|
Jurisdiction issues are complex. In this case, the jurisdiction is defined by the location of the customer, not the business. If your business ignores EU courts, that might not have an immediate impact, but in the longer-term, you have a liability if you ever do business in Europe, want to be acquired by someone with a business presence in Europe, and potentially in the future, travel to Europe. GDPR is framed as a human rights law, and that has long-reaching claws. It is currently not well-enforced, but there are many examples of clawbacks coming in. For US slavery, those clawbacks are coming 160 years later: buildings, businesses, and schools are being renamed. Statues are being torn down. In some cases, you're starting to see reparations (see Harvard). Milder versions of racism are subject to cancellations; things acceptable in 1980 are having repercussions on people's careers in 2020. Then you've got issues of when you're persecuted for an unrelated reason, and the government is looking for an excuse or pretext to take you down. A famous mobster was taken down a century ago for tax evasion. |
I want to be clear I think they have a moral and ethical obligation to delete that person's information if so requested. There's just no (legitimate) legal requirement. The huge jurisdictional overreach by GDPR is part of why you're seeing companies just outright ignore parts of it.
Reasonable people can disagree about whether or not GDPR actually covers anything in the spectrum of "human rights" but for the love of god slavery has nothing to do with anything about it.