> Second, I believe the law protects EU citizens regardless of where they are.
That's incorrect. That is the attempted naive reach of the EU in action. The correct formulation is: the EU would like for GDPR to apply to all EU citizen data globally.
US sites/services with no business reach into the EU do not need to comply with EU privacy laws. 99% of businesses around the world (most small businesses), those outside of the EU, will entirely disregard GDPR - because they have no business dealings with the EU.
The EU has no jurisdiction over the US economy or its laws. That will remain the case. The EU also doesn't control China, or India, or Japan, or Brazil, or South Africa.
A simple example for illustration: I can establish a new US service that is ad based (with eg 100% of revenue being derived from the US market), I can keep all of my infrastructure & business operations outside of the EU, I can take on EU users at will, and I can do anything I want to - in compliance with US law - with their information without concern for GDPR: because the EU does not lord over the US, their laws do not rule the US. This is legally how GDPR actually works, despite the amusing propaganda campaign to pretend GDPR requires global compliance.
> the EU does not lord over the US, their laws do not rule the US. This is legally how GDPR actually works
The number of people who have lost sight of this is unbelievable. It actually seems especially rampant on HN, which is kind of surprising, to be honest.
I think it's because of a deep cultural divide. EU users who are big fans of the GDPR genuinely admire the law, both its intent and implementation, and also have a very positive view of the government. They believe that regulators will try to help companies comply, and will only fine as a last resort. Whereas in the US, we tend to be fairly skeptical of government. And as a consequence, since EU users think this law is a good thing for user privacy and the world at large, they want to see it applied globally by any means necessary.
But aside from that, I can't understand how EU users are unable or unwilling to separate the intent of this specific law from the broader principle that it represents, and how other countries might misuse this principle.
If any jurisdiction in the world can pass a law, no matter how ridiculous, that forces any business in the world with a website to comply, on the chance that a user from that jurisdiction might stumble on that site, AND there's any kind of enforcement mechanism, then the Internet will cease to exist. Either that or become ultra-balkanized, where every user has an identifier that will ONLY give them access to sites which are fully compliant with their jurisdictions.
What if the US passes a law that Americans are too fat and are no longer allowed to be sold gelato (they're allowed to buy gelato, but no longer allowed to be sold gelato), and then levies a multi-million dollar fine against every gelato shop in Italy where Americans visit on vacation?
Bear in mind GDPR seems to have become some sort of totemic issue for the small minority of people in Europe who are true-blue, dyed-in-the-wool ideological supporters of the EU project. They are flooding GDPR discussions with these sorts of views. A good giveaway is they say "speaking as a European" or use the term "EU citizen" (there is no such thing; the EU as an institution does not have citizens or issue passports, it's only member states that do that).
But Europe is full of people who aren't so in thrall to the EU as an idea, as evidenced by one of its most important countries voting to leave despite the population being threatened with massive chaos and severing of all cooperation and trade relationships with their neighbours should they choose to do so. Bad regulation was one of the most common talking points during the Brexit campaigns and GDPR is a good example of why.
These sorts of people aren't posting so much on HN but they are quite common.
Yeah? Show me someone who's a citizen of the EU but not a member state.
They don't exist. The EU loves to dress itself in the clothes of nation states, that which it so desires to become, but ultimately the concept of "citizenship" in the EU sense has nothing to do with the normal concept of citizenship.