by throwhauser 1593 days ago
> The issue is if a person visits a resource from a company in the EU

Does it have to be a company in the EU? I thought the GDPR covered any website an EU citizen, resident, or visitor might use, in which case US-based websites might have contradictory obligations to the GDPR and US law.

2 comments

It depends on Art 3.

https://gdpr-info.eu/art-3-gdpr/

Just because a website exists and may be visited by an EU resident does not mean that the site automatically has to comply.

It will be hard for a lot of US media making deals with European advertisers to claim they’re not intended for use by European residents, though.

Is that not what 2(a) says: if a service is being provided to an EU data subject, the regulation applies? At least, that is clearly what the EU seems to be claiming? Sure, if no EU data subject actually accesses the site, it doesn't apply, but the moment one does...

Well, I mean, think of a store which doesn't accept EU payment or ship to EU addresses, nor target EU residents with advertising. You'd be hard-pressed to say they service EU residents even if the site was able to be visited by EU residents.

Nowhere in Article 3 does it say anything about "targeting" them; it only says if the "service" is "offered", whether or not payment is required. So in a broad interpretation, simply serving a webpage to an EU data subject is an act of processing personal data (IP address) of an EU data subject related to offering them a service (the web page itself). That is as long as it doesn't fall into one of the carve-outs in Article 2: https://gdpr-info.eu/art-2-gdpr/

It could be argued that such an act "falls outside the scope of Union law;" but that seems to be a matter of contention.

I think we have to look at Recital 23 through 31 they clarify what 'goods and services' mean.

https://gdpr-info.eu/recitals/no-23/

Thank you, that does seem to alleviate some of my concerns as above. I'm not as familiar with EU law; it seems that recitals aren't legally binding equally with the "operative" text. But given the context, it seems unlikely a small blog or web shop that doesn't target EU customers would be in scope.

It seems somewhat strange that a company selling a service to EU customers might be in trouble for using Google Fonts in a jurisdiction (e.g. Germany) where there are ways to identify a user by means of IP address [0], but a weblog that was using Google Fonts might not be, since it's a blog and not a goods-and-services site. Google ends up with the IP address equally in both cases.

[0] https://news.ycombinator.com/item?id=30135264

The US isn't going to enforce GDPR violations, so why does it matter?