> But while the massive media blitz on the GDPR makes it appear terrifying, it doesn't magically grant jurisdiction over a local West Virginia site. The enforcement agency isn't likely to bother, because they have no means to enforce any sanction.
Yeah, they do. The EU issues them a fine, and they don't pay. Okay, nothing happens to them. But now any of the executives or board members or anyone else who can be held liable for their failure to pay the fine can never visit an EU country without fear of being held accountable for their failure to pay that fine.
> Is a West Virginia site "established" in the EU? That's dubious enough that I doubt they need to worry - for now.
This is false. GDPR applies to any company that collects data on customers in the US. If you run a site, and an EU user connects to it then GDPR mandates that you follow the GDPR rules for that EU user. [1] This is pretty screwed when you really think about it. Can Saudi Arabia outlaw Facebook from letting Saudi women post profiles without Burkas? Can they outlaw Facebook from allowing Saudi users from blaspheming Islam? Granted in practice, US companies are probably just going to tell the Saudis to eat shit. But that introduces the other gnarly question: which countries or pan-national organizations do have the right to govern beyond their borders (and, crucially, why do they get to do this and not others)?
> All in all: this sounds like an overreaction. Maybe it's a cultural thing too; lawsuits with huge punitive fines are much more common in the US, so the habit of avoiding liability is perhaps more deeply ingrained. But again, the risk seems trivial. And you know, if you don't care about overseas readers, would it kill you to be so polite as to say so? It currently says only: "Our European visitors are important to us. This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws." That's just a lie, likely both parts of it.
It's pretty clear that the EU wants tech companies, especially American ones, to bleed. Headline after headline in European articles from the Economist to The Guardian and others are calling for fines against American tech companies. You're right that showing a message, "This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws" is misleading. It should really read, "Your government has instituted vague and overly broad regulation on data collection which, coupled with a hostile attitude towards American tech companies, makes us unwilling to serve EU visitors".
> Yeah, they do. The EU issues them a fine, and they don't pay. Okay, nothing happens to them. But now any of the executives or board members or anyone else who can be held liable for their failure to pay the fine can never visit an EU country without fear of being held accountable for their failure to pay that fine.
If a particular long chain of events were to come to pass, then it's theoretically possible a director might be issued a fine. But the sequence of events required is absurd and long; West Virginia is more likely to be exterminated by a meteor strike than this. And even then: that's assuming the website and director are actively self-destructive, because even with this long chain of events you can't convince me there isn't some moment before then at which they could intervene to avoid meaningful consequences. I don't think we will ever, in the history of GDPR enforcement, see a case like the one you're describing leading to a meaningful fine. Sure, that's just my guess, and IANAL, and cultural differences in litigation and all that, but hey.
>> Is a West Virginia site "established" in the EU? That's dubious enough that I doubt they need to worry - for now.
> This is false. GDPR applies to any company that collects data on customers in the US. If you run a site, and an EU user connects to it then GDPR mandates that you follow the GDPR rules for that EU user. [...] I confirmed this for myself in the GDPR text. If you insist, I'll dig it up for you.
> It's pretty clear that the EU wants tech companies, especially American ones, to bleed. Headline after headline in European articles from the Economist to The Guardian and others are calling for fines against American tech companies.
I don't think you're wrong here, but I think you're misplacing the emphasis. And as an American I can understand it feels hostile. But the actual emphasis here is not on bleed, nor on American, but on tech-company.
There's a definite feeling here that tech companies are acting with impunity, that they feel like they can do whatever they want without serious repercussions and ask forgiveness later. So far, by the way: even with the GDPR, that is true, because it was affected by lobbying and thus the large tech companies are not quite as helpless as they at first appear; the fines (even in the GDPR) are actually quite low given what's at stake (i.e. to the extent that large specifically-tech firms are likely to be willing to take a few risks and skirt the law), and furthermore the law is quite vulnerable to regulatory capture precisely because only one DPA has jurisdiction - if the tech firms do their paperwork, and then national interest means things get messy. Time will tell if they get away with it, I have no idea.
But the law isn't as crazy as you make it out. There is no personal mandate, so all you can do as an individual is refer it to the DPA, and that means that small and unclear cases are automatically going to be irrelevant - which is by design, because it means the goalposts will naturally shift as firms get their acts together. In short: nobody can sue you under the GDPR, and fixing the most egregious cases is going to be fine for years. Yes - that's not a guarantee, so it's scary, and that too is by design. If you don't need to have all that privacy-sensitive stuff flying around, you shouldn't.
Don't forget that the damage isn't hypothetical here: all that PII obviously distorts democracy and enables identity theft. It's already happening on a massive scale; if anything the GDPR is years late and much too lenient.
But your focus on bleed and American is wrong. People want them to stop collecting PII. The GDPR isn't well suited to make companies bleed; it's too easy to avoid it; it's never going to amount to a significant tax. Nor is the focus on American - it just so happens the large tech firms are American. But people are more worried about Russia or China getting their hands on the American data on Europeans, than specifically Americans. Where activities were in the EU (e.g. Cambridge Analytica) it's not like the kid gloves are on.
Incidentally that's not to say people don't want a tax on tech firms; certainly France does. But that's a different issue and the only relation to the GDPR really is that the systematic tax-evasion techniques exacerbate the sense of impunity.
> You're right that showing a message, "This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws" is misleading. It should really read, "Your government has instituted vague and overly broad regulation on data collection which, coupled with a hostile attitude towards American tech companies, makes us unwilling to serve EU visitors".
That would be a much better message. Honestly! If that's their opinion, I really respect that. I hope we can both agree that there are no easy answers on jurisdiction on the internet, and that the GDPR is at least understandable even if it's onerous to some, and certainly not an ideal solution.
I don't believe the current state of affairs - mass surveillance; extremely asymmetric power imbalance between collector and subjects; news filtered largely through tech-facilitated bubbles; democracy; an internet without any walls - is stable. Something is going to give. And I hope it's not democracy - but I'm not convinced.
Once something like this turns into a nationalist, patriotic issue, you can be absolutely sure that what's definitely going to die first is jurisdictional restraint and the wall-less internet. And that would be a shame.
1. https://www.forbes.com/sites/forbestechcouncil/2017/12/04/ye... I confirmed this for myself in the GDPR text. If you insist, I'll dig it up for you.