GDPR Resources
-
The thing about the GDPR, is that it is SO broad, that if you are in the EU, it applies to... everyone. Even humans. Just overheaing a name or having a wifi access point falls under it. Everyone, even home users, are often included. It's so sweeping it's insane.
In the US, companies aren't affected by it unless they are receiving that data from a company in the EU and the EU company follows the law and has a contract with the US company binding it to the rules.
Your average US based website is under no obligation to do anything for the GDPR, but US based websites are something like 90% of the coverage cases.
-
It is very broad. They're basically leaning on case law to refine and define it.
-
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
Imagine how this would play out in the real world. If countries could just make any law that they want to apply to other places that don't have access to their legal system... Bahrain could make some law, make it secret, and arrest everyone in France for breaking their laws. Doesn't make sense. Sovereignty is the barrier to legal exposure.
I am not sure what all the things are that underlie this law in terms of existing treaties, but there are some very reputable organizations that are assuming that it will be enforceable on US companies that interact with EU citizens without a physical presence in the EU.
That's a LOT of stuff and I can't find anything in it. Where do you see if saying that it would apply to US companies?
Section 1, bullet 2: "Second, a controller or processor not established in the EU will be subject to the GDPR 'where the processing activities are related to offering goods or services to data subjects in the Union,' even when the goods and services are offered for free." is the easiest to locate, but there are other statements that either explicitly or implicitly state that US companies without physical presence in the EU will be subject to GDPR.
You left out the part of the quote that makes it not matter to 99% of companies...
“where the processing activities are related to offering goods or services to data subjects in the Union,”
So that bullet point doesn't apply.
-
@kelly said in GDPR Resources:
It is very broad. They're basically leaning on case law to refine and define it.
Case law.... in countries that aren't under the law.
Doing that is no different than me making a law that says "if you talk to Scott, you have to obey him for life" and anyone who says "hi" to me I try to make my slave.
I can say that, I can even say that I am "relying on case law" to hopefully make it happen. but bottom line, the EU like me, is not a US lawmaker.
-
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
Imagine how this would play out in the real world. If countries could just make any law that they want to apply to other places that don't have access to their legal system... Bahrain could make some law, make it secret, and arrest everyone in France for breaking their laws. Doesn't make sense. Sovereignty is the barrier to legal exposure.
I am not sure what all the things are that underlie this law in terms of existing treaties, but there are some very reputable organizations that are assuming that it will be enforceable on US companies that interact with EU citizens without a physical presence in the EU.
That's a LOT of stuff and I can't find anything in it. Where do you see if saying that it would apply to US companies?
Section 1, bullet 2: "Second, a controller or processor not established in the EU will be subject to the GDPR 'where the processing activities are related to offering goods or services to data subjects in the Union,' even when the goods and services are offered for free." is the easiest to locate, but there are other statements that either explicitly or implicitly state that US companies without physical presence in the EU will be subject to GDPR.
You left out the part of the quote that makes it not matter to 99% of companies...
“where the processing activities are related to offering goods or services to data subjects in the Union,”
So that bullet point doesn't apply.
I merely quoted the text from the article. The absence of the text was not deliberate. In fact the bullet point actually does contain information that covers your comment.
That said, goods or services is very broad. Is Kickstarter affected? There are EU citizens that participate in kickstarts, but the company is solely in Brooklyn, NY. Based on the above they would be, as would any other company in a similar situation.
-
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
Imagine how this would play out in the real world. If countries could just make any law that they want to apply to other places that don't have access to their legal system... Bahrain could make some law, make it secret, and arrest everyone in France for breaking their laws. Doesn't make sense. Sovereignty is the barrier to legal exposure.
I am not sure what all the things are that underlie this law in terms of existing treaties, but there are some very reputable organizations that are assuming that it will be enforceable on US companies that interact with EU citizens without a physical presence in the EU.
That's a LOT of stuff and I can't find anything in it. Where do you see if saying that it would apply to US companies?
Section 1, bullet 2: "Second, a controller or processor not established in the EU will be subject to the GDPR 'where the processing activities are related to offering goods or services to data subjects in the Union,' even when the goods and services are offered for free." is the easiest to locate, but there are other statements that either explicitly or implicitly state that US companies without physical presence in the EU will be subject to GDPR.
You left out the part of the quote that makes it not matter to 99% of companies...
“where the processing activities are related to offering goods or services to data subjects in the Union,”
So that bullet point doesn't apply.
I merely quoted the text from the article. The absence of the text was not deliberate. In fact the bullet point actually does contain information that covers your comment.
That said, goods or services is very broad. Is Kickstarter affected? There are EU citizens that participate in kickstarts, but the company is solely in Brooklyn, NY. Based on the above they would be, as would any other company in a similar situation.
Right, except there is no law to cover them. It's as simple as "EU law doesn't affect outside the US"
It's really that simple. They have no jurisdiction. There is no GDPR in the US.
-
@kelly said in GDPR Resources:
That said, goods or services is very broad. Is Kickstarter affected? There are EU citizens that participate in kickstarts, but the company is solely in Brooklyn, NY. Based on the above they would be, as would any other company in a similar situation.
No, because no goods or services offered in the EU.
-
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
That said, goods or services is very broad. Is Kickstarter affected? There are EU citizens that participate in kickstarts, but the company is solely in Brooklyn, NY. Based on the above they would be, as would any other company in a similar situation.
No, because no goods or services offered in the EU.
Ok, now you're quoting the regulation incorrectly...
Actual text:
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or
processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data
subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.In Kickstarter's case they are offering goods and/or services to data subjects in the Union.
-
@kelly, @scottalanmiller already pointed out that the law is allowed to say whatever it wants, but that doesn't mean that it can be enforced.
-
@travisdh1 said in GDPR Resources:
@kelly, @scottalanmiller already pointed out that the law is allowed to say whatever it wants, but that doesn't mean that it can be enforced.
Yes, and I already admitted my ignorance, but pointed to reputable, learned sources who do believe it will be applicable in ways I stated.
-
@kelly said in GDPR Resources:
@travisdh1 said in GDPR Resources:
@kelly, @scottalanmiller already pointed out that the law is allowed to say whatever it wants, but that doesn't mean that it can be enforced.
Yes, and I already admitted my ignorance, but pointed to reputable, learned sources who do believe it will be applicable in ways I stated.
The supposed reputable source (Looks like New York School of Law, do I remember that right?) isn't making any sense if they claim a company based in the US has to be compliant. They may be law experts, and they're most likely correct about any company that has an office in the E.U., but unless their is already a treaty in place that lets the E.U. enforce this on US companies, it doesn't hold water.
-
@travisdh1 said in GDPR Resources:
@kelly said in GDPR Resources:
@travisdh1 said in GDPR Resources:
@kelly, @scottalanmiller already pointed out that the law is allowed to say whatever it wants, but that doesn't mean that it can be enforced.
Yes, and I already admitted my ignorance, but pointed to reputable, learned sources who do believe it will be applicable in ways I stated.
The supposed reputable source (Looks like New York School of Law, do I remember that right?) isn't making any sense if they claim a company based in the US has to be compliant. They may be law experts, and they're most likely correct about any company that has an office in the E.U., but unless their is already a treaty in place that lets the E.U. enforce this on US companies, it doesn't hold water.
I'm not disagreeing with your and Scott's premise, but your conclusion. I believe you're both right that a law in another country without the basis of treaty will be unenforceable in another country. The fact that people who are responsible for knowing if an international law impacts US companies are stating that it is leads me, as a layperson, to think that there may be something there rather than just dismissing.
I have emailed the authors of the article to see if they have any basis for their conclusions.
-
This doesn't address the legal jurisdiction question that we've been discussing, but here is a clarification from the European Commission on an example of a company not subject to the requirements of GDPR:
"Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR."
-
@kelly said in GDPR Resources:
@travisdh1 said in GDPR Resources:
@kelly said in GDPR Resources:
@travisdh1 said in GDPR Resources:
@kelly, @scottalanmiller already pointed out that the law is allowed to say whatever it wants, but that doesn't mean that it can be enforced.
Yes, and I already admitted my ignorance, but pointed to reputable, learned sources who do believe it will be applicable in ways I stated.
The supposed reputable source (Looks like New York School of Law, do I remember that right?) isn't making any sense if they claim a company based in the US has to be compliant. They may be law experts, and they're most likely correct about any company that has an office in the E.U., but unless their is already a treaty in place that lets the E.U. enforce this on US companies, it doesn't hold water.
I'm not disagreeing with your and Scott's premise, but your conclusion. I believe you're both right that a law in another country without the basis of treaty will be unenforceable in another country. The fact that people who are responsible for knowing if an international law impacts US companies are stating that it is leads me, as a layperson, to think that there may be something there rather than just dismissing.
I have emailed the authors of the article to see if they have any basis for their conclusions.
My feeling, from looking at the article, is that they treating the majority case as so obvious that it's not mentioned. They are talking only about companies that do data processing on behalf of EU companies that are collecting data on behalf of clients. I think that it's a case of assumptions. They are assuming a basis that includes getting EU data in the first place. but the wording is so broad that just mentioning EU residents would be covered. Or they are assuming situations where there is jurisdiction and just assuming we understand that.
-
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
That said, goods or services is very broad. Is Kickstarter affected? There are EU citizens that participate in kickstarts, but the company is solely in Brooklyn, NY. Based on the above they would be, as would any other company in a similar situation.
No, because no goods or services offered in the EU.
Ok, now you're quoting the regulation incorrectly...
Actual text:
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or
processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data
subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.In Kickstarter's case they are offering goods and/or services to data subjects in the Union.
The key bit there is that the processor or controller in the EU is the tie. In all they example cases, there is a contract that connects someone to the EU. It's US companies, doing nothing in the EU, getting information about people in the EU, without ever being there, that is the issue.
To make it more difficult... consider that the US companies have no way to know that the data is about people in the EU.
Take ML for example, we have data the EU wants covered, but we have no way to know who is and isn't in the EU. Not only is there no means of enforcing the rule, there is no way to know what data it covers!
-
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
That said, goods or services is very broad. Is Kickstarter affected? There are EU citizens that participate in kickstarts, but the company is solely in Brooklyn, NY. Based on the above they would be, as would any other company in a similar situation.
No, because no goods or services offered in the EU.
Ok, now you're quoting the regulation incorrectly...
Actual text:
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or
processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data
subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.In Kickstarter's case they are offering goods and/or services to data subjects in the Union.
The key bit there is that the processor or controller in the EU is the tie. In all they example cases, there is a contract that connects someone to the EU. It's US companies, doing nothing in the EU, getting information about people in the EU, without ever being there, that is the issue.
To make it more difficult... consider that the US companies have no way to know that the data is about people in the EU.
Take ML for example, we have data the EU wants covered, but we have no way to know who is and isn't in the EU. Not only is there no means of enforcing the rule, there is no way to know what data it covers!
They key element in the link I shared above that goes to the EC site is that there is something that targets the good or service towards an EU member that is the delineating point of the regulation (leaving aside the enforce ability of the regulation). ML has nothing that targets EU citizens, but those things can be relatively simple and unassuming from what I've read, like language translation into an EU member language when that is not the native language of the country of origin.
-
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
That said, goods or services is very broad. Is Kickstarter affected? There are EU citizens that participate in kickstarts, but the company is solely in Brooklyn, NY. Based on the above they would be, as would any other company in a similar situation.
No, because no goods or services offered in the EU.
Ok, now you're quoting the regulation incorrectly...
Actual text:
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or
processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data
subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.In Kickstarter's case they are offering goods and/or services to data subjects in the Union.
The key bit there is that the processor or controller in the EU is the tie. In all they example cases, there is a contract that connects someone to the EU. It's US companies, doing nothing in the EU, getting information about people in the EU, without ever being there, that is the issue.
To make it more difficult... consider that the US companies have no way to know that the data is about people in the EU.
Take ML for example, we have data the EU wants covered, but we have no way to know who is and isn't in the EU. Not only is there no means of enforcing the rule, there is no way to know what data it covers!
They key element in the link I shared above that goes to the EC site is that there is something that targets the good or service towards an EU member that is the delineating point of the regulation (leaving aside the enforce ability of the regulation). ML has nothing that targets EU citizens, but those things can be relatively simple and unassuming from what I've read, like language translation into an EU member language when that is not the native language of the country of origin.
Yeah, and it's SO loose that "we use English", or "we do tech and the EU is very technical", we are "pro business", we have a .it domain, etc. are all things someone might argue make us "target" EU citizens.
-
It's probably something that millions of US companies should join together and pressure the FTC to sue the EU on behalf of American businesses for extortion and threats; and make a law that makes it illegal to attempt to enforce or mention in the US.
-
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
That said, goods or services is very broad. Is Kickstarter affected? There are EU citizens that participate in kickstarts, but the company is solely in Brooklyn, NY. Based on the above they would be, as would any other company in a similar situation.
No, because no goods or services offered in the EU.
Ok, now you're quoting the regulation incorrectly...
Actual text:
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or
processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data
subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.In Kickstarter's case they are offering goods and/or services to data subjects in the Union.
The key bit there is that the processor or controller in the EU is the tie. In all they example cases, there is a contract that connects someone to the EU. It's US companies, doing nothing in the EU, getting information about people in the EU, without ever being there, that is the issue.
To make it more difficult... consider that the US companies have no way to know that the data is about people in the EU.
Take ML for example, we have data the EU wants covered, but we have no way to know who is and isn't in the EU. Not only is there no means of enforcing the rule, there is no way to know what data it covers!
They key element in the link I shared above that goes to the EC site is that there is something that targets the good or service towards an EU member that is the delineating point of the regulation (leaving aside the enforce ability of the regulation). ML has nothing that targets EU citizens, but those things can be relatively simple and unassuming from what I've read, like language translation into an EU member language when that is not the native language of the country of origin.
Yeah, and it's SO loose that "we use English", or "we do tech and the EU is very technical", we are "pro business", we have a .it domain, etc. are all things someone might argue make us "target" EU citizens.
From your response it sounds like you are not studying the topic very deeply and are making some unfounded assumptions. I might be misunderstanding what you're getting at, but in the things I've linked they talk about what targeting EU data subjects actually looks like. It is not a list of things, but it gives examples of things that would be considered targeting. It isn't concrete, and probably never will be. That is the way of legislation. It requires case law to flesh it out.
Actually your .it domain might land ML in GDPR land because of the requirements to obtain that tld have very clear and direct ties to an EU member.
-
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
That said, goods or services is very broad. Is Kickstarter affected? There are EU citizens that participate in kickstarts, but the company is solely in Brooklyn, NY. Based on the above they would be, as would any other company in a similar situation.
No, because no goods or services offered in the EU.
Ok, now you're quoting the regulation incorrectly...
Actual text:
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or
processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data
subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.In Kickstarter's case they are offering goods and/or services to data subjects in the Union.
The key bit there is that the processor or controller in the EU is the tie. In all they example cases, there is a contract that connects someone to the EU. It's US companies, doing nothing in the EU, getting information about people in the EU, without ever being there, that is the issue.
To make it more difficult... consider that the US companies have no way to know that the data is about people in the EU.
Take ML for example, we have data the EU wants covered, but we have no way to know who is and isn't in the EU. Not only is there no means of enforcing the rule, there is no way to know what data it covers!
They key element in the link I shared above that goes to the EC site is that there is something that targets the good or service towards an EU member that is the delineating point of the regulation (leaving aside the enforce ability of the regulation). ML has nothing that targets EU citizens, but those things can be relatively simple and unassuming from what I've read, like language translation into an EU member language when that is not the native language of the country of origin.
Yeah, and it's SO loose that "we use English", or "we do tech and the EU is very technical", we are "pro business", we have a .it domain, etc. are all things someone might argue make us "target" EU citizens.
From your response it sounds like you are not studying the topic very deeply and are making some unfounded assumptions. I might be misunderstanding what you're getting at, but in the things I've linked they talk about what targeting EU data subjects actually looks like. It is not a list of things, but it gives examples of things that would be considered targeting. It isn't concrete, and probably never will be. That is the way of legislation. It requires case law to flesh it out.
Actually your .it domain might land ML in GDPR land because of the requirements to obtain that tld have very clear and direct ties to an EU member.
That's the list I'm working from. Read it carefully, it's sweeping and can include absolutely anyone, anytime, anywhere.