I hope not. I don't think HN should follow Indian or Cameroonian laws either. Why should it respect EU laws? Are EU laws more important than Republic of Peru laws?
It has nothing to do with more or less important. The EU does not obligate HN to follow European laws when serving users in America or in India. It is only the serving of European users that's under European jurisdiction. HN is free to choose not to follow GDPR, in which case it will not be allowed to serve users in the EU. I guess Peru and India can have similar laws, and if they somehow do conflict -- say, the Indian law says something about what HN should do in Europe -- then it's up to HN to choose which jurisdictions it wants to serve. When a website chooses to serve certain users, it chooses to place those transactions under certain jurisdictions.
If the website serves EU users and collects any personal data then it must follow GDPR. Fwiw, I think following Indian laws isn't an insane thing either seeing as tech is global and India is 4x bigger than the US - although I don't think there are any laws quite like GDPR in India that'd actually matter.
Well, it MUST follow Cameroonian law too then. What if they conflict? "GDPR in India that'd actually matter" Ah. There it is. The EU matters, others don't. Well, I think that is a terrible elitist opinion. I vote HN shouldn't bother enforcing other countries' laws.
"""The EU–US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States.[1] One of its purposes was to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens.[2] The EU–US Privacy Shield went into effect on 12 July 2016 following its approval by the European Commission. It was put in place to replace the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015.[3] The ECJ declared the EU–US Privacy Shield invalid on 16 July 2020, in the case known as Schrems II.[4]""" - https://en.wikipedia.org/wiki/EU–US_Privacy_Shield
They must follow the law of countries they do business in.
The conflicts are a well-known trouble. Between EU and US for example there is an ongoing dispute between US PATRIOT Act and GDPR, where (simplified) US say they got access to all data and GDPR forbids that. Different treaties which tried to allow some "safe harbor" between the regulations have been invalidated by courts so all operations crossing the Atlantic are in a legally questionable state ...
Now for HN the question is if they target EU customers. There is no need for them to actively block Europeans, but the line is unclear. It'd be clear if they were selling swag with prices listed in € or would show Europe-specific ads. In case of doubt it's the decision by a court.
Decision by a court then is the other dimension. A European court probably has a hard time reaching anybody for a fine or some other consequences. Companies like Facebook avoided that for a long while, but since they got stronger in their European ad business they are formally reachable by European courts in their subsidiary in Ireland. If a judge is really desperate they might try going via a European subsidiary to a company they invested in and put out arrest warrants against the managers in case they ever touch European ground ... but most judges will probably try to avoid that amount of work involved.
EU laws apply within the EU, as well as "what people do with EU citizen data online", which makes sense? If you have EU users, your handling of their data is bound by EU law, in the same way that if you have US users, your handling of their data is bound by US laws. (and yes, if Cameroon has laws pertaining to data handling then yeah: you're bound to those laws for your Cameroonian users).
This isn't a matter of "the laws are making our life hard": by accepting user data you, as a service, are consenting to following all applicable laws. You have opted in, now you have obligations. Don't want to deal with GDPR? Ask users where they're from and go "sorry, can't let you create an account, we don't want to have to deal with GDPR".
Even if you pretended HN was a "for US only" website (which it of course very much isn't) you still have at least five state laws to comply with (California, Virginia, Colorado, Utah, and Connecticut), and that number's only going to go up.
If you handle data, the easiest way to deal with this whole "oh my god so many laws" is to know where your user data lives, not sell it on without express consent, and have data deletion built in from day one with a "delete all my data (including my account, obviously)" button that users can click themselves. And presto, without any further involvement from your side (unless you lie, and don't actually delete data) you suddenly comply with all data privacy laws, and users don't even need to fill in official request forms relating to specific laws that you then have to deal with within X days. You just have an FAQ entry going "Q: How do I delete my data? A: Go to your account page and click the "remove my account" button".
The population of Cameroon is 1/10th of the US so it seems less important.
The population of the EU is almost double the US, and the law encompasses all companies globally that store data of people living there. Seems sensible to follow it else you'll be paying GDPR fines out your nose. If India came out with some consumer-friendly law that Indians can ask Dang to delete their comments, and I'd bet a good percentage of HN are Indian, I'd agree it's something that should be included. This is part of the difficulty of a global website :)
> If the website serves EU users and collects any personal data then it must follow GDPR.
The EU really wants you to believe this, but national sovereignty is a real thing and I’m not aware of any law under which any country will extradite their own nationals to the EU for violating EU law. In general, you are only subject to a country’s laws if you are in their jurisdiction.
If you run a website that serves EU users without following GDPR, and you’re not a business with a presence in the EU, what exactly is the EU going to do to you? Arrest you when you vacation in Europe, maybe, but if you don’t do that, it’s not like they have a China-style firewall.
My question was, how would EU fine a company in the US? They have no jurisdiction there. The same way (referring to sibling comments) Cameroon has no power to fine anyone outside Cameroon.
The companies in your article all have presence in the EU.
> The GDPR has extra-territorial scope, which means that websites outside the EU that process data of people inside the EU are obligated to comply with the GDPR.
I see that site makes the same assertions about jurisdiction that the comments here are making. However, it provides no explanation for why the EU can actually claim that jurisdiction, which is my whole point. Why are they obligated? How does the EU have such authority?
I say it doesn’t, for the simple reason given upthread, and you have provided no evidence to the contrary.
One weird GDPR implication our team considered during initial implementation of our solution was US citizens traveling to Europe, and even people visiting embassies of EU countries in the US, would seemingly trigger all applicable constraints of the legislation.
Personally, I still view GDPR more akin to regulatory capture than actual consumer protections; although, I do admit, more than anything, the Internet needs more consumer protection.