Hacker News new | ask | show | jobs
by GlitchMr 1586 days ago
This is such a weird argument. Let's say those things are true (and I think they are reasonably true).

- When an EU citizen requests a US internet resource, they provide a US server with their IP address

- An IP address is PII (well, personal data as far GDPR is concerned, but that's a nitpick)

- The CIA could record that

I don't think how you would go to a conclusion from those that "it is illegal to provide any internet resource to anyone in the EU".

First, it's worth noting that GDPR only applies to companies that specifically target its services at individuals in the EU. Targeting means having an EU office, using an EU domain, providing EU languages such as Polish or allowing payments in EU currencies. If your service makes no effort to provide service specifically for European users there is no need to worry about GDPR - even if you are in the US.

Second, while US services targeting individuals in the EU are legally problematic, this doesn't affect other countries - so I see no reason to say "any" here. For example, a Japanese server is free to provide services at individuals in the EU provided they comply with GDPR as EU has an adequacy decision for Japan.

Also, I would like to point out you can replace US with North Korea in this argument. I think it would be ridiculous to say that if European Union were to disallow sending personal data to North Korea (including IP address) then it would mean that it's illegal to provide any internet resource to anyone in the EU.
1 comments
zeepzeep 1586 days ago
> Targeting means having an EU office, using an EU domain, providing EU languages such as Polish or allowing payments in EU currencies.

Nope. There's only a single requirement: having EU users.

link
GlitchMr 1586 days ago
GDPR recital 23 says the following:

> In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

link