by kuschku 1586 days ago
There’s no issue with that. If a person manually takes their information and mails it to the CIA, that’s also fine.

The issue is if a person visits a resource from a company in the EU, they should be able to expect that that information won’t be passed along to any third party that’s not absolutely necessary. Especially not to foreign governments.

You wouldn’t expect a visit to latimes.com to leak your information to the Chinese Party either.

Maybe I'm just old-school, but I expect when I visit a site I'm leaking some PII (my IP address) to every router between my client and latimes.com to do with as they will.

I wouldn't necessarily expect the CCP to be involved unless Internet routing is having a very bad day, but I'd expect the American government to be involved when hitting an American server.

> Maybe I'm just old-school, but I expect when I visit a site I'm leaking some PII (my IP address) to every router between my client and latimes.com to do with as they will.

Presumably you don't expect the american government to get involved after your request has reached latimes.com though?

Technically, the only thing stopping them is SSH, and that can be handled (as Snowden publicized) by tapping latimes.com's systems on the other side of decryption.

Old-school me would not have expected that to happen. Post-Snowden? It's a definite possibility.

> Old-school me would not have expected that to happen. Post-Snowden? It's a definite possibility.

And... Is that a "favorable" (hope that's the right word, non-native here) thing?

It's neither favorable nor disfavorable to me; it just is. Something I file away in the back of my head about how the Internet works right now. Individual uses can be favorable or disfavorable.

If I walk into a store and buy some gum, my face is on their security camera. If the cops are hunting for a murderer, they can pull that camera feed. Is this favorable? shrug. I like my privacy but I also like catching murderers. And I have no expectation of privacy when I step in someone's store; similarly, once I've shipped 1s and 0s to someone else, my expectation is they'll use them as they will, and if I don't like it I'll stop shipping 1s and 0s to them.

This is probably just my American sensibilities talking, but growing up in a culture where I was building a credit score before I knew what that was, I'm not surprised services like Google Analytics are e-gossiping on my preferences (any more than I'd have been surprised if two BBS owners, back in the day, gossiped about their users).

> The issue is if a person visits a resource from a company in the EU

Does it have to be a company in the EU? I thought the GDPR covered any website an EU citizen, resident, or visitor might use, in which case US-based websites might have contradictory obligations to the GDPR and US law.

It depends on Art 3.

https://gdpr-info.eu/art-3-gdpr/

Just because a website exists and may be visited by an EU resident does not mean that the site automatically has to comply.

It will be hard for a lot of US media making deals with European advertisers to claim they're not intended for use by European residents, though.

Is that not what 2(a) says: if a service is being provided to an EU data subject, the regulation applies? At least, that is clearly what the EU seems to be claiming. Sure, if no EU data subject actually accesses the site, it doesn't apply, but the moment one does...

Well, I mean, think of a store which doesn't accept EU payment or ship to EU addresses, nor target EU residents with advertising. You'd be hard pressed to say they service EU residents even if the site was able to be visited by EU residents.

Nowhere in Article 3 does it say anything about "targeting" them; it only says if the "service" is "offered", whether or not payment is required. So in a broad interpretation, simply serving a webpage to an EU data subject is an act of processing personal data (IP address) of an EU data subject related to offering them a service (the web page itself). That is as long as it doesn't fall into one of the carve-outs in Article 2: https://gdpr-info.eu/art-2-gdpr/

It could be argued that such an act "falls outside the scope of Union law;" but that seems to be a matter of contention.

I think we have to look at Recitals 23 through 31; they clarify what 'goods and services' mean.

https://gdpr-info.eu/recitals/no-23/

The US isn't going to enforce GDPR violations, so why does it matter?
Do they have a TikTok?