this US law the whole world has to comply with to called DMCA.

[eli]

Even my simple blog with no ads has google analytics on it. I don't feel like I was doing anything wrong or abusive, but I guess there's a case to be made.

I assure you I have been against the DMCA since before it passed, though I don't think it's quite the same nor do two wrongs make a right.

[AnaniasAnanas]

> Even my simple blog with no ads has google analytics on it.

I would suggest that you remove google analytics then. It only causes harm.

[ForHackernews]

Maybe you aren't, but Google probably is. You're helping Google monitor individuals everywhere they go online.

[cm2187]

DMCA is only one example. In the financial world, the extra-territoriality of US laws is widespread, such that for example even securities sold outside of the US, to non US customers, by non-US institutions, issued by non-US entities have long US laws compliance sections in their documentation. Non US banks outside of the US are reluctant to take US clients because of these laws (not dissimilar to the discussion on blocking EU IPs here).

[Lev1a]

I even read somewhere a while ago that the US claims jurisdiction on any financial transaction in the world as long as it's done using USD... Talk about overreach.

[guelo]

A simple blog without ads still collects IP addresses. It's as if the EU is trying to legislate that the web needs to behave like Tor.

[Sir_Substance]

IP addresses are not PII unless you also have timestamps and a legal avenue for querying the ISP records to see which account and thus person was behind the IP address at that time.

As a small blog, no ISP is going to give you the time of day, so it's not PII because you have no avenue for converting it to a person. If you transmit that data (say to google analytics) it might /become/ PII because google (or any other person you transmit it to) may combine it with other data they have access to, to turn it into PII.

The reasons large organizations are fretting about IP addresses are thus:

a) They have IP/timestamp records going back years, maybe decades

b) They may have ISPs willing to talk to them about who had the IP address at a specific time

c) They can't confidently allow that data to pass to partners in case their partners have access to ISP records

d) That data is a ticking timebomb, because even if they don't have an agreement with an ISP now, if an ISP offers that service for free to all takers in the future, their trove of IP/timestamp pairs could suddenly become PII overnight through no action from them

So yeah, for businesses operating at a certain scale, IP/timestamp combos are now a toxic asset. That doesn't mean your log files for your blog are suddenly a GDPR violation, unless you share them with people or have an inside track with a local ISP.

You can read more here: https://www.whitecase.com/publications/alert/court-confirms-...

[eli]

Doesn't point (d) apply equally to organizations of all sizes?

[pilsetnieks]

> still collects IP addresses

It doesn't have to.

[manfredo]

> Tell that to this US law the whole world has to comply to called DMCA.

If a site has no US presence and blocks all users in the US, what negative repercussion can violating the DMCA incur? Maybe their domain can be siezed, but that can be avoided by not having a domain hosted in the US. The US could block all traffic to the site, but that should be moot if the site has no US users.

[isostatic]

With the DMCA, if a US judge determines that a foreign company has broken the law, and someone associated with the company ever visits the US, that person is at a high risk of being orange-jump-suited in a barbaric punishment system.

It's been this way for nearly 20 years.

[manfredo]

This is outside the scope of my previous comment. If someone visits the US then they have a physical presence in the US.

I'm still failing to see how the original claim, that everyone has to abide by the DMCA, is true. This seems like claiming that everyone has to abide by Thailand's Lese Majeste laws (laws criminalizing insults to the monarchy). Yes people may face repercussion if they have an economic or physical presence in the country. But if they don't, then theres nothing Thailand can do to enforce this law .*

* not without cooperation with other countries at least. Some nearby countries are known to enforce Thailand's Lese Majeste laws abroad and extradite people. But in most countries, this isn't the case.

[number6]

You want to get all political about this? What about extraordinary rendition? And the pirate bay guys?

[isostatic]

But that's the same with the EU rules - nothing to fear if you don't go to the EU.

[takeitto]

The internet doesn't know, but e-commerce/data business pretty darn well knows where their customers/users are situated.

The old web was mostly static websites. We spoke of visitors. The new web is app-ified/interactive, walled off to logged-in agreement-abiding geolocated users, and even a single logged-out "visit" broadcasts this to 100s of trackers who will remember your every move online.

[eli]

Odds are whatever you were using on the old web to measure visitors would be a data processing activity under GDPR.

[ForHackernews]

If you aren't collecting and storing PII, you have nothing to fear from the GDPR. Even if you are, you're fine as long as you only collect what you legitimately need to offer your services.

[brassattax]

including targeted advertising campaigns?

[ForHackernews]

IANAL, but if your company is a targeted marketing company (think Groupon) and users sign up explicitly to get sent offers, then you're probably in the clear. If your company offers some other service, but you also want to sell your users' data for targeted marketing, the GDPR requires you ask for and get real consent.

[meko]

I find it odd that people take issue with regulation, perhaps its been ingrained into the cultural consciousness of the west that regulation is always bad, but historical analysis shows that regulation has always had an overwhelmingly net positive effect for the members of a given society. You can link the stage of a country's development to how effective their government is in protecting it's constituents.

[JBSay]

Aww that's cute!