by nullbytesmatter 1481 days ago
I don't think the law has done much at all. I operate a business that serves as a data broker / processor under GDPR.

I have had a total of 66 data requests in 4 years. I handle data requests and follow the laws, but I also understand the EU/UK has zero grounds to enforce anything against my business if I were to flat out reject all requests.

They can't fine me, I don't have a physical or business presence in Europe, though I do have European customers.

The only reason I handle requests is to protect my customers, not myself.


This is an admirable position, and one of my biggest problems with GDPR. Honestly, my only problem with it.

The EU does not have the legal jurisdiction to tell any company based outside of the EU what to do with its data, whether that data is about EU citizens or not.

If I ran a SaaS I would probably do the same thing as you (out of respect for my customers) but I certainly wouldn't feel any legal compulsion to do so.

Is that really true? My understanding for example in the USA is that if you violate the laws in another country, you automatically violate the laws in the USA (under the Foreign Corrupt Practices Act - https://www.justice.gov/criminal-fraud/foreign-corrupt-pract...) - or is that really just limited to bribery? AFAIK some other countries have similar provisions.
The FCPA is incredibly specific.

What US law requires a US citizen to comply with EU law?

Yes thank you, a more detailed read of FCPA would indicate it is primarily restricted to bribery (or at least payments that could be interpreted as bribery). But could a non-EU website operator still be fined for non-compliance with GDPR if it were to collect personal data on EU citizens? Do website analytics constitute personal data?
Jurisdiction issues are complex. In this case, the jurisdiction is defined by the location of the customer, not the business.

If your business ignores EU courts, that might not have an immediate impact, but in the longer-term, you have a liability if you ever do business in Europe, want to be acquired by someone with a business presence in Europe, and potentially in the future, travel to Europe.

GDPR is framed as a human rights law, and that has long-reaching claws.

It is currently not well-enforced, but there are many examples of clawbacks coming in. For US slavery, those clawbacks are coming 160 years later: buildings, businesses, and schools are being renamed. Statues are being torn down. In some cases, you're starting to see reparations (see Harvard). Milder versions of racism are subject to cancellations; things acceptable in 1980 are having repercussions on people's careers in 2020.

Then you've got issues of when you're persecuted for an unrelated reason, and the government is looking for an excuse or pretext to take you down. A famous mobster was taken down a century ago for tax evasion.

Jurisdiction is sometimes complex, but you don't have to be an attorney to see the disconnect in a court in, say, Germany, claiming it has jurisdiction over the practices of a food blog run by someone in Kansas because someone in Berlin decided to sign up for their newsletter.

I want to be clear I think they have a moral and ethical obligation to delete that person's information if so requested. There's just no (legitimate) legal requirement. The huge jurisdictional overreach by GDPR is part of why you're seeing companies just outright ignore parts of it.

Reasonable people can disagree about whether or not GDPR actually covers anything in the spectrum of "human rights" but for the love of god slavery has nothing to do with anything about it.

Western powers did go around and force various African polities to stop doing slavery under the threat of their cannons...
Reasonable people cannot disagree about the framing of GDPR as a human rights law. The second sentence is "This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data."

Reasonable people can disagree about the extent to which privacy is a fundamental, human right, or where the bounds are, but that is literally the phrasing of the law.

Reasonable people can argue about a lot of issues, and views on rights change with time. Ancient Greeks and not-so-ancient Afghans had sex with kids. Just over a century ago, women couldn't vote. It's hard to predict how views on human rights will evolve. Right now, there are huge cultural disconnects about a lot of things digital. It's not clear where they'll land.

The one in GDPR trouble wouldn't be your company anyway, since you're a data processor. The data controller is the one who needs to make good on the data requests.