by s_dev 2314 days ago
GDPR applies to EU citizens globally. It's just not enforced globally. The company will have to be large enough to have a presence (or future presence) in the EU for there to be a tangible impact.

> Declaring yourself Irish doesn't make you fall under GDPR protection if you live outside the EU.

I'm a DPO and this is absolutely incorrect.


Can you provide a source? All information I'm able to find says that it applies to EU & EEA residents, with no mention of citizenship being relevant.

Edited to add: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_gui... (it's not even residency that is key - just being present in the EU+EEA)

Here is the official source -- you aren't exactly providing many sources yourself beyond repeating what you've "seen":

https://ec.europa.eu/info/law/law-topic/data-protection/refo...

That page has no reference to citizenship, and multiple to location. It contradicts what you claim it supports.
It took a while to find a primary source, but there is a good set of guidelines laying out how the regulations should be interpreted here: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_gui...

They are very clear - the GDPR protections apply to those that are "in the Union", and the guidelines clarify that citizenship (and, in fact, legal residency) are irrelevant. One must simply be present in the territory that the regulation applies to (which is EU+EEA). Being a citizen of an EU country and being outside the union, the GDPR protections would not apply to you. Being a citizen of a third country and being inside the union, they would.

Uh... did you read the page you linked to? The word "citizen" does not appear anywhere on it, and it finishes with this pretty clear line:

> Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

(note in the EU - no mention of citizenship)

There's a big difference whether the company is in the EU or not.

If your company is in the EU, then according to Article 3.1 the GDPR applies to all your processing of personal data, period - with no exceptions depending on citizenship. So if you're a DPO in an EU company, then that's what's true for you, you definitely have to apply GDPR protections to EU citizens (and also noncitizens) wherever they are.

If your company is not in the EU, then according to Article 3.2. the GDPR applies only to people located in the EU - "This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union"; no qualification on citizenship, but a qualification based on location.

> GDPR applies to EU citizens globally. It's just not enforced globally.

Do American speed limits apply to American drivers in Europe? Or do the European speed limits apply?

Essentially you are absolutely incorrect. The EU has no legal jurisdiction outside of EU borders.

American tax laws (like the FACTA) do apply to Americans in Europe, for example. A sovereign entity has jurisdiction over anything it wants. The question is whether it can enforce it, but there are many tools for that, from simple treaties to sanctions to full-blown military invasions.

In any case, parent is in fact incorrect since the GDPR claims no such jurisdiction. It only applies to people in the EU, or to people whose personal data is processed by EU companies.