Zephod Beeblebrox

@frankrausch But that applies only to data held on their EU based servers, surely?

18 comments
always tired (moved to chaos)

@BritishTechGuru @frankrausch No. Act on the EU market, follow GDPR or else. Regardless where the servers are.

Patrycja

@BritishTechGuru @frankrausch no, GDPR applies to all entities that process the data of European citizens - this was a meme back when GDPR was originally put into law and some US companies instead just blocked all IPs originating from the EU, or hardcoded to return "451 Unavailable For Legal Reasons"

CubeThoughts

@BritishTechGuru @frankrausch

Not just citizens - actually it applies to the processing of personal data of all data subjects within the EU even if the processing is done outside of the EU. Article 3 sets the territorial scope, with recitals clarifying. gdpr-info.eu/art-3-gdpr/
@ptrc

Tane Piper ⁂

@ptrc @BritishTechGuru @frankrausch Yep pretty much any local news site in the US does this - lazy devs/management don't want to pay for it so better to just block the traffic than fix their shitty advertising.

joël

@tanepiper @ptrc @BritishTechGuru @frankrausch this is annoying 1-2 times a year for me, but as a USian I'd ask them WTF they are doing with my data

dark_stang

@BritishTechGuru @frankrausch location of the data does not affect GDPR rules. If they operate in Europe, they have to follow the rules. Even if they contract the work to a 3rd party outside of Europe.

Zephod Beeblebrox

@dark_stang @frankrausch "operate" so if they have an office in Europe. I can't see somebody just selling stuff to people in Europe much caring.

Julian Andres Klode 🏳️‍🌈

@BritishTechGuru @dark_stang @frankrausch It becomes harder/impossible to enforce without an office but technically no, even if you are a fully US company and you sell to Europe you are bound to GDPR.

What we gonna do - throw executives on EU trips into jail until GDPR compliant?

goedelchen

@juliank @BritishTechGuru @dark_stang @frankrausch Why not? It's not that the US wouldn't do it (ask Swiss bankers)

Andreas K

@goedelchen @juliank @BritishTechGuru @dark_stang @frankrausch

Actually, not really a risk. GDPR is generally administrative law, so jailing people is atypical. And in most European countries, judges don't jail people just because they irritated them.

So I don't think there is much of a risk of arrest. OTOH, the fines are painful, somehow generally the EU/MS get their money.

Nick

@juliank @BritishTechGuru @dark_stang @frankrausch As for enforcement, ask TikTok. The Italian regulator banned TikTok from processing data for children accessing dangerous content, resulting in a death, and TikTok scrambled to fix its age verification measures and re-verify all users in Italy.

Julian Andres Klode 🏳️‍🌈

@Nickiquote @BritishTechGuru @dark_stang @frankrausch It depends on the country and whether they'd go order the ISPs to ban the services at the DNS level, ultimately that's not universal across them, but that's a pressure point.

Nick

@BritishTechGuru @dark_stang @frankrausch The test isn’t “operate”. Companies with an “establishment” (subsidiaries, agents etc) in the EEA are caught. Companies without an establishment in the EEA but offering goods or services to EEA data subjects are separately caught and are required to appoint an EU representative for enforcement/liaison with regulators. If you do not comply the fines are up to 4% of global turnover. Identical rules apply in the UK.

Zephod Beeblebrox

@Nickiquote @dark_stang @frankrausch

That would lead to an interesting situation if I set up some online business and shipped a packet of cards to a Paris customer. Then I get a nasty message that the gendarmes are after me for my non-compliance.

When I eventually stopped laughing, I might even tell them to bring it on.

DevWouter

@BritishTechGuru @dark_stang @frankrausch

No, “operate” as in “provide service to those in the EU”. Simply go to the EU for a day and call the companies. The law applies even if you don’t live here.

Natanael ⚠️

@BritishTechGuru @frankrausch if you're an EU resident and they serve you in the EU, then all their global operations are covered and the EU branch is simply the easiest one for the EU to extract the fines from if they don't comply.

Plenty of companies with no presence in EU don't care because enforcement is impractical, but those who have physical branches here are much more motivated to comply once the regulator calls them

Zephod Beeblebrox

@Natanael_L @frankrausch I wonder if that was part of the brexit motivation?
