18 votes

Why should any non-Euro companies care about the GDPR?

29 comments

  1. [5]
    Comment deleted by author
    Link
    1. [4]
      Deimos
      Link Parent
      I think you might just be misinterpreting it (and you cut off the next part of the sentence to make that easier). The full sentence is: To us in Canada and the US, the EU parliament is faceless...

      I think you might just be misinterpreting it (and you cut off the next part of the sentence to make that easier). The full sentence is:

      A new set of regulations passed by faceless, unelected bureaucrats in another jurisdiction isn’t going to magically put it there.

      To us in Canada and the US, the EU parliament is faceless people that we didn't elect.

      13 votes
      1. [4]
        Comment deleted by author
        Link Parent
        1. [3]
          GillyGumbo
          Link Parent
          To people not under their jurisdiction, another Country's parliament is pretty faceless, and also unelected (from there reference of those that literally did not elect them).

          To people not under their jurisdiction, another Country's parliament is pretty faceless, and also unelected (from there reference of those that literally did not elect them).

          5 votes
          1. [2]
            BuckeyeSundae
            Link Parent
            Not to mention the ingrained suspicion we Americans have for other people trying to tell us what to do. We did throw some tea around about that. We still prefer coffee to this day.

            Not to mention the ingrained suspicion we Americans have for other people trying to tell us what to do. We did throw some tea around about that. We still prefer coffee to this day.

            1 vote
            1. [2]
              Comment deleted by author
              Link Parent
              1. BuckeyeSundae
                Link Parent
                Only when other people apply tariffs to us, of course!

                Only when other people apply tariffs to us, of course!

                1 vote
  2. [5]
    Silbern
    Link
    Companies should care because if you ever want to expand into the EU, which has twice as many users as the US does, then you'll need to abide by these regulations anyways. And honestly, between...

    Companies should care because if you ever want to expand into the EU, which has twice as many users as the US does, then you'll need to abide by these regulations anyways. And honestly, between that much of these are things companies should have been doing anyways and that the EU has given everyone 2 years to implement them, I have very little sympathy for companies that didn't prepare themselves.

    12 votes
    1. [2]
      Luna
      (edited )
      Link Parent
      I've seen lengthy discussions over how backups need to be handled now because of the GDPR, in addition to how you need to treat PII that comes in through emails (including signatures). It's too...

      I've seen lengthy discussions over how backups need to be handled now because of the GDPR, in addition to how you need to treat PII that comes in through emails (including signatures). It's too vague, the fines are scary (especially for companies that can't afford to hire an army of lawyers), and there is way too much misinformation out about the GDPR. The EU really missed the opportunity to clarify their intentions through the official website or a press release, instead they've allowed fearmongering to run rampant about basic issues like disaster recovery. I can't say I really blame some smaller companies for having done nothing at this point. It'll be easier just to let large companies take the fall and let the courts decide the law.

      Edit: One point I have yet to find a solid answer on is who it applies to. EU citizens in the EU, sure. But what about EU citizens vacationing outside the EU? Or non-EU residents vacationing inside the EU? Or people with dual citizenship living outside the EU? You'll find different answers depending on where you look. And the EU's website had made no attempt at clarifying anything.

      Edit 2: I've also seen some people saying that blocking EU citizens from using your service is a violation of the GDPR, which really makes the EU seem heavy-handed and overreaching. I think that if you don't want to do business with the residents of a country because of their laws, that should absolutely be your right, but apparently that might be illegal.

      2 votes
      1. DanBC
        Link Parent
        It applies to: Any business in the EU Any business outside the EU who is doing business in the EU It protects natural persons who are residents of the EU. About your second edit: blocking EU...

        It applies to:

        1. Any business in the EU

        2. Any business outside the EU who is doing business in the EU

        It protects natural persons who are residents of the EU.

        About your second edit: blocking EU residents isn't a violation of GDPR. It's just a pointless thing to do. A company gathers my data in 2017, and it keeps that data. GDPR comes in, and the company geo-blocks my IP so I can no longer access their website. This shows they're not doing business in Europe. But they're still processing my data, and so they may still be non-compliant with GDPR.

        1 vote
    2. [2]
      GillyGumbo
      Link Parent
      Source on the "twice as many users" statement?

      Source on the "twice as many users" statement?

      1 vote
      1. Silbern
        Link Parent
        I seem to have mistakenly thought the EU's population was in the range of 700 million people, so twice as much is inaccurate, good catch. However, the USA is estimated to have around 287 million...

        I seem to have mistakenly thought the EU's population was in the range of 700 million people, so twice as much is inaccurate, good catch.

        However, the USA is estimated to have around 287 million internet users while the EU collectively is estimated to have around 434 million. The USA has a population of 330 million people and the EU around 511 million, so even assuming perfect penetration in both, the EU will still have significantly more users then the US does.

        6 votes
  3. [5]
    sid
    Link
    This is pretty interesting. There are several articles that claim that international law and the US-EU relationship means that the EU can fine US companies regardless of where they are...

    This is pretty interesting. There are several articles that claim that international law and the US-EU relationship means that the EU can fine US companies regardless of where they are incorporated, but I'm not a lawyer, so I need to read more to understand if that's true.

    Out of curiosity, what measures did you (@Deimos) take for GDPR compliance? It seems like tildes collects almost no data as it is, so they can't have been too onerous.

    4 votes
    1. [4]
      Deimos
      Link Parent
      Yeah, I thought it was an interesting take too, with so many other companies panicking to update their policies (and some small operations even shutting down because they say they can't handle...

      Yeah, I thought it was an interesting take too, with so many other companies panicking to update their policies (and some small operations even shutting down because they say they can't handle it). I think it will be interesting to see if—like the author mentions—we start seeing companies decide they're just going to try ignoring it because otherwise they'll lose basically their entire mailing list membership since everyone ignored their "you need to opt in now" email.

      For Tildes, I had to do very little. The large majority of it was already covered naturally just by trying to treat user data carefully in the first place. I was already intending not to retain user data for very long, delete things I didn't need to keep for functionality, and so on. There's no advertising, and I'm not sharing data with any other companies at all anyway. So that was almost all of it, and I think about the only things I had to add specifically was a note about the minimum age being higher than 13 in some countries, as well as the possibility for people to request their data to be fully deleted and/or exported for them. I was probably also a bit more explicit about exactly what data is collected and why than I normally would have been, but that wasn't a big deal (and is kind of nice for people to be able to read anyway).

      14 votes
      1. a_wild_swarm_appears
        Link Parent
        Yeah, I imagine that'd be the case, and the amount of emails I've gotten already is crazy, but I can honestly say that I really don't care. If I didn't respond then scrub my data. It's actually...

        we start seeing companies decide they're just going to try ignoring it because otherwise they'll lose basically their entire mailing list membership since everyone ignored their "you need to opt in now" email.

        Yeah, I imagine that'd be the case, and the amount of emails I've gotten already is crazy, but I can honestly say that I really don't care. If I didn't respond then scrub my data. It's actually saving me the tedious work of trying to remember every dumb thing I've signed up for in the past 20 years.
        I'm not responding BECAUSE I know they have to delete it if I don't.
        So where these companies may think it's lazy people not reading their emails or whatever, I'd imagine a large chunk of it is people who are just happy to let their subscriptions lapse.

        3 votes
      2. Skuld
        Link Parent
        Good answer. If you're treating data carefully then legislation like this isn't a shock, it's reinforcing existing best practice.

        Good answer. If you're treating data carefully then legislation like this isn't a shock, it's reinforcing existing best practice.

        2 votes
      3. ourari
        Link Parent
        (Most of) those e-mails were pretty useless and possibly illegal: https://www.theguardian.com/technology/2018/may/21/gdpr-emails-mostly-unnecessary-and-in-some-cases-illegal-say-experts

        I think it will be interesting to see if—like the author mentions—we start seeing companies decide they're just going to try ignoring it because otherwise they'll lose basically their entire mailing list membership since everyone ignored their "you need to opt in now" email.

        (Most of) those e-mails were pretty useless and possibly illegal:

        https://www.theguardian.com/technology/2018/may/21/gdpr-emails-mostly-unnecessary-and-in-some-cases-illegal-say-experts

        2 votes
  4. [12]
    Soptik
    (edited )
    Link
    --The article suggest that GDPR forces comanies to apply these rules even to non-EU users.-- This is not true. GDPR affects only EU users. It says, that companies have to be transparent (what do...

    --The article suggest that GDPR forces comanies to apply these rules even to non-EU users.-- This is not true. GDPR affects only EU users. It says, that companies have to be transparent (what do we do with your data, which data do we collect) and offer the user an option to get data that were collected about him and an option to delete these data.

    Edit: Consider the first sentence crossed out. I misuderstood the article and I'm not sure how to cross things out in Tildes.

    3 votes
    1. tyil
      Link Parent
      This, non-EU based companies aren't forced to operate within the EU. If they want to operate in the EU, they'll have to abide to EU regulations, just like they would have to abide to Chinese...

      This, non-EU based companies aren't forced to operate within the EU. If they want to operate in the EU, they'll have to abide to EU regulations, just like they would have to abide to Chinese regulations in China. This is nothing special, companies are just making a big fuss because they have to care about some user's rights for a change, and they're not used to that.

      It's interesting to note that this law was finalized about two years ago and companies are now complaining about it. The first draft was made about seven years ago. These "new" regulations aren't a surprise to anyone. Everyone had plenty of time to implement them, or close up shop if they feel that consumer rights are an absolute disgrace.

      11 votes
    2. crius
      (edited )
      Link Parent
      Exactly. The fact that I'm receiving tons of emails that only tells me "hey, we've updated our policies" without actually telling me something like "here is what changed, here is how you can...

      Exactly.

      The fact that I'm receiving tons of emails that only tells me "hey, we've updated our policies" without actually telling me something like "here is what changed, here is how you can request a delete" is already a breach and just show how much those companies either don't know what the gdpr is about, have been ill advised or just don't care and sent it to save face.

      There is a good article about how most companies don't know what they have to do, I'll try and find it

      Here it is: https://www.theguardian.com/technology/2018/may/21/gdpr-emails-mostly-unnecessary-and-in-some-cases-illegal-say-experts

      Edit: just to laugh about it a little. In Italy, of course, we couldn't make it in time so we got a special permission to have the next deadline for August. I can't even.

      5 votes
    3. [9]
      Deimos
      Link Parent
      Why do you think the article suggests that? It says things like: That emphasis was even there in the original, so it seems pretty clear the author knows it doesn't apply to non-EU users.

      The article suggest that GDPR forces comanies to apply these rules even to non-EU users.

      Why do you think the article suggests that? It says things like:

      So why are non-European companies frantically running around, updating their privacy policies, trying to re-permission all their mailing lists, even to non-European users, trying to over-comply with something that at most only affects non-business customers in EU member states?

      That emphasis was even there in the original, so it seems pretty clear the author knows it doesn't apply to non-EU users.

      3 votes
      1. [7]
        tumbzilla
        Link Parent
        Part of the challenge with online services is that sometimes you don't necessarily know if a user is EU based. My understanding of the GDPR is that they consider it applicable to any company that...

        Part of the challenge with online services is that sometimes you don't necessarily know if a user is EU based. My understanding of the GDPR is that they consider it applicable to any company that interacts with or stores data about EU citizens. As a result, a US or Canada-based company may interact with EU users without even intending to.

        4 votes
        1. [6]
          Elusive
          Link Parent
          This is correct, as far as I understand it. GDPR covers all data collected about an EU citizen, regardless of where the company handling the data is based. So either you ensure that none of your...

          This is correct, as far as I understand it. GDPR covers all data collected about an EU citizen, regardless of where the company handling the data is based. So either you ensure that none of your users are EU citizens, or you'll have to comply for all users.

          4 votes
          1. [5]
            tumbzilla
            Link Parent
            Presumably the law still applies, even if an EU citizens opts not to identify as such. If that's true, then all companies that operate an online website are required to abide by GDPR. That seems...

            Presumably the law still applies, even if an EU citizens opts not to identify as such. If that's true, then all companies that operate an online website are required to abide by GDPR. That seems like pretty aggressive legislation to me...

            1 vote
            1. [4]
              Elusive
              Link Parent
              I guess it is supposed to be aggressive, since previous laws obviously weren't. But most of it just seems like common sense stuff. For example, being able to revoke consent at least as easily as...

              I guess it is supposed to be aggressive, since previous laws obviously weren't. But most of it just seems like common sense stuff. For example, being able to revoke consent at least as easily as giving it. Or being able to see/access what data is stored about you at all. Any company that wants to hide that kind of thing probably doesn't deserve your data anyway, regardless of nationality.

              2 votes
              1. [3]
                tumbzilla
                Link Parent
                I agree with 95% of the stuff in the GDPR. What I don't agree with is the requirement that data only be used for its originally stated purpose. Many improvements to the services we've grown...

                I agree with 95% of the stuff in the GDPR. What I don't agree with is the requirement that data only be used for its originally stated purpose. Many improvements to the services we've grown accustomed to in the past decade were due to the use of data repurposing. I worry the GDPR may be killing the plants, while dealing with the weeds.

                1. Elusive
                  Link Parent
                  This is a difficult one. On one hand, this kind of innovation can lead to great improvements, but on the other hand, data-repurposing like Facebook starting to auto-tag people in photos due to...

                  This is a difficult one. On one hand, this kind of innovation can lead to great improvements, but on the other hand, data-repurposing like Facebook starting to auto-tag people in photos due to facial recognition feels like it should require explicit consent to me. I guess the idea here is to err on the side of privacy.

                  1 vote
                2. ourari
                  Link Parent
                  It's not just about consent. It's about informed consent. A person can only give that informed consent if they know for what purpose that data is collected and used. It's not impossible for you to...

                  What I don't agree with is the requirement that data only be used for its originally stated purpose.

                  It's not just about consent. It's about informed consent. A person can only give that informed consent if they know for what purpose that data is collected and used.

                  It's not impossible for you to use that data for new purposes. All you have to do is inform the person and ask for their consent again. Is that so unreasonable?

      2. Soptik
        Link Parent
        Thank you, I misuderstood it. But I still find the article controversial, or at least part of it, as seen in paragraphs below the header "Why should any business outside of the EU care what the...

        Thank you, I misuderstood it.

        But I still find the article controversial, or at least part of it, as seen in paragraphs below the header "Why should any business outside of the EU care what the GDPR contains?". Just as @tyil said:

        non-EU based companies aren't forced to operate within the EU. If they want to operate in the EU, they'll have to abide to EU regulations, just like they would have to abide to Chinese regulations in China.

        1 vote
  5. acr
    Link
    I care because I own a .it domain and they don't allow private registration, but with this new GPDR are I'm hoping they finally allow it. I also care because I think who is information shouldn't...

    I care because I own a .it domain and they don't allow private registration, but with this new GPDR are I'm hoping they finally allow it. I also care because I think who is information shouldn't be publicly available like it is so the fact that Europe it's taking that stance makes me happy for their citizens.

    1 vote
  6. [3]
    Comment deleted by author
    Link
    1. [2]
      crius
      Link Parent
      This came out as a duplicated comment @silbern, you should delete it :)

      This came out as a duplicated comment @silbern, you should delete it :)

      2 votes
      1. Silbern
        Link Parent
        Ah thank you, I didn't see that. My apologies... (I guess now we can see what happens in Tilde if you delete a top level comment, here goes! :D ) Edit: looks like the devs thought of that, just...

        Ah thank you, I didn't see that. My apologies... (I guess now we can see what happens in Tilde if you delete a top level comment, here goes! :D )

        Edit: looks like the devs thought of that, just leaves a little deleted notice. That was a little anticlimatic, I was hoping it'd open a blackhole to a parallel universe at least...

        4 votes