64 comments

[ 3.2 ms ] story [ 122 ms ] thread
I think one of the relevant passages is:

> Suppose you run a golf course in Manitoba focused exclusively on your local area, but sometimes people in France stumble across your site. Would you find yourself in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data.

This, combined with the <250 employees = lower obligations, seems to indicate one should worry about the GDPR but in proportion to the size of your company (outside the EU).

The bigger you are, the more seriously you should take it, I guess?

I don't understand how that meshes with the previous paragraph

> The Internet makes goods and services in far-flung places accessible anywhere in the world. A teenager in Cyprus could easily order a pizza online from a local pizza shop in Miami and have it delivered to a friend’s house there. But the GDPR does not apply to occasional instances. Rather, regulators look for other clues to determine whether the organization set out to offer goods and services to people in the EU.

If it applies or not us irrelevant, what only matters is to what degree is it able to be enforced (and in practice) against companies that have no assets under EU jurisdiction. From what I gather, it's very little, so most smaller companies simply don't care.
Careful. That's what they say about US laws, then your CFO gets arrested in Canada and extradited to the US...
Or New Zealand police raid your house at the behest of the US department of justice
this could turn out mega-embarrassing for NZ.
Pretty sure that both instances you're talking about (Huawei/Megaupload) are perfect examples of parent's point --- the US is capable of enforcing laws outside of its territory, the EU is not.
People sometimes ask "what backs the US dollar?" implying that nothing does.

The answer is the same as what extends US law to the entire world. 11 aircraft carriers.

What extends US law to the entire world is actually access to the US banking system and consumer base.
Unless you think the US is going to go to war with its allies, its military power has little importance in this context. The US is a large, wealthy market for imports and a supplier of many products and services that it exports. It's a huge financial centre. Despite the unfortunate state of its government and public services by the standards of a modern democracy, it's still broadly aligned with other modern democratic nations in terms of values and culture, which means it's still a much safer partner to trade and cooperate with than you'd find in some other large parts of the world.

This makes playing nice with the US a diplomatically and economically sensible policy, up to a point. I suspect the US will find it encounters that point increasingly often, partly because the rest of the world is also changing and partly because Trump did so much damage to international relations and the US may never fully recover. The ongoing negotiations about global corporate taxation are a good if rather dull example.

It depends if you have business in the EU. If you do, the EU has power over you. Indeed if you don't, Inspecteur Clouseau will be swatting your home !
Yeah, which is why the top comment is talking specifically about companies with no assets in the EU.
I don't know about assets, but Huawei definitely has business in the EU.
"both"? Sportingbet, betonsports...
Once the discussion on whether the EU can enforce laws over its territory is over, one can think about the content of GDPR and how its guidelines are good practices that your users will appreciate, even if GDPR doesn't apply to you.
> what only matters is to what degree is it able to be enforced (and in practice) against companies that have no assets under EU jurisdiction

This is exactly true. Now sure the nervous nellies will be all over what outlier things can happen as is typical. In a practical sense the EU does not have the resources to go after (other than perhaps a few test cases for publicity) anything but the juicy or most flagrant cases.

FWIW, I can’t access some US news sites from Europe because they “value my privacy and haven’t implemented GDPR yet.”
It's pity we're excluded from Freedom Tracking
Yeah, it's a bit funny how (Small Regional News Site) thinks they'll be the main targets of GDPR regulators.

While it's good they try to respect it, the fact that's there's an fundamental "local" nature to them, makes it very unlikely. Very very unlikely.

A lot of the blocks are down to "Small Regional News Site" really being "small regional front for a large news organisation running a single platform" that seems to have just made a blanket assessment. I don't think many genuinely small independent regional sites have bothered.

E.g. Lee Enterprises is one of the publishers who still blocks European users, and they own 75+ newspapers.

If you're in the EU and get "451: Unavailable due to legal reasons", it's a good chance it's a Lee Enterprises paper.

Understandable, it has been passed only five years ago and been applicable for three.
sometimes maintaining two systems is more trouble. also, CCPA closes this gap, as it's not only EU customers you have to worry about.
I think the pragmatic answer to this question is another question: do you have any operations that fall under EU jurisdiction?

If yes, then they have the ability to punish you and you need to follow the GDPR. If no, then the GDPR is just as irrelevant as any other EU regulation and can safely be ignored.

I love how even gdpr.eu has a cookie acceptance banner. Man, they really screwed the cookie law up.
The website has no relation with the law, and is not an authoritative source of information. It's not even a particularly good one. It's just a website run by some guys.
Ah, that makes more sense then.
Cookies per se have nothing to do with the GDPR. In fact, if your cookie is not tied to a natural person, the GDPR does not even apply. Also, cookies are under your control. You can alter and delete them whenever you want.

As an example: If your site allows different styles or languages and you want to store the setting in a cookie, you do not have to care about the GDPR. Only when you track your user's behavior with a cookie, the cookie banner thing becomes relevant.

I meant the cookie law. I'll update my comment to clarify.
Note:

"This is not an official EU Commission or Government resource"

Which explains idiocy like

> We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.

Is simply not on. You can't assume acceptance.

This is a violation of the regulator guidance for the ePrivacy Directive. So I wouldn't trust anything on this site when they themselves aren't compliant with EU directives and regulations.
To be fair the content is probably produced by a separate team which is not maintaining the actual website.

Law experts don't code webpages. But this is embarrassing nevertheless.

Its produced by protonmail.
Not true. You don't have to consent to set a cookie. It depends on what the cookie does. Gdpr actually doesn't care about technicalities like cookies, but about privacy. So if you achieve the same tracking using other techniques (like Etag) that needs consent as well.
(comment deleted)
That depends entirely on what they store in the cookies.
Why would anyone trust 'legal advice' on a complex piece of legislation from a site that can't even implement a straightforward regulation correctly.
This is a little unorthodox. But, a first party cookie that stores consenting data used for reasonably expected purposes, doesn't need to ask you explicitly for consent. [As Hacker News ostensibly doesn't need cookie consent for you to log in with a cookie.]

https://gdpr.eu/privacy-policy/ suggests they share data with third-party Google Analytics, which seems to breach guidelines - except that they respect Do Not Track in this case.

Sensitive topic, so I feel the need to state that I am not trying to troll by saying this:

I do not see this argument as idiocy.

Many stores have signs out front stating, "If you enter this building, you accept that you are being filmed". Many are recording you before you even enter. They do not require explicit consent from people willfully choosing to enter.

Should we really assume that the client has not taken any responsibility when they willfully type in https://www.somewebsite.com/ and hit enter?

Since users can block cookies/javascript, or simply not visit websites they don't trust, I genuinely do not understand at which threshold of manual intervention we can finally conclude that a user has accepted responsibility - if their voluntary decision to visit does not count.

I get that companies sharing data and doing nefarious things with your personal information is not great, but I don't see how this does anything to help with that.

There is a massive difference. A proper analog is stating that "web requests you make will be logged". If you don't want to be recorded as having walked in, don't walk in.

To make this a fair comparison, the sign would say:

  If you enter this building, you accept that you are being:

  - filmed
  - probed for all wifi and electrical emissions
  - weighed
  - measured
  - secretively (as much as can be managed) pinned with tracking beacons
  - lured into unknowingly entering other buildings w/o realizing it
  - fingerprinted by any surfaces you touch
  - associated with the means of transportation to arrive/depart
  - and on and on and on
Since people can just wear masks, electro-blocking hazmat suits, high heels, a fresh change of cloths for every outing and come equipped with high-resolution GPS and building blueprints... it's a perfectly reasonable assumption.
You forgot gait analysis [0] so remember to put a stone in your shoe.

What amazes me is how many people were worried about the distopian future of minority report [1] 20 years ago, yet (especially on HN) now it's here they welcome it. I guess Upton Sinclair was right: It is difficult to get a man to understand something when his salary depends upon his not understanding it.

[0] https://blog.ansi.org/2018/05/gait-analysis-walk-biometric-i...

[1] https://medium.com/context/personalized-advertising-is-an-ox...

Although it does depend a bit on what the cookies they are storing here are used for you cannot use implied consent to workaround the law.

Taking your example of signs in stores: if a store had a sign saying "if you try to steal from this store you will be shot on sight" it does not suddenly make that legal because a customer saw the sign and still decided to enter.

Additionally with a website you do not see the message until you have already entered and they have already placed the cookie so again, there can't be implied consent. It's just notification of what they have already done.

The EU cookie laws are basically, for non-essential cookies (e.g. mostly tracking/ad stuff) users must be given the option to reject them before they are enabled. Seems pretty simple + pretty fair to me. The problem is that most websites fail to implement it correctly. When they do implement it correctly it's really useful in my opinion.

>They do not require explicit consent from people willfully choosing to enter.

The GDPR however does require explicit consent.

>Should we really assume that the client has not taken any responsibility when they willfully type in https://www.somewebsite.com/ and hit enter?

I didn't type in anything or click enter to get to that site.

>Since users can block cookies/javascript,

Except when that breaks stuff.

> The GDPR however does require explicit consent.

I think you missed my point. I not asking about what the law says. I'm asking why a person willfully choosing to visit a site is not considered a form of consent, since it requires an intentional action from a user. If intentionally visiting the site isn't consent, how is it that clicking an "Accept" button magically is? Both are intentional actions by the user.

Feels like walking into a store and saying, "I don't consent to be here". That's fine, but you chose to be here, so now here you are. Feel free to leave and not come back. You have that choice.

Answered by another user: It depends on what the cookie is used for, and I understand this perspective to a degree.

Session cookies are required for a lot of basic functionality and have been around forever - people are used to them. But cross-site tracking and other telemetry tracking for targeted advertisement is a bit of an overreach, and very invasive. I get that people don't like it, but you can block a lot of that, and opt out of visiting the site entirely. I don't understand how adding an "Accept" does much. Feels like a superficial change.

> I didn't type in anything or click enter to get to that site.

Are you being pedantic...? If you clicked the link, you engaged in an intentional action - which is my point.

> Except when that breaks stuff.

Then don't visit?

This and the fact that uBlock detects 9 trackers on the site is quite puzzling given that its basically an ad/pr stunt by protonmail which itself generally doesn't have any trackers/cookie pop-ups
You can do a block for GDPR countries and avoid the issue entirely. We did that and its worked out fine.

This also helps avoid the cookie notice hell that you get if you design for the EU market - if you go to an EU page you can get a full page of cookie notices.

Cloudfront has a geo restrictions option that works well for this.

You don't need cookie notices for functional cookies (user preferences, load-balancing, session).
You don't know what you do and don't need to do. Literally the page linked here has lots of comments that they are doing cookie notices wrong / should be in jail etc.

Some people don't have time for all this lawyering just to post a few things online.

You could also just put in one pop-up, accept all, reject all, customize. No big deal, is it?
Because not exploiting your users is too much of a hassle for you?
Don’t be evil is only the first step. You also have to hire specialists and delay launches to continually prove to many bureaucrats’ satisfaction that you are still not evil. Opting out is much cheaper, and maybe safer since the “doesn’t target serving individuals in the EU” language is relatively clear.
Exactly. the EU is constantly changing the rules here. And penalties can be monumental. Users can also send you various data requests (and hackers can pretend to be users and do the same resulting in data breaches). Just not worth it.
Because users can control how their cookies are set, cleared etc etc?

Because it's not evil to not want to risk jail when giving away some stuff for free if you set a cookie by accident that is not approved?

Because most users don't care about these endless navel-gazing exercises?

Because there are much MUCH worse things online, from scam tech support folks who rip you off to ransomeware to endless other scams and hassles?

Because the cookie notice farce has done nothing about my ISP selling my browsing history, my TV reporting my viewing habits and showing me unwanted ads and seems to be designed to get self important folks who are technically clueless to jump around and pat themselves on the back.

Because while I never minded making stuff available to EU it's not worth jumping through a bunch of hoops to do so.

A lot of justifications. Would it really be to much to ask to just play nice instead of first coming up with a scheme to exploit users. Then trying to figure out how to stay within the law. And then finally, go out of your way on the internet to justify your behavior?
Note - IANAL

I deal with the question all of the time. My general, non legal view, is the following:

- If your economics operate outside of the EU (e.g. you accept money from non EU, have offices outside of EU, etc.) then you don't need to comply, however the process to comply isn't entirely all that hard to do (see point #2).

- GDPR is easy to comply with because you're either (1) at a scale where you have global operations so you're already or (2) you're at a scale where you don't really matter to the regulation, even if you have EU citizens in your DB.

- If you get acquired by another biz that has operations in EU (but you don't), then the overall entity likely becomes susceptible to GDPR

This is based on not a legal review, but rather a logistical one. In other words, if you don't have operations in the EU how on earth is the EU going to penalize you. Are EU cops (which don't exist?) going to show up at your door to collect money?

Browsing the internet in Monaco is a disaster as it is not EU but physically surrounded
(comment deleted)
Anyone know anything about that Horizon 2020 project REP-791727-1?

I can't find anything about it anywhere. There is a Horizon 2020 project with the ID 791727. But it is marked as closed, and is about funding of ProtonSuite and not disseminating information about GDPR.

https://cordis.europa.eu/project/id/791727

Suppose that there was a crypto-currency exchange with no assets or presence in the EU. Moreover, their TOS says "no EU residents" AND they IP-block EU IP addresses.

Some/many EU residents rent servers from AWS to do crypto-trading on this exchange. These servers are physically located outside the EU. These same residents also access the exchange's website using a VPN that says that that they're outside the EU.

[1] Is this exchange subject to the GPDR wrt said EU residents? [2] Does this exchange subject to tax-reporting requirements of the various EU countries?