Hacker News new | ask | show | jobs
by solomatov 931 days ago
It's much more complicated than that. The article 3 (https://gdpr-info.eu/art-3-gdpr/) says two possible ways to get into a territorial scope of GDPR:

- the offering of goods or services

- the monitoring of behavior of data subjects

Offering doesn't mean that it's just available and/or sellable in EU. It's more complicated than that. EDPB has a guidance on this topic: https://edpb.europa.eu/our-work-tools/general-guidance/guide... In short, document shows examples where some services are available in EU, and sellable there but personal data isn't covered by GDPR.

On the other hand, my understanding is that monitoring of behavior is always covered by GDPR.

(I am not a lawyer and this is not a legal advice)
1 comments
akerl_ 931 days ago
I don’t think I dispute that the GDPR and related laws claim to apply to me if I have a website that EU residents access.

I dispute that they have jurisdiction to actually apply their laws to me, any more than the US can charge somebody with violating FCC regulations for a radio signal sent from Norway.

There are specific things like extradition treaties, trade agreements, and parallel legislation that cover existing areas where this happens. Is there one that covers application of the GDPR in the US?

link
fenier 931 days ago
The U.S. and the EU signed the Data Privacy Framework over this past summer. https://www.dataprivacyframework.gov/s/ This offers methods for EU residents to exercise claims against U.S. businesses.

Among other requirements, a participating organization must provide you:

  Information on the types of personal data collected
  Information on the purposes of collection and use
  Information on the type or identity of third parties to which your personal data is disclosed
  Choices for limiting use and disclosure of your personal data
  Access to your personal data
  Notification of the organization’s liability if it transfers your personal data
  Notification of the requirement to disclose your personal data in response to lawful requests by public authorities
  Reasonable and appropriate security for your personal data
  A response to your complaint within 45 days
  Cost-free independent dispute resolution to address your data protection concerns
  The ability to invoke binding arbitration to address any complaint that the organization has violated its obligations under the DPF Principles to you and that has not been resolved by other means
https://www.dataprivacyframework.gov/s/article/My-Rights-und...
link
db48x 931 days ago
> There are specific things like extradition treaties, trade agreements, and parallel legislation that cover existing areas where this happens. Is there one that covers application of the GDPR in the US?

Nope. Extradition only covers the case where you go to some other country and commit a crime there, then return to the US. If the crime you committed there is serious, and is also a crime here, then extradition can apply. There are other conditions as well, but the key is that it has to be a crime in both places.

Europeans can claim that you must follow their laws until they are blue in the face but it won’t magically become true. You can safely ignore it. Enjoy competing against European businesses without having to pay any of the same costs.

link
fenier 931 days ago
Even if you do not have to comply with GDPR, 12 States have passed data privacy regulations to date. You may still need to comply with data protection law regardless if you qualify for various State laws.

Even if State law doesn't apply - you have have HIPAA, GLBA, SOX etc.

link
db48x 930 days ago
All irrelevant to the question. But it of course true that we have plenty of our own laws to follow.
link