> It's a foreign requirement that feels like a violation of sovereignty.
Sure, if you cater to users in your own country. If you cater (read: deal with data) to users from the EU, you should follow local consumer protection laws.
EU laws have always been more strict than US privacy laws: This caused unfair competition, where US companies were free to export their privacy-damaging business model overseas, while local companies were forced to respect privacy. Respecting privacy is just not very competitive/profitable at the moment.
Your viewpoint pushed to the extreme (sorry if you don't recognize your original view): China selling counterfeit goods or unsafe toys to the US, and feeling like any push-back is messing with their sovereignty of lax copyright, trademark, and health laws.
> Sure, if you cater to users in your own country. If you cater (read: deal with data) to users from the EU, you should follow local consumer protection laws.
If I have a brick and mortar business in the US and someone from the EU decides to do business, do I have to follow EU consumer protection laws? Unless I have a physical presence in the EU, why should I have to follow their regulations?
Further, why cannot the EU just allow its citizens just do business with other extra-national companies if they choose to? Meaning, if an EU citizen chooses to do business with a non-GDPR compliant website, why does the EU care?
> EU laws have always been more strict than US privacy laws: This caused unfair competition, where US companies were free to export their privacy-damaging business model overseas, while local companies were forced to respect privacy. Respecting privacy is just not very competitive/profitable at the moment.
So what? If the EU wants to stifle competition, why should the US care. They are only hurting themselves.
> If I have a brick and mortar business in the US and someone from the EU decides to do business, do I have to follow EU consumer protection laws? Unless I have a physical presence in the EU, why should I have to follow their regulations?
You don't.
If they're not In The Union, and you're not In The Union, then you're not required to comply with the GDPR.
> Further, why cannot the EU just allow its citizens just do business with other extra-national companies if they choose to? Meaning, if an EU citizen chooses to do business with a non-GDPR compliant website, why does the EU care?
It's impossible to give consent for something if you don't fully understand the ramifications of what you're consenting to[1].
What does it mean for a website to "cater" to just my home country? The internet doesn't know political boundaries and most sites cater to all visitors on some marginal level.
Even my simple blog with no ads has google analytics on it. I don't feel like I was doing anything wrong or abusive, but I guess there's a case to be made.
I assure you I have been against the DMCA since before it passed, though I don't think it's quite the same nor do two wrongs make a right.
DMCA is only one example. In the financial world, the extra-territoriality of US laws is widespread, such that, for example, even securities sold outside of the US, to non-US customers, by non-US institutions, issued by non-US entities have long US law compliance sections in their documentation. Non-US banks outside of the US are reluctant to take US clients because of these laws (not dissimilar to the discussion on blocking EU IPs here).
I even read somewhere a while ago that the US claims jurisdiction on any financial transaction in the world as long as it's done using USD... Talk about overreach.
IP addresses are not PII unless you also have timestamps and a legal avenue for querying the ISP records to see which account and thus person was behind the IP address at that time.
As a small blog, no ISP is going to give you the time of day, so it's not PII because you have no avenue for converting it to a person. If you transmit that data (say to google analytics) it might /become/ PII because google (or any other person you transmit it to) may combine it with other data they have access to, to turn it into PII.
The reasons large organizations are fretting about IP addresses are thus:
a) They have IP/timestamp records going back years, maybe decades
b) They may have ISPs willing to talk to them about who had the IP address at a specific time
c) They can't confidently allow that data to pass to partners in case their partners have access to ISP records
d) That data is a ticking timebomb, because even if they don't have an agreement with an ISP now, if an ISP offers that service for free to all takers in the future, their trove of IP/timestamp pairs could suddenly become PII overnight through no action from them
So yeah, for businesses operating at a certain scale, IP/timestamp combos are now a toxic asset. That doesn't mean your log files for your blog are suddenly a GDPR violation, unless you share them with people or have an inside track with a local ISP.
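The comment above frames the risk as the IP/timestamp pair: an IP address alone is not PII for a small site, but a precise timestamp next to it is exactly what an ISP record could later be joined against. As an added illustration (not code from any commenter), here is a small Python routine that reduces that join key before log lines leave your hands, by dropping the host part of the address (last octet of IPv4, last 80 bits of IPv6) and rounding the timestamp to the hour. The log lines are constructed samples in the common "combined" web-server format; the field layout is an assumption, and the /24 and /48 granularities are example choices rather than anything the thread prescribes.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample access-log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.42 - - [12/May/2018:14:03:27 +0000] "GET /index.html HTTP/1.1" 200 5120
2001:db8:85a3::8a2e:370:7334 - - [12/May/2018:14:05:01 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.7 - - [12/May/2018:15:41:09 +0000] "POST /comment HTTP/1.1" 302 0
"""

# Assumed layout: client IP, ident, user, [timestamp], then the rest of the line.
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<idents>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')


def coarsen_ip(ip_text):
    """Keep only the network part: /24 for IPv4, /48 for IPv6 (example granularity)."""
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def coarsen_timestamp(ts_text):
    """Round a combined-log timestamp down to the hour, keeping its offset."""
    dt = datetime.strptime(ts_text, "%d/%b/%Y:%H:%M:%S %z")
    return dt.replace(minute=0, second=0).strftime("%d/%b/%Y:%H:%M:%S %z")


def sanitize_line(line):
    """Return the line with IP and timestamp coarsened, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unknown layout: refuse rather than pass a raw line through
    return f"{coarsen_ip(m['ip'])} {m['idents']} [{coarsen_timestamp(m['ts'])}] {m['rest']}"


def sanitize_log(text):
    """Sanitize every non-empty line; unparseable lines come back as None so they can be dropped."""
    return [sanitize_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for out in sanitize_log(SAMPLE_LOG):
        print(out)
```

The point of coarsening both fields is that neither half of the pair the comment describes survives with enough precision to be matched against an ISP's allocation records; a /24 at a given hour is shared by up to 256 hosts, and the original lines are never forwarded. Lines that do not parse are returned as None so a caller can drop them instead of leaking an unexpected format.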
> Tell that to this US law the whole world has to comply to called DMCA.
If a site has no US presence and blocks all users in the US, what negative repercussion can violating the DMCA incur? Maybe their domain can be seized, but that can be avoided by not having a domain hosted in the US. The US could block all traffic to the site, but that should be moot if the site has no US users.
With the DMCA, if a US judge determines that a foreign company has broken the law, and someone associated with the company ever visits the US, that person is at a high risk of being orange-jump-suited in a barbaric punishment system.
This is outside the scope of my previous comment. If someone visits the US then they have a physical presence in the US.
I'm still failing to see how the original claim, that everyone has to abide by the DMCA, is true. This seems like claiming that everyone has to abide by Thailand's Lese Majeste laws (laws criminalizing insults to the monarchy). Yes, people may face repercussions if they have an economic or physical presence in the country. But if they don't, then there's nothing Thailand can do to enforce this law.*
* not without cooperation with other countries at least. Some nearby countries are known to enforce Thailand's Lese Majeste laws abroad and extradite people. But in most countries, this isn't the case.
The "Pirate Bay guys" were prosecuted in Sweden; nothing I can find in the coverage of their arrests and trials mentions American copyright law. Extradition treaties are voluntarily made by the countries that establish them.
Again, if a country doesn't want to abide by the DMCA then they don't have to. Extradition treaties and the Pirate Bay do not disprove this claim.
The internet doesn't know, but e-commerce/data business pretty darn well knows where their customers/users are situated.
The old web was mostly static websites. We spoke of visitors. The new web is app-ified/interactive, walled off to logged-in agreement-abiding geolocated users, and even a single logged-out "visit" broadcasts this to 100s of trackers who will remember your every move online.
If you aren't collecting and storing PII, you have nothing to fear from the GDPR. Even if you are, you're fine as long as you only collect what you legitimately need to offer your services.
IANAL, but if your company is a targeted marketing company (think Groupon) and users sign up explicitly to get sent offers, then you're probably in the clear. If your company offers some other service, but you also want to sell your users' data for targeted marketing, the GDPR requires you ask for and get real consent.
I find it odd that people take issue with regulation. Perhaps it's been ingrained into the cultural consciousness of the West that regulation is always bad, but historical analysis shows that regulation has always had an overwhelmingly net positive effect for the members of a given society. You can link the stage of a country's development to how effective its government is in protecting its constituents.