You shouldn't be storing anything without first obtaining consent. Why are you using analytics indiscriminately?
Sorry, I find this ludicrous. Using analytics "indiscriminately"? What does that even mean? The most basic use case for analytics is to use them indiscriminately to see how visitors are using your site.
Not to mention that this is basically impossible, since storing IP addresses in Apache log files is also probably a breach. Someone in the EU sends you an email, now you're in violation because the header info is PII. A German walks into your hospital in Miami and signs in; if you don't have a special snowflake data management process for them that runs alongside your standard HIPAA-compliant one, you're probably in violation.
Any jurisdiction can already enforce their laws upon you if you affect their citizens.
No, they can't. They can declare any law, but that doesn't mean they can enforce it.
I really think that basically every business around the world who doesn't have a direct EU presence in terms of office, employees should (and probably will) just ignore the GDPR. It's a huge violation of sovereignty, the freedom and ideals of the internet, and a great example of how people will be pleased to let their governments enact policies no matter how harmful or dangerous as long as they're against an "enemy" that they hate.
Businesses that operate in the EU have to comply, businesses that don't interact with EU residents don't.
As the US has a special relationship with EU (Privacy Shield, ..), it recognizes GDPR as valid.
Don't like it? Focus on China, where WeChat is now your national ID card and is also linked to your personal credit score. Violate any government rules - your credit score goes down. Medical reps now have to register with the Chinese government before they're allowed to enter hospitals and their personal credit score is linked to their behavior. There you go, full data transparency nirvana.
The world is a big and complicated space and big regions define their culture differently. Europe is not business-focused, but puts the citizen first. The US considers businesses as citizens, data privacy a hindrance for profitability - and China wonders what this citizen thing is.
Easiest step: stop logging every single hit on your site (IP, browser, etc).
You want a bit more analytics?
Log general attributes, but not the IP. Just that a hit occurred, browser, general geo (country). That's it. Perfectly compliant.
Want them to fill out a form? Welcome to GDPR, as you should.
As Maciej Cieglowski (idlewords, pinboard) so eloquently states, over and over again, you don't have to store and hoard all this data. It's BS to begin with, and dangerous in the long run.
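The log-minimization step the comment above describes, as an added Python example that is not part of the thread and not any commenter's code: it parses Apache combined-format access log lines, drops the client IP and the full User-Agent string, and keeps only the hour, a coarse browser family, the country, the request path (query string removed) and the status code. The country lookup is a constructed stand-in for a GeoIP database, and the sample log lines are constructed (they use documentation address ranges).

```python
import re
from datetime import datetime

# Apache "combined" LogFormat; the regex is an assumption about that default layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed stand-in for a GeoIP database (prefix -> ISO country code).
# A real deployment would query MaxMind or similar; these are RFC 5737 doc ranges.
GEO_PREFIXES = {
    "192.0.2.": "US",
    "198.51.100.": "DE",
    "203.0.113.": "RO",
}

# Constructed sample input: three valid combined-format lines plus one junk line.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"
198.51.100.7 - - [10/Oct/2000:13:56:01 -0700] "GET /search?q=gdpr HTTP/1.1" 200 512 "http://example.com/" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/66.0 Safari/537.36"
203.0.113.9 - - [10/Oct/2000:14:01:12 -0700] "POST /login HTTP/1.1" 302 0 "-" "curl/7.58.0"
this line is not a log entry and is skipped
"""


def country_for(ip):
    """Map an address to a country code; 'ZZ' when the lookup has no answer."""
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "ZZ"


def browser_family(ua):
    """Reduce the User-Agent to a coarse family; the full string is a fingerprint.
    Chrome is checked before Safari because Chrome UAs also contain 'Safari'."""
    for name in ("Firefox", "Chrome", "Safari", "curl"):
        if name in ua:
            return name
    return "other"


def minimize(line):
    """Return a minimized record for one log line, or None if it does not parse.
    The IP, referer, response size and full UA are never copied into the result."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "hour": ts.strftime("%Y-%m-%dT%H:00%z"),   # minute/second precision dropped
        "country": country_for(m.group("ip")),
        "browser": browser_family(m.group("ua")),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # query strings often carry identifiers
        "status": int(m.group("status")),
    }


def minimize_log(text):
    """Minimize every parseable line of an access log; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        rec = minimize(line)
        if rec is not None:
            records.append(rec)
    return records


if __name__ == "__main__":
    for rec in minimize_log(SAMPLE_LOG):
        print(rec)
```

Because the IP is never written out, the resulting records can be kept for traffic analysis without a lawful-basis argument for each visitor; per-client abuse detection (the concern raised in the replies) needs a separate, short-retention data path rather than the analytics log.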
How would you then detect that there is a botnet messing with your service? How would you discriminate between bad actors from Romania? Are you going to mass ban huge chunks of possible customers because you don't have granular enough data?
The hard problem is that most of the data logged about you has very "good" uses, but at the same time it can be used for bad things. And there is no way to properly enforce only the good uses. Mass banning groups will only cripple the tech advances we see happening today.
aka “The Burning Bridges” plan. It could work, assuming you don’t like to travel, and never do business in those countries, and the global geopolitical situation does not radically change. A bit short-sighted...
Maybe so, but I’m not going to let every random bureaucrat around the world with an inflated sense of their importance dictate how I do business. If their enforcement mechanisms become such that I need to worry about it, I’ll do so then.
Unless you think that the EU is going to monitor every website on the internet and magically divine who owns them and what they’re doing behind the scenes with user data, and then develop a blacklist for those people so they can’t travel or they can go after them after WW3?
I guess I’ll really regret it if that’s the case. Until then, I’ll ignore.
Not how it works, but you show an attitude that is clearly hobbyist/freelance, which is fine.
Enterprise and anything related to big money cares. Not like the EU is a small market.
You'll also be surprised how much the US and EU cooperate, legally and economically. MS, Google, FB,... endless legal resources and yet the EU hammer is inescapable.
The most interesting thing to me is how you don't see the opportunity that GDPR represents to MAKE money. We're all raking in contracts and work consulting clients and updating products - but hey, I guess you don't want to compete. Good luck!
Ouch. You’re probably right about the hobbyist mindset. If I were responsible for a large enterprise I’m sure I’d be more circumspect about the stewardship I’d have over the company, employees, and customers. I hope that wouldn’t mean I’d decide it was fair and reasonable, just that I’d be more constrained on a practical level.
But I’m not, so...
Regardless, I have no interest in consulting to help companies solve an invented problem based on a bad law. I make plenty of money without making the world a worse place.
Well, good luck with that, but the world is full of random bureaucrats who can make your life massively difficult. It might or might not be right or fair, but it is and you play pretend at your own peril. Right now monitoring all sites can't work, but how about five or ten years? Bureaucratic institutions can have very long memories.
GDPR kicks in once an EU resident files a complaint. GDPR also enforces a data report card - so if an EU resident (not just a citizen!) asks you about their data, you have to comply and give a complete answer. If you then reveal you store PII without their consent or fail to reveal everything and get caught, the fines will kick in.
Don't screw over EU residents and you're fine.
And if you think this laughable, remember that it was a single Austrian law student, Max Schrems, who went after Facebook and killed the EU-US Safe Harbor agreement.
EU pensioners and students are what will kill you, endless time on their hands.
- Or in cases where you aren't located in the EU but are providing services specifically to EU residents, which can be hinted at by having a language choice mostly spoken in EU countries, allowing EU currencies (Euro, British pound and so on) or specifically mentioning supporting the EU, for instance by saying that your website can deliver packages to the European Union.
Facebook for instance has offices in EU, which makes it clear that they are under GDPR, but even if they didn't, they do provide Facebook in EU languages.
Yes. That's how the current GDPR law works. And it seems reasonable to me.
Accepting payments in USD is a pretty clear signal that a website mostly cares about US users, and if someone else uses the website, oh well, it happened, doesn't really change anything under GDPR.
(although you probably could have French support anyway, just expand the website to Canada as well ;), of course it isn't the same French as in France, but it's still French somewhat, EU currencies are trickier however)
Why not? It would certainly be ludicrous for a brick and mortar establishment to be subjected to that, but if you’re offering a global product, welcome to the rest of the world.
Kim Dotcom made the mistake of operating servers in the US jurisdiction. New Zealand made the mistake of complying with the US requests to extradite him. The US could not have effectively enforced its laws upon Kim Dotcom without New Zealand's assistance.
If China comes after me for something terrible I say about Mao (stray absurd example), and the US turns me over to China because they're influenced and/or intimidated by China, that would be a similar premise: the US would bear immense, near total responsibility for capitulating, showing no backbone.