If anyone from the EU visits your website, and you're collecting server logs or analytics with IP addresses in them, you're now processing personal data of EU citizens and subject to the GDPR. They've written this regulation such that pretty much everything on the internet is subject to it.
How about email? If someone from the EU sends me an email, their IP address will likely be in one of the received-from headers, and will be in my SMTP logs.
Note that even if I don't have an email server, relying on my ISP to handle that, desktop email clients download the headers from the server.
A lot of small businesses have no idea that they are storing that information.
Well, geo IP blocks are much easier than fetching those logs by user on request. This will happen if EU citizens overly burden companies with these letters... but not until then probably. I definitely wouldn't want to jeopardize my future EU prospects by ignoring the requests for info.
It may be a bit of an unlikely scenario, but people should remember their opinions on region-specific content blocking even if they think their region has enough leverage to make everyone bend to their will.
If I don't need an adblocker because all the adtech companies already preemptively block me, I personally could live with that and would consider the GDPR to be working as intended.
It doesn't have to come to this, at least from adtech's side.
Generally, your device is instructed via a publisher's site/app to reach out to ad tech servers either directly (firstparty), or indirectly (firstparty->thirdparty, firstparty->RTB exchange->thirdparty).
Due to the "chaining", GDPR is particularly onerous on the adtech industry. Granted all the data is keyed by semi-anonymous IDs (cookies, IDFAs, IPs), the concerns for consent, retrievals, deletions, in a cascading manner, are an industry-wide problem requiring collective action. The IAB proposed something for the RTB side, the publishers don't like it, and it'll be tense until and through May 25th :)
Having said that, nobody wants to shut-the-whole-thing-down. While all these servers may refuse service based on fuzzing the request as originating from the EU, they may also decide to serve as-best-as-possible and minimize logging of the sensitive fields - it may be better, for example, to lose some functionality for European devices (behavioural targeting, for example, the idea of showing you an ad for the Widget you just looked at over and over), than to serve nothing at all.
Um, nope. Go ahead, try applying EU law to a US website. I run a few, by all means, knock yourself out. It's hilarious and baffling at the same time that you think the EU can write laws for other countries.
If you are selling things to people in country X, you have to be very careful if you decide to ignore X's laws for such sales. You and your company may be beyond the legal reach of X, but your suppliers and service providers might not be.
For example, if you decide to ignore tax laws in X, X might put pressure on your credit card processors to stop aiding your tax evasion. If the credit card processors respond by cutting off your ability to process cards, they might not bother just cutting you off from accepting payments from country X. They might cut you off completely. That would be pretty annoying.
By your logic, you should be allowed to go to Ladbrokes.com and put some cash on tonight's NBA games. I could if I wanted to, and I'm sure Ladbrokes would love to take your bets if they could. But you can't, because countries can make laws about selling to their residents. Ladbrokes blocks you, because US law says they must.
I'm sure you can rely on your site being too small for EU regulators to bother with, and I'm sure it would be hard for them to enforce if you have no operations in the EU, but the fact you ignore the laws doesn't mean they lack jurisdiction.
Irrelevant. Ladbrokes is not a US firm, I don't know, need to know, or care what their legal system is. It's entirely possible their laws require them to comply with US law, or that they have assets in the US.
A website hosted in the US, owned by a US citizen, residing in the US, is not subject to laws written in other countries.
The reason I used the example of a gambling website is precisely because the US has a history of prosecuting the operators of non-US websites for allowing US residents to join. There's nothing in UK law that says they can't let Americans bet. Didn't stop US authorities arresting several bosses of EU gambling websites. If you do a bit more research you'll learn that the US uses extra-territorial jurisdiction more than anyone.
Sure, that's true. It's a different subject. If one's country allows a foreign system to operate outside of its own legal system, it's about as strong of a sign as I can think of that the people do not actually control their government.
As a US citizen, I am strongly against our interference in other countries, but even if/when we fix that, it won't matter if the root problem is not fixed, since another outside power could do the same thing.
I'm sorry but no, it's the exact same subject. It's country A prosecuting a website in country B because they did something that's illegal in country A but legal in country B. The US does the same for copyright laws. Or is it OK if it's team America that's acting as world police?
I live in the US, _good luck_ enforcing foreign law on me.
It's a sign that the people here have the most fundamental control over their legal system. It's not my problem if country B can't do that, but I would REALLY like country B to have the same power over their legal system.
I could go into the real tests and what it means to have a legal system where the individual has so much power, and how to achieve that, but you are ignoring the distinction between enforcing foreign laws on a US citizen and a citizen of country B.
You are implicitly admitting the asymmetry, but instead of fixing country B, do you want country A to weaken its system so that it has the same foreign influence bug as country B?
Like I said, your argument boils down to "we're American: we'll enforce our laws on everyone in the world, but if you think you can tell us to obey your laws when we sell to your country, you can F off." Which is fine: you're welcome to say that because a law is hard to enforce you won't obey it. Just don't pretend you're not breaking the same principle that your government relies upon: that if you're serving a country's residents, you must obey that country's laws.
They can't enforce them on other countries but they can:
- Have their ISPs block access to your network
- Have their banks not process payments to you
And if you really want to generalize it to "laws" they can emit an arrest warrant: good luck ever travelling to another country that has an extradition treaty with any EU country.
They can't prevent a business in another jurisdiction from operating but they sure can prevent your business from being conducted with any EEA entities.