by lurena 2949 days ago
>After thinking long and hard about the GDPR the part that bothers me the most is the expectation from the EU that foreign entities enforce their regulations because the EU cannot bear the political consequences of doing it themselves.

That sort of thing happens all the time - except the US is usually the one coercing foreign entities. Remember the DMCA? ThePirateBay's raid in 2006? Or the Megaupload debacle? Or how Japan was pressured by the US to adopt stricter child pornography laws?

Note, I'm not saying the people behind these were supporting moral and noble causes that the US was wrong to clamp down on. I'm certainly not saying people should comply with China's expectations on free speech and flow of information. Simply, if you feel infuriated that a foreign power is enforcing its worldview and related regulations onto you, an American citizen, know that that's what literally everyone else has been experiencing for the last decades from the people you've put in power.

But then, what the EU is trying to enforce here - more power to Internet users, essentially - is fairly benign when compared to what other foreign powers would like to enforce. If there were matters of infuriation to be had on that account, I'd start with the Marriott debacle [1].

[1] https://boingboing.net/2018/01/15/willfull-liking.html

1 comments

The DMCA does not magically apply extra territorially.

It’s applied through an established legal framework either through bilateral trade agreements or through WTO rules.

The majority of copyright enforcement outside of the US has nothing to do with the DMCA but rather copyright holders using local legal frameworks.

The problem with the GDPR is that its extraterritorial application as expected by the EU is also extrajudicial.

I would have no problem with the EU seeking ways to expand GDPR through new legal frameworks which the people that would be impacted by these changes can actually control through their own political system.

What I have a problem with is the EU essentially forcing compliance through extortion and sooner rather than later it will employ the companies that the GDPR was in spirit intended to protect us from to enforce it.

I don’t see the EU being able to enforce the GDPR even internally without essentially deputizing the likes of Google, Amazon and PayPal to enforce it across all of their customers in order for them themselves to be compliant.

Even with the fines possible under the GDPR the EU cannot enforce compliance by targeting 100,000’s of small companies without going essentially bankrupt. It can however effectively target the big ones and worse make it impossible to operate within the EU without using their “GDPR compliant” platforms.

The GDPR might be a great thing on paper and even in spirit but the uncertainty and the inability to enforce complex regulation on a mass of small entities would likely cause its real world repercussions to be quite different from what was imagined or intended.

>The DMCA does not magically apply extra territorially.

>It’s applied through an established legal framework either through bilateral trade agreements or through WTO rules.

>The majority of copyright enforcement outside of the US has nothing to do with the DMCA but rather copyright holders using local legal frameworks.

That means essentially the same, in effect. Very few countries have copyright laws that do not align with interests of US lobbies. If any country with significant partnerships with the US decided to tell "screw the MPAA, you can now download anything from the Internet" to its citizens, the said lobbies would pressure the US government to pressure that country through the trade agreements you mentioned, until it relented. This is something that actually happened, during e.g. the TPB raid. We can argue about the moral legitimacy of such things but the reality of the matter is, it's all power plays.

>What I have a problem with is the EU essentially forcing compliance through extortion and sooner rather than later it will employ the companies that the GDPR was in spirit intended to protect us from to enforce it.

>I don’t see the EU being able to enforce the GDPR even internally without essentially deputizing the likes of Google, Amazon and PayPal to enforce it across all of their customers in order for them themselves to be compliant.

>Even with the fines possible under the GDPR the EU cannot enforce compliance by targeting 100,000’s of small companies without going essentially bankrupt. It can however effectively target the big ones and worse make it impossible to operate within the EU without using their “GDPR compliant” platforms.

Three objections:

-The use of 'extortion' is rather harsh - the EU isn't out there to suck money out of the poor American startups, they simply want them to treat user data in a sensible manner. Now you may object to what is considered 'sensible' just like someone in Sweden (e.g. anakata) may object to what is considered a 'copyright breach' but the point here is that they are not looking to make money from fines. If you are found to be noncompliant you wouldn't get sued by troll lawyers, you'd get a couple warnings along with guidance on how to be compliant again. Fines are simply there to say they mean business so people stop ignoring the regulations like they've done with existing country-specific ones for the last decades. Again, power play.

-I really doubt Google, Amazon and PayPal would cut off the entire EU market just to avoid going through the hassle of setting up an updated privacy policy. The EU population is 500 million, way more than the US. More likely, they'll do a cost-benefit analysis that will tell them it's worth paying their lawyers to do the compliance work. It's not actually a big deal. Also, these tech giants do have offices in the EU, usually in Ireland, so it hardly counts as extraterritorial extortion.

-As for the poor hundreds of thousands of companies - well, see the above. They don't want your money, they want compliance. A fine is the absolute worst case if you are repeatedly and outrageously negligent on a very large scale. The most likely case, however, is that the GDPR isn't going to care about these startups because the European public doesn't care about them either. I don't mean to be harsh or condescending, but while lurking HN and reading headlines about such and such service shutting its doors to European users, I couldn't recognize any of the names. No one is going to sue your ten-man startup that develops a niche/superficial app whose use cases only fit twice that many people to an EU court. It is far more likely that it will fail by itself, because that's what startups do. Should it grow, however, and be in a position to deal with enough customers' data that negligence or nefarious intent when handling it would cause significant harm - that's where actual GDPR enforcement would step in.

You may say: 'but there is no guarantee', 'it's all very vague', 'this much vagueness only opens the way to corruption and preferential treatment', but that's mostly how most of the law is written here in the EU - clarity of intent and concision over clarity of wording and exhaustiveness. Against all odds I'd say it's working out pretty well for us and the vast majority of people here do not feel any defiance toward their institutions (at least when compared to other countries), so I feel confident in the GDPR's enforcement, jurisprudence cases and their future effects on the handling of my data. You may feel slighted that a foreign entity, its views and its legal culture are being imposed on you, though, and I understand. Again, power play.