[CaptArmchair]

> Section 8.6 GDPR

> Part b. omg.lol does not believe its processing of limited personal data of those outside the United States (if any) brings it within the jurisdiction of these laws.

That's a hard disclaimer if there's any.

I read that as: if you're a European user, we do not believe you can legally enforce us to honor your rights, even though we operate within the EEA.

[ykonstant]

This is very disappointing, and automatically dismisses omg.lol as an option for me as a researcher and educator.

[jacquesm]

And is illegal to boot. If that's their attitude they should not allow Europeans to register in the first place because all it will do is set them up for a confrontation with the various Data Privacy Offices. And such wilful language rules out any apologies.

[niemandhier]

If you are affected file a complaint with the DPA.

If enough people do it they will act.

https://commission.europa.eu/law/law-topic/data-protection/r...

If one does not like EU law, one should just not do business here.

[CaptArmchair]

More to the point, the GDPR is quite explicit on here as well:

> Article 3.2 goes even further and applies the law to organizations that are not in the EU if two conditions are met: the organization offers goods or services to people in the EU, or the organization monitors their online behavior. (Article 3.3 refers to more unusual scenarios, such as in EU embassies.)

https://gdpr.eu/companies-outside-of-europe/

Which is pretty much what happens given that they allow EU citizens to buy a 20 USD subscription.

[hnbad]

That's also a sovereign citizen level of legalese. It doesn't matter what omg.lol states it believes. If anything, this demonstrates clear intent to violate users' privacy and be non-compliant with international data protection laws.

This is largely a moot point as long as omg.lol remains some guy's side project but given that the ToS explicitly mentions the possibility of a merger or buyout, this feels like it's poisoning the well a bit. If there's any upside to this, it's that this makes a buyout far less likely because he's essentially saying "yeah, we collect a ton of personal information but we don't have the legal consent for any of it and explicitly told users we're not complying with their regional data protection laws when it comes to gathering, processing or storing their personal information". Fair enough for the MySpace era of Web 2.0 privacy abuse but no longer workable in a world with the GDPR and its many regional equivalents.

[agos]

your comment is spot on. an acquisition is also the perfect time to have someone trigger an investigation by the local privacy authority for breach of GDPR and I can tell with reasonable certainty that the wording on that ToS is enough to get fined. Until they have a legal presence in the EU they might get away with it, though.

[rusk]

Worth a shot I suppose