I mean, mild annoyance is nothing compared to the annoyance of war thorn continent, I wouldn't bet too much on the destruction of EU or even withdrawal of GDPR

Those are the only two options? Now that I know that, instead of what a practical person might deem as an option which is to repeal the law, the EU and GDPR proponents' mindsets make a lot more sense. I often wondered why new legislation was piled on older legislation that wasn't even enforced then, and why other statues wrt cookies and what not cannot be seen by legislators as more bad than good and worth removing. Now I know.

Please respect our laws and privacy or don't do business with us. We will be very sorry if your product is irreplaceable or we will use a competing product that complies with GDPR.

Obviously the last incarnation of the GDPR didn't work for multiple reasons, the most oft-cited one being non-enforcement. Was the option to repeal and take other approaches to the problem considered? Nope...double down. Since people agree with the intent, the approach often appears above reproach.

I see you're in Texas. Don't worry too much about EU, we are doing fine. We will figure this thing out if it turns out to be more bad than good.

Stop sending us your data and money? I don’t leave the US to deal with EU customers. You send requests to my server in the US. If you’re unhappy with me, stop doing that.

And it’s pretty rich to complain about companies not complying and leaving the market, while also using VPNs to use their service anyway. Apparently protecting your data isn’t as important as you say?

See, how browsers work is that they load this thing called HTML that describes the content and can load other stuff without asking me. Apologies if I accidentally sent any data or money, it wasn't my call. It was in the HTML that I loaded because I was offered to view a free article.

Regardless, whether you intended to send my server a request is your problem. The fact is that you did, and that hardly gives full control of my business to whatever legal jurisdictions claim you as their subject.

Anyway, don't be too upset about all this. The law is not banning you from collecting my data, you just need to be explicit and informative about it so that I can decide if I am going to send a request to your servers.

I'm often disturbed by the mindset that people are some business' god given a right to exploitation. It's the other way around really, that is, if you can find a way to serve me or solve a problem of mine I might choose to do a business with you if I decide that the compensation you demand fair.

If your business is unprofitable when you have to ask me for permission in plain English maybe it simply means that you don't have a profitable Business and you should consider doing something else.

We don't see business people complaining that government regulations are hurting their organ harvesting businesses, right? People decided that they don't want other people to sell their kidneys on open markets, so that business doesn't exist.

People at some point decided that they don't want to get cancer from Asbestos, regulations kicked in and the Asbestos businesses were destroyed.

This time around people seem to be in control of their data, if that makes your business unprofitable or impossible do what others did: Something else.

There you get it. If your business is not profitable when you respect the privacy preferences of your users you simply don't do business.

It's not your god given right to violate user's privacy so that you can turn a profit.

In other words, if you can't make a profit by selling 1$ burgers when you meet hygiene requirements just get out of the 1$ burger business.

No need for hard feelings.

This is a false dichotomy:

1. Fully comply with the GDPR, no matter the cost, even if that's just legal and administrative because you're not actually doing anything in terms of data practices that would violate the law.

2. Go out of business, because you clearly are intending to do shady things that violate user privacy.

if you can't make a profit by selling 1$ burgers when you meet hygiene requirements just get out of the 1$ burger business

Perfect example.

Say I run a burger shop that is perfectly clean and in compliance with all local laws, but the EU passes a law that says I need to fully audit all my food safety practices, publish them in a public place with their format, appoint a food safety rep in the EU, and comply with other vague requirements that they deem necessary, just in case an EU citizen visiting the US comes and eats at my shop.

Now, if I ignore that, am I "breaking the law"? I guess so. Just like I might be breaking some Indian law by serving beef at all (hypothetical). But does it actually matter? Can the law be enforced? Should I care as a matter of civic duty? Very likely not.

Worse, should the entire citizenry of the EU suddenly decide that my small town burger shop in Iowa clearly intends to feed every customer tainted beef and deserves their opprobrium and any fines that can possibly be levied by the EU, just because I didn't fully comply with their law?

And if they do develop some enforcement mechanism to use against small town USA burger shop, how is it not my right to put up a sign that says "Sorry, EU customers, but please don't eat here, as I don't comply with your laws"? Is your argument seriously that I should comply with every law from every jurisdiction in the world, just because a customer from that jurisdiction might wander into my shop, even when I've expressly told them not to?

About the burger thing, we do not need to assume things here, we can examine the reality and the reality is that McDonald's complies with the EU regulations when doing business in the EU, local American burger shops that don't do business in the EU do not comply with the EU regulations. I hear that you have some amazing burgers in the USA, will definitely try few local shops!

Also, burger shops that do business in EU(usually chains, McDonald's and Burger King) do care about the EU food regulations, why shouldn't they and why shouldn't you? You are aware that McDonald's isn't steamrolling in the EU, right? They do follow the EU food regulations. And no, you don't have to be a big company to sell burgers in the EU, we have plenty of local independent burger shops all over the continent.

So, do you say that EU businesses should be able to operate in the USA but according to the EU laws and without any consideration to the US laws?

Or is your arguments something else, something selfish like all online businesses should operate according to the US laws or something like online businesses should not be bound by any laws whatsoever? Or something else?

If by "operate in the US" you mean that they are based in the EU and allow US residents to visit their website and purchase from them, then yes, absolutely. Why would it be any other way?

I just don't see how the alternative works at all. Why couldn't some city in France pass a law that if a citizen of their city buys something from your site based in Hong Kong, you owe that city a tax of $50k. That's obviously ridiculous and not enforceable, but why is it not based on the same underlying legal theory that a business is bound by the laws of jurisdiction where visitors or customers to their site originate from?

The USA too is going after foreign companies doing business with Iran or Cuba. The USA is not happy with cryptocurrency ICO's and it's enforcing it. The USA is forcing the world to respect DMCA.

The taxes are also an issue, even within the USA doe to different VAT in different states.

These are topics that have been in discussion since the beginning of the internet and the dust is just settling and the solution is not simple as "You obey to the laws according to the country you're based in". It's a huge huge topic.

Edit: And FYI, many countries do enforce a tax on foreign purchases. For example, Turkey will be forcing American internet giants to charge VAT to its Turkish clients and transfer that VAT to the Turkish government. Countries want to collect taxes, you can't really get away with "I am an American company so I operate tax-free" argument. Politicians will work out an arrangement like "I will make your tax law enforceable on my companies if you let me use your military base and purchase weapons".

The tax situation is a good example. Historically, sales tax has not been able to be levied by states against companies just because they have customers in that state. They have to have physical "nexus" in that state as well. There are a number of states trying to do an end run around that right now with "economic nexus", which will probably end up in the Supreme Court at some point.

Many countries try to say that VAT is due, but their ability to enforce is pretty limited. If you run a small business online and you WANT to pay attention to every single global tax jurisdiction and send them whatever tax they say is due, go for it. But if you don't, the practical reality is that there's nothing they can currently do about it.

I do agree that these issues are complicated and that the Internet has thrown a monkey wrench in a LOT of legal precedent in ways that will need to be sorted out.

I just don't think the GDPR is the right framework. Data privacy may be a human right, but so is democratic representation, and having governments all over the world pass laws that they say apply to my company is unjust.

EDIT: looks like economic nexus is being decided now: https://www.journalofaccountancy.com/news/2018/apr/supreme-c...

Anyway, it boils down to enforceability. EU is a huge entity and probably will be able to enforce the GDPR by forcing payment systems and gatekeepers like Google and Apple that legally operate in the EU not to do business with businesses that do not respect GDPR. Maybe it will be a bargaining point in some trade talks between other countries and the EU and EU will insist that the countries will help with the enforcement of the GDPR in exchange for something that other countries want from the EU.

As long as we don't live in some kind of libertarian anarchy world order, these things will be determined by the politicians.

Well, duh, businesses are subject to local laws! That is not an argument, but a fact. Don't take my word, ask your friendly lawyer.

What is your alternative? That online businesses are subject to the union of all the laws of all the countries whose citizens can reach them?! That's ridiculous. Do EU businesses follow Iranian regulations?

Of course, if they want to do business in Iran. The same goes for every company and country. Don't you believe me?

Go to your iPhone's Settings-> General -> About -> Legal -> Regulatory

There you'll see which regulation Apple follows. Despite being an US based company, Apple complies with the regulations of Canada, Europe, Japan, Singapure, Russia etc.

How do you even imagine that a company will be doing business in one country byt will be excepted from the regulations because it's based in some other country? That would not be possible, companies would simply move to the least regulated place with the lowest taxes. Oh and they do that wherever possible(i.e sell to EU from Ireland).

Availability of quality free content is not a problem, the content will just be available from other source.

The big problem on the ads-monetized web today is ranking high enough, and the site that don't want to apply GDPR will just have to compete with the site that do have the extra push the EU market give them. On the advertizer side, they make direct money from content accessibility so they will upgrade their tracker so it is GDPR compliant for EU-traffic with no work from the content publisher. That is a non issue, this is just day one of a big change.

Let's also not paint a rosy picture of the web either. GEO blocking is a common daily reality for people outside the US. Any valuable and popular content is locked already, despite being monetized quite directly (see Netflix, Amazon Prime, ...)

Only if all content on every web site around the world is equal. Which it is not.

If the quality was the same everywhere, and the same content was available everywhere, then people in Europe wouldn't have to go to web sites in other countries.

There are lots of reasons for companies in Europe to need to read the Chicago Tribune (PR clipping service, for example). But the Tribune's content is no longer available to the E.U., and will not be replicated elsewhere for copyright reasons.

As much as I dislike Tronc as an entity, I don't blame it for this decision. Within hours of GDPR going into effect, the lawsuits started flying. That's exactly why some companies decided it was easier to just opt out of Europe.

Only if I make significant money from that market. If most of my revenue/profit comes from the US and it's problematic to "do business" in the EU or China, why wouldn't I want to just cut access off rather than dealing with potential hassles? The fact that it's potentially a large market is irrelevant to me. In this case, any moderately tech-savvy consumers can get to my site anyway using a VPN. But I've sent a clear message that I'm not marketing to European consumers.

Because you would rather grow your market?

The world doesn't have uniform GDP per capita. Potential European customers have more money to spend than most of those other potential customers. If you're looking for a new market, Europe is a juicy one.

Personally, I do no tracking on my sites so it's irrelevant to me but I understand why news sites with primarily local readership would decide dealing with the EU is more trouble than it's worth.

For a large, well-capitalized company to make this choice, it’s an indication of a few possibilities:

- Tronc doesn’t practice anything close to adequate IT practices to even know its compliance status, and pefers not to invest in doing so.

- Tronc can’t remain profitable if displaying GDPR-compliant pages in EU (this seems fleetingly unlikely, given the specific attempts to grow digital subscribership by marketing the papers as more global).

- Tronc is trying to make a political statement, like a boycott, hoping that many companies do this and it puts pressure on mitigating GDPR.

So while I agree with you for some small businesses just not wanting to mess with GDPR compliance or risks, however small, it certainly isn’t aviable explanation for these newspapers.

Let me rephrase: when you collect data on people with the goal to do behavioral / preference analysis on it, it doesn't matter any more whether or not you're 'marketing' to them, or even that you 'send them a clear message' you don't 'market to them'. The GDPR still applies to you.

If the Chicago Tribune doesn't envisage offering goods or services to EU residents, it's not covered. And geofencing out EU residents is a pretty good indicator it's not. (Frankly, it probably doesn't have to--it's unclear why someone would think the Chicago Tribune was actively marketing to EU residents anyway--but geofencing them out certainly eliminates any ambiguity.)Someone can't find their way to a site, fake being outside the EU, yell gotcha, and expect European regulators to do anything about it whatever people may wish.

So the question is - does the Chicago Tribune 'monitor user behavior'. The recitals say about that

In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

If I look at the list of tracking scripts, it's rather obvious that this is what their 'data processors' are doing. Hence, the territorial scope extends to them.

By blocking EU ip-ranges, that may change, I admit that. However, if by other measures like finger-printing the browser you serve EU-specific ads to vpn'd users you may be up to problems.

IANAL but it would seem pretty obvious that any content a visitor might seek on a website would fall under the rubric of "services." It seems like a tough position to argue that since e.g. the Chicago Tribune doesn't offer subscriptions denominated in Euros, that it isn't offering services ("news") globally.

The only thing that today makes clear is that this law is a mess, and it will take a lot of litigation before anybody really knows what it means.

I've said this many times here already, but law is not a closed rule based decision tree. Intent matters, and laws are written in a way that they can be interpreted so that their meaning can be adapted to new circumstances or different times. Now, I'm not going to argue about whether that's how it should be (because that's such a trite 1L discussion), but it's a fact that it is.

So no, that's not how it works.

So the EU regulators can say my TOS have to allow EU citizens to access my site and my site must follow the GDPR.

That seems unlikely, and the fact that there's so much ambiguity around this is why so many websites are opting to block the EU rather than dealing with it.

Hence my comment up thread - the law is not a closed system you can program like a code wars game, where if you're clever enough a judge will say 'oh you outsmarted me here because your logic is internally perfectly consistent, have a good day sir'.

So shouldn't the website's intent to block you from accessing it matter?

https://gdpr-info.eu/recitals/no-23/

Short version: GDPR does not apply if you happen to collect data on a few EU residents by accident (assuming you're not otherwise based in the EU).

Shouldnt you be the one sent to jail, as you are illegally accessing a computer that you were sepecially told not to access?

More like, sent a clear message you're not concerned of your user's data.

(Nothing personal, the signal may not necessarily echo the reality)

I'm all for it.

False equivalence. You can do nothing untoward with user data and still not be compliant.

Spin up a DO/Linode/etc. instance and apt-get install apache2? You're now theoretically liable for a 20 million Euro fine.

One of the most annoying things about the GDPR fandom is the black and white nature it seems to inevitably take. If your log files store IP addresses, you're clearly evil and shady and are violating human rights, just as bad as if you're recording people's conversations at home with the intent to deprive them of insurance or publish their sexual histories or whatever.

What possible "horrendous" harm is there from apache's default config storing IP addresses? Can you give me an actual harm that has befallen someone as a result of this that isn't some freak one-in-a-billion example?

It means that any future government, no matter how evil it is, could query your log and know precisely what I am doing on the internet right now. I might not want that.

Do the same, but from any country in the world, and make sure your welcome page has multiple languages, including some EU ones. Now you're specifically targeting EU users and you're liable for up to $20 million euros.

The response from GDPR fans is that: a) regulators would never levy such a fine, or b) they can't enforce it, or even c) that of course you should be fined because you're a filthy scammer who is stealing people's data and violating their human rights!

But all that misses the point: in what universe is it reasonable to even make such a claim to begin with? And why should I have to trust that the regulators will be more reasonable than the law requires, or that they won't be able to enforce what they'd like to do? And why should I have to comply because you sent me your info voluntarily??

Is there something that makes the internet different here? If someone in the EU puts some personal info in an envelope and mails it to me and I never get around to opening it and it just sits on a stack with other junk mail, am I now violating their human rights by keeping the info they voluntarily sent to me?

Everyone I've tried to make this point to has ultimately said something to the effect of "yes, you're violating their rights by not throwing out the letter." It's baffling.

That's optimistic ... but there is no reason to believe in many niche areas that another equally good product will do that. It is very plausible that in fact what will happen is that EU customers will be significantly delayed in accessing valuable services and products. And in many cases the web sites provide those would be making no meaningful intrusion on privacy in the first place.

Define "largest" in this context.

Please don't believe your own propaganda. EU/EEA revenue is a fraction of US revenue for all large multinationals. Small businesses probably make even less from the EU.

Good riddance, at least we know what websites we shouldn't have visited in the first place.

> smaller companies take their place with products that either cost money or will be a bit worse.

Or they will be better and still be free.

News companies are dying, news is commodity, if I can't read something on the LA times, I'm sure I'll find that same article on some other news site.

> small competitors will be to afraid of the law and shut EU users out

It's not a complicated piece of legislation, the short version is this simple: only collect data you actually need on your user to offer your service and be prepared to explain why, that's basically it.

> But we as a society are willing to accept that if the result is that more loans will be "reasonable".

The actual reason is that if you don't limit the loans, your economy will collapse.

Ah yes, the old "all regulations are equal" argument. It should come as no surprise to you that people view safety regulations on automobiles as vastly different than regulations on what a company can do with data about you.

Safety regulations exist because people wanted them, and the same is true here for privacy and data protections. Unless you can convince EU citizens en mass that they don't want the rights and protections afforded to them by this law then it really doesn't matter what anyone in particular person thinks.

You don't need to be a GDPR compliance expert to know that the costs of implementing GDPR are huge and I doubt any GDPR experts actually even exist today.

So you don't actually know anything, but you are going to pretend to know that it's "huge".

> I doubt any GDPR experts actually even exist today

Then why be so condescending and pretend that you are actually one?

Or the original news simply ceases to exist as is already happening at the local level in many cases. There's probably a continuing market for some global news organizations that are at least muddling through with subscriptions and other products. (Or not. See story on Time Inc. recently.) But I suspect the non-national/international journalism will continue to decline.