[btasker]

dotorg being run by a private citizen who receives no payments does not exempt it from GDPR, because GDPR doesn't make that distinction.

There _is_ an exemption for household processing (recital 18) - which means that I don't need to worry about taking a neighbour's contact number etc - but wordpress.org wouldn't fall under that.

Given Matt's actions (and statements made by his own team so far in the case), I think he'd struggle to claim that wordpress.org is not linked to "professional or commercial activity".

It might be quite difficult to enforce against a private citizen, but that's not the same as it not applying.

[that_guy_iain]

> dotorg being run by a private citizen who receives no payments does not exempt it from GDPR, because GDPR doesn't make that distinction.

The dot org being run by an American citizen who does not operate within the UK that country 100% means UK courts do not having standing. Remember GDPR UK is not GDPR. It's based on it but case law is different and other stuff. Remember, just because one country does not allow something or requires something does not mean everyone whose website is accessible within that country has to follow that law. But for UK law to apply to someone there has to be a connection. Not just "I can connect to that website" or they're processing my data.

Furthermore, GDPR UK does make a distinction or at least the ICO does - https://ico.org.uk/for-organisations/data-protection-and-the.... Under UK law providing goods and services requires taking payment.

Legal opinion has also been shared from lots of sources that small businesses operating out with the EU aren't covered by GDPR. I believe there is EU law that says EU law only applies to companies with a significant number of customers who are EU citizens.

> There _is_ an exemption for household processing (recital 18) - which means that I don't need to worry about taking a neighbour's contact number etc - but wordpress.org wouldn't fall under that.

Fun fact, in the UK data protection laws will still cover cameras and whatnot taken from a household. That is UK case law. But again, there is no standing for even the Data Protection Act to apply because there is no connection.

> Given Matt's actions (and statements made by his own team so far in the case), I think he'd struggle to claim that wordpress.org is not linked to "professional or commercial activity".

Yea, but there is no standing for the UK to apply its laws on Matt. The EU may have a better claim since he has servers in the EU. However, as pointed out GDPR does not apply for that person because he is neither an EU citizen or a resident as far as I can tell. Their entire claim would be to apply UK law to someone not operating within the country.

The entire point of commercial activity is that there would be a connection and would give UK courts standing is silly. It's basic law 101. Hence, why I said in my first comment that OP didn't understand the law.

[btasker]

GDPR (including the UK GDPR) is extra-territorial by design.

It applies _by design_ to anyone or anywhere processing the data of an EU or UK citizen.

I suspect that you and I would agree about the wrongs of any law being extra-territorial, but it's where things on both sides of the pond have landed us.

You already linked to the relevant part of the ICO's guidance but *appear* to have misunderstood it: you've inserted an extra requirement - that it requires taking payment.

That's not the case, it applies just as much to free services.

Wordpress.org (and more so the associated services - slack etc) being available and (more importantly) *collecting and processing data* is offering a service.

> Fun fact, in the UK data protection laws will still cover cameras and whatnot taken from a household

They do indeed. In fact, it's not just cameras: as soon as you publicly share information you can't rely on the exemption because it doesn't cover it.

> Yea, but there is no standing for the UK to apply its laws on Matt.

You keep using the word standing, which is very much as US-centric term. I'm not, for a second, suggesting that anyone would try and enforce this in a US court.

Being able to enforce is (as I've already said) an entirely different kettle of fish.

> Their entire claim would be to apply UK law to someone not operating within the country.

Yes. Welcome to the intended design of GDPR.

Although you're right that EU GDPR and UK GDPR are now two seperate things, they're not actually particularly different things: we didn't really amend it after leaving the EU - the two are seperate since Brexit, but the way that they work is the same, albeit absent a few years of caselaw.

In fact, it's not GDPR that's extra-territorial (or intended to be). Have you seen the stuff they've been trying to bring it to make the internet "safe"? That's extra-territorial in nature too.

Ever since the US passed the CLOUD act, politicians on this side of the pond seem to have decided that what's good for the goose is good for the gander.

[that_guy_iain]

> GDPR (including the UK GDPR) is extra-territorial by design.

> It applies _by design_ to anyone or anywhere processing the data of an EU or UK citizen.

That is now how the law works. A court must have standing or jurisdiction or whatever word you want to use since you seem to think semantics are at the core of this issue here.

> You already linked to the relevant part of the ICO's guidance but appear to have misunderstood it: you've inserted an extra requirement - that it requires taking payment.

No, that's UK case law. Basic law 101. That is what the legal definition of goods and services is within the UK. If you don't understand that there are legal definitions for things then we're at the crux of your complete misunderstanding of law. And really we won't get anywhere.

>Wordpress.org (and more so the associated services - slack etc) being available and (more importantly) collecting and processing data is offering a service.

Not under UK law. UK law defines a service as something that is being paid for. This is hundreds of years old.

You would be heavily rebuked by a judge if you tried this nonsense in court of trying to redefine hundreds of years old case law to suit your opinion.

> Being able to enforce is (as I've already said) an entirely different kettle of fish.

No, that's the entire point. THE ENTIRE POINT. A court will not take up a case where it can't do anything.

Quite simply, your entire argument fundamentally depends on you not understanding UK GDPR, GDPR, or even basic law fundamentals.