
Completely oblivious and ignorant here:

If a company has no official office in Europe, how does this affect them? All advertisement and business focus is say only in the US, is it business as usual? What if an EU citizen decides to sign up?

Are US companies forced to deny customers not part of, say, an IP block (half-assed method, I know, but just speaking in general)?



The guidance we have received is that if your business is not located in the EU, not targeting EU countries, you don't have parts of your site translated to languages spoken in EU countries, and do not have an EU-based domain name extension, your EU traffic is considered incidental and GDPR probably does not apply to you. But, as with everything in the GDPR, that is extremely murky. This law is subject to unique interpretations and degrees of enforcement in the courts and regulatory offices of 28 distinct countries. This is why we simply chose to block EU traffic - there's no need for us to take on the liability of EU traffic, and hope that some country over there doesn't need fines from us badly enough to decide that article 484208408 makes us subject to it.

With regard to enforceability outside the EU, that is anyone's guess. If you're in the US, there are already mechanisms that allow for the domestication of EU judgments in the US. Once domesticated, the judgment would have the same force and effect as if it had been issued by a US judge. However, the treaties that allow this are very complex, and allow for a large number of exceptions. So it would be up to a US judge in each specific case to decide whether or not a judgment for a fine issued under the GDPR can be domesticated. There are currently no treaties specifically relating to GDPR in the US, and I'd imagine there would be (very welcome) strong opposition to such a thing.


Language is a horrible benchmark.

French in Canada, English and Spanish in the US, German among German expats (of which there are millions).

Targeting a business for extortion because of the languages offered? Ridiculous. GDPR should only apply to businesses with a physical nexus in Europe, anything else is an attempt to assert extraterritorial jurisdiction.

Europeans don’t have to visit US/Canadian/Chinese websites. If they want to “protect” themselves, they simply stop using services they find objectionable. GDPR is nonsense — individuals should be allowed to do what they feel is right for them.

Why not ban all junk food from Europe? Tobacco? Alcohol? Those harm people far more than targeted advertising. If we actually “cared,” we’d be banning those industries.

GDPR is nothing more than a trade barrier.


If you have a site in an EU language that is spoken in other countries as well (Spanish etc) but your site doesn't have an EU domain extension and your content and services are generally not targeted at EU residents, then GDPR likely does not apply. Language isn't the only test. If you have a site in German that is reporting German news though, you're likely going to have GDPR apply to you even if you have a .com extension and are not in the EU.

Unfortunately, I must use words such as "likely" here because there is a large amount of ambiguity in these tests, along with a major conflict of interest - it will essentially be up to the would-be beneficiaries of these fines to determine whether or not you are subject to them. The EU HN crowd seems to believe that their various governments will only fine "bad" companies "reasonable" amounts under this law, and that it will not be abused to extract government revenue from foreign companies and/or hobble foreign competitors of companies in their countries. I certainly hope they are correct, but this would be the first time in the history of the world that such a broadly worded statute was not abused. The only safeguard we have is that the world is watching. If/when the EU gets too out of control in their abuse of GDPR, hopefully countries like the US will implement legislation that makes it impossible to enforce GDPR fines within their borders.

Pakistan was once considering issuing an arrest warrant for Mark Zuckerberg because someone created a Facebook contest that offended some Pakistanis [1] [2]. The case would have carried a sentence of death by stoning. Even if charges had been filed, it is doubtful that the US would have extradited him to be stoned to death under the laws of another country. While GDPR fines are civil in nature, this case underscores the importance of not necessarily allowing the enforcement of other countries' laws in your own. If GDPR enforcement becomes abusive, one would hope that similar protections would apply in our home countries.

[1] http://www.adweek.com/digital/could-mark-zuckerberg-face-a-p...

[2] https://tribune.com.pk/story/342031/blasphemy-arrest-mark-zu...


Don't worry, I am sure it won't be abused. The whole fearful effect was created by adtech companies trying to create public outrage and paranoia to protect their money source. Be sure that there are going to be some nasty penalties for the greatest violators (like online dating sites). I have noticed a lot of them are packaging GDPR into terms and conditions and privacy policy changes, and those will have to get a fine, but I am sure a warning will come first. But as one of the ICO (UK?) said, "We will always try to use carrot instead of stick, but some companies are carnivores, they don't eat carrots."

Also I am sure half of the world will have similar laws in the next few years. Private data invasion just went too far; this has to be stopped.


Don't worry, I am sure it won't be abused.

It would be the first time in history that such a law has not been abused. The fear is real and fully warranted.

I am sure warning will come first

There is no mandate written into the GDPR requiring warnings before fines, nor is there anything preventing multimillion-dollar fines for first-time, minor violations.


It's not a law, it's a regulation, and EU regulation is largely intended to be more of a carrot before they unpack the stick.

See the Smartphone Charger regulation. It requires all smartphone vendors to come up with a standard for charging; everyone picked microUSB (though they are moving to USB-C now). The EU is fine with that, and the smartphone vendors know that if they start pulling the "everyone has their own port" shit again, the EU will get out the stick.

Nobody wants the stick. Neither the EU nor the vendors. The carrot was the EU Cookie law, which was largely ignored and the consent dialogs poorly implemented (not even asking for consent the majority of the time). So this is them getting out the stick. Now you can pick which one you want.

>There is no mandate written into the GDPR requiring warnings before fines, nor is there anything preventing multimillion-dollar fines for first-time, minor violations.

Art. 83 of the GDPR details this. Art. 78 details what rights you have against them imposing a fine.


Now you can pick which one you want.

I don’t have to pick either. My company is not subject to the GDPR, and we will never put ourselves in a position to be subject to it. I will not be dictated to or threatened by a foreign government.

Art. 83 of the GDPR details this. Art. 78 details what rights you have against them imposing a fine.

People keep saying things like this, and yet neither article a) requires that a warning be issued before they seek a fine or b) limits fines in any way, except for a top cap of $10 million/$20 million (or percentages of revenue, but the caps are more than 100% of the revenue of most companies).

I would love for someone to just say “yes, technically there are no required warnings or limits other than the $10/$20 million”. Because that’s the only true statement that there is about GDPR fines.


>I don’t have to pick either. My company is not subject to the GDPR, and we will never put ourselves in a position to be subject to it.

Canada, Japan and some other countries, and even the US, have indicated they will copy the GDPR, if not in letter then at least in spirit, though the US response is a lot weaker.

>I will not be dictated to or threatened by a foreign government.

The US is a foreign government and does it all the time to me, why is it a problem now?

>I would love for someone to just say “yes, technically there are no required warnings or limits other than the $10/$20 million”. Because that’s the only true statement that there is about GDPR fines.

You won't have that. The GDPR has a strict guideline on how to impose fines; it's not a law and won't be enforced as such. The regulatory bodies have bite because large players like Facebook or Equifax that leak large amounts of user data require more than an angry letter in their mailbox.

As these articles mention, the agency imposing a fine should think seriously about the level of the fine and ensure it's appropriate. If you get hacked by a 0-day, you followed the advice of your regulatory body, your shit gets leaked and you inform your users immediately, it's very unlikely anything will happen.

If you get hacked because you didn't update your MySQL server in 5 years, you ignored what your regulatory agency said and you don't tell your users, don't expect them to go easy on you.

Easy as that. If you don't like it you can sue back and get the fine reduced or rescinded.


People keep saying all of this. Again, there is absolutely nothing enshrined in GDPR limiting fines, other than $10/20 million. It says they should consider some things when determining the fine. But (for example) one of the 28 countries could decide that in their country, the lowest level fines are "only" $5 million, and they go up from there based on the factors they are supposed to consider. That would still be enough to destroy most businesses.

You cannot tell me that there is anything limiting the fines (other than the cap) because it isn’t written. You’re saying that you hope and think that each of the 28 governments involved here will be reasonable, but in truth you have no way of knowing, and they have every incentive to not be reasonable.


I hope that my government won't do this. As an EU citizen I only have to care about the one in my country.

Again, if you think the fine you got is too heavy you can escalate this to the courts (even EU courts).

There is also no incentive for the regulatory agency to impose such fines if the business cannot pay them. In that case they would get less or even nothing as the business collapses, and it has not been the modus operandi of any EU regulatory body I know or have experienced.

If they aren't reasonable then the EU courts will make them reasonable, or the EU will add additional paragraphs to the GDPR to prevent excessive fines. Simple as that.


> The fear is real and fully warranted.

Much like the cookie law or CAN-SPAM?


>GDPR should only apply to businesses with a physical nexus in Europe, anything else is an attempt to assert extraterritorial jurisdiction.

It covers the personal data of EU citizens. Similar laws exist going the other way. Betfair can't (or couldn't) give accounts to US citizens. IIRC, various poker sites had to close US citizens' accounts. The US even arrested a CEO of a UK company who was only changing planes on his way home to Costa Rica: https://en.wikipedia.org/wiki/David_Carruthers#Arrest_during...

>anything else is an attempt to assert extraterritorial jurisdiction.

Good. The EU should grasp the nettle and fulfil its role as the leading global hegemony.


It covers the personal data of EU citizens

You're both correct and incorrect. It covers the personal data of EU citizens. However, not all sites are actually subject to the GDPR at all. EU traffic to these sites is considered incidental and no GDPR protections apply, even to EU residents, on those sites that are outside of GDPR jurisdiction. There are legal tests built into the GDPR (which I detailed in my original comment above) that determine this.


Targeted advertising is not being banned, just regulated. Tobacco and Alcohol are already highly regulated. Junk food is being increasingly regulated https://en.wikipedia.org/wiki/Sugary_drink_tax#Countries


I work in the USA, as a sysad. The company I work for has a social media product.

We have had European and African citizens who've signed up. And that was more than enough for us to discuss "How do we make our stuff comply with the GDPR?". If we ever considered starting up in Europe, ignoring the GDPR would be tantamount to writing them off before even thinking of them.

We also do things the right way. Deletion requests aren't treated as "ignore kthxbai"; all data is zeroed out, then nightly purged from the DB. And I really think, with how current society is slowly turning against orgs like Facebook, the way we're approaching this is one of the right ways.
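The two-phase erasure the commenter describes (scrub the personal data immediately, hard-delete the row in a scheduled job) is worth seeing end to end, because the first phase must be idempotent and must not leave identifiable fields readable while the row waits for the purge. The following is an added example, not the commenter's code: it assumes a constructed SQLite `users` table with a fixed allowlist of PII columns (here set to NULL rather than literally zeroed) and a `deleted_at` tombstone column; the `handle_erasure_request`, `nightly_purge` and `user_row` names are this example's own.

```python
"""Two-phase GDPR erasure: scrub PII now, hard-delete on a schedule.

Added example; schema, sample rows and function names are constructed
for illustration and are not the commenter's implementation.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Fixed allowlist of columns holding personal data. Only these names are ever
# interpolated into SQL below, so the dynamic SET clause cannot be influenced
# by request input.
PII_COLUMNS = ("email", "display_name", "bio", "last_ip")


def open_db():
    """Create an in-memory database with a constructed users table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, display_name TEXT,"
        " bio TEXT, last_ip TEXT, deleted_at TEXT)"
    )
    # Constructed sample rows.
    db.executemany(
        "INSERT INTO users (email, display_name, bio, last_ip) VALUES (?, ?, ?, ?)",
        [("alice@example.com", "alice", "hello", "203.0.113.5"),
         ("bob@example.com", "bob", "hi", "198.51.100.7")],
    )
    return db


def _now_iso(now):
    """Accept an ISO-8601 string or None (meaning current UTC time)."""
    return now or datetime.now(timezone.utc).isoformat()


def handle_erasure_request(db, user_id, now=None):
    """Phase 1: overwrite every PII column and stamp the row as deleted.

    Returns True if a live row was scrubbed, False if the user does not exist
    or was already scrubbed. The `deleted_at IS NULL` guard makes repeated
    requests idempotent and keeps the original deletion timestamp.
    """
    sets = ", ".join(f"{col} = NULL" for col in PII_COLUMNS)
    cur = db.execute(
        f"UPDATE users SET {sets}, deleted_at = ? WHERE id = ? AND deleted_at IS NULL",
        (_now_iso(now), user_id),
    )
    db.commit()
    return cur.rowcount == 1


def nightly_purge(db, retention_days=30, now=None):
    """Phase 2: hard-delete tombstoned rows older than the retention window.

    Returns the number of rows removed. Timestamps are compared as ISO-8601
    strings, which sorts correctly because both sides use the same UTC format.
    """
    cutoff = (datetime.fromisoformat(_now_iso(now)) - timedelta(days=retention_days)).isoformat()
    cur = db.execute(
        "DELETE FROM users WHERE deleted_at IS NOT NULL AND deleted_at <= ?",
        (cutoff,),
    )
    db.commit()
    return cur.rowcount


def user_row(db, user_id):
    """Return the row as a dict, or None once it has been purged."""
    cur = db.execute(
        "SELECT id, email, display_name, bio, last_ip, deleted_at FROM users WHERE id = ?",
        (user_id,),
    )
    row = cur.fetchone()
    if row is None:
        return None
    return dict(zip([d[0] for d in cur.description], row))


if __name__ == "__main__":
    db = open_db()
    print("scrubbed:", handle_erasure_request(db, 1, now="2024-01-01T00:00:00+00:00"))
    print("after scrub:", user_row(db, 1))
    print("purged:", nightly_purge(db, now="2024-02-15T00:00:00+00:00"))
    print("after purge:", user_row(db, 1))
```

The retention window between the two phases is where the tombstone is still visible to operators, so the purge job also needs to cover wherever the scrubbed columns were copied before the request (replicas, search indexes, log pipelines, backups), or the scrub only removes the data from the primary store.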


If you don't have money, materials, or employees flowing through Europe, there is very little they could do to you even if you actively flouted the law. They could always block access to your site, or even try to sanction your business, but unless they are willing to invade your country to physically stop you they don't have very many options.

There is always the chance that your own government will enforce EU rulings against you, but at that point either your own government thinks GDPR should be enforced or you're in a very weak country and are going to have to capitulate to the EU's power anyway, much like small Latin American countries were forced to follow US policies.


If another company with facilities in the EU then buys the noncompliant company, could they enforce a judgement on the parent company?

If a noncompliant company is going through due diligence prior to being acquired, would they be legally obligated to disclose that judgement? Even if they didn't, how hard would it be for an associate at a law firm to check public records about the company?


Yeah, they could, but this is basic politics and sovereignty. Nations are allowed to make rules for operating inside themselves. You don't just get to ignore all of those rules when working inside them because you said your home is another nation.

The other side of that is that you can tell foreign governments to fuck off if you aren't dealing with them at all. The only time foreign governments matter is if they are a superpower able to bend your own country to its will, and at that point you are basically a colony anyway so there's not much you can do.


You can totally tell foreign governments to fuck off. I'm just speculating that doing so would affect the value of your company.


The more likely problem will have to do with a US or Chinese company buying an EU company (given the scale imbalances in question). It'd be critical to maintain the existing GDPR compliance and keep the entities separate if the US or Chinese operations are not GDPR compliant per their domestic businesses.

Alibaba for example likely has no plans to concern itself with GDPR compliance in its domestic Chinese operations. They obviously will segment and comply with GDPR as it pertains to the EU operations / EU customers.


You're right, if an EU resident decides to visit your website and you're tracking them (Google Analytics etc.) you have to comply with GDPR when handling their data. The IP block has a logic to it because the law applies to people in the EU rather than EU citizens.


Really? I was under the impression that it applies to EU residents, regardless of where they are accessing the website from.


It's the other way around. The law protects according to point of access (EU soil), not according to nationality. So an American tourist in France would be protected, but not a French tourist in the US.

This is just like most laws, when you're a tourist in a foreign country you have to follow the local laws, not the ones from your passport country.


This is technically true, however if the site is not targeting EU residents, the traffic is supposed to be considered incidental and the GDPR is not supposed to apply.


As long as you don't target EU customers, you're fine.


Do you have any references/citations for this?

Would help me out! I'm trying to put together a one-pager for my team.


When the regulation does not apply

Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

https://ec.europa.eu/info/law/law-topic/data-protection/refo...

IANAL etc



And “target” is such an arbitrary idea. Just existing could be argued as trying to target.

The standard should be: “do you have a physical nexus in the EU.” That’s it.


It's either "target", or it applies to all EU customers. "Target" is far less of a problem for companies that don't consider their customers' data to be important.



