It doesn't matter where your servers are, if you offer a service to people in the EU and you store their personal data, you need to safeguard that data and comply with GDPR.
It's a law, so it can be enforced through mutual international treaties.
However, common sense prevails in the EU and especially with GDPR, so no one will go after you because you use Google Analytics and didn't give an option to opt-out. But if you start collecting personal addresses, emails and phones disguised as a charity doubling their contributions and then sell that information to callcenters abroad for tax scams and upload it to 4chan, then yes, EU's reach will be tested.
This doesn't make any sense to me. So I'm German, I go to Thailand. I buy a Jet Ski to be used solely in Thailand? Is that Jet Ski under EU law now? Why is it different if I virtually go to Thailand?
Or don't like the purchase aspect? Okay, I go to Thailand and rent a car. To rent the car I need to give them my personal info: a copy of my passport, a copy of my international driver's license. If we follow the same logic, that Thai car rental company somehow has to treat the PII under EU laws.
The EU has no jurisdiction in Thailand, and the Thai car rental company should not have to do things differently just because the person renting is from a different country. That it happens to be online, like say I reserved the car while in Germany before my travel, seems like it would have zero bearing on this.
Can a restaurant in SE Asia take a reservation from an EU citizen? They need to store PII to do it. How does the EU send their enforcers over to that mom and pop restaurant to make sure their reservation system is protecting that EU citizen's PII?
I'm not trying to argue it's okay to use PII. I'm instead trying to understand how these laws actually work because they seem basically impossible to enforce or even implement.
I see the link above tries to cover this. Unfortunately it covers it in nonsense and doublespeak.
> Suppose you run a golf course in Manitoba focused exclusively on your local area, but sometimes people in France stumble across your site. Would you find yourself in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data.
> So I'm German, I go to Thailand. I buy a Jet Ski to be used solely in Thailand? Is that Jet Ski under EU law now?
No, not until you bring the Jet Ski through German customs.
> Why is it different if I virtually go to Thailand?
Because now, the Jet Ski operator is operating in the EU, and the EU could always choose to null-route said website. There's plenty of precedent for that, even in the US (DHS seizing torrent sites under counterfeit regulation, ISPs de-listing Pirate Bay DNS entries).
> Okay I go to Thailand and rent a car. To rent the car I need to give them my personal info. A copy of my passport, a copy of my international driver's license. If we follow the same logic that Thai car rental company somehow has to treat the PII under EU laws.
Perhaps, but as you say, the EU currently has no way to enforce its GDPR outside its jurisdiction.
How do you think the US enforces its take on copyright and patent law outside its borders? Through treaties and trade deals. If the EU wanted to, it could do the same with the GDPR.
The law applies to your non-EU company when you target EU citizens and people currently physically in the EU. E.g. if you sell goods and offer shipping to the EU, GDPR applies to you. If you do not ship to the EU and do not offer services to EU residents, GDPR doesn't apply to you.
There are some areas in need of examples:
For your restaurant in Bangkok that takes a reservation from the EU: not covered by the GDPR because they don't target EU residents, that a resident used their reservation page is incidental and an exception.
For some purely online service, if you somehow target worldwide or all speakers of an official EU language, GDPR applies. That means your French-language online newspaper in New Orleans is affected if it has an international section. If it is Chinese-language, you are fine. Geoblocking helps.
Yes, there is a grey area as the guideline says, and "targeting EU residents" is interpreted very widely. We will have to wait for the courts for an exact interpretation there.
To add to this: while EU law might not be able to reach you in the US and extradition over such issues might not happen, travelling to Europe for you or your subordinates might be "interesting", at least after a successful court decision. Also, freezing assets and payments is possible, as well as forbidding doing business with you. But that all depends on the kind of exposure you have there.
https://gdpr.eu/compliance-checklist-us-companies/
https://gdpr.eu/companies-outside-of-europe/