GDPR doesn't apply to entities outside the EU if they aren't specifically targeting services at individuals in the EU (which can be indicated by using EU domains, supporting EU currencies, supporting EU languages or mentioning EU customers in promotional materials).
mitjam|2 years ago
ekidd|2 years ago
Sure, I never tracked any information except what was absolutely necessary. No email address, no IPs, just logins, passwords, and data saved by the user. But that still means:
- I needed to respond to several kinds of emails within 30 days, even if I was on vacation.
- I needed to understand the frustratingly vague and abstract language of the GDPR.
- I was subject to 27 different data regulators, not all of whom provided information in languages I could read, I don't think?
As a non-EU resident, I have zero vote in any of this. I make zero money off of anyone in the EU. I would happily ignore the EU entirely, or allow EU users to download my stuff and to figure out their own laws.
But the EU claims jurisdiction over foreign nationals, even though we have no vote, no representation, and no commercial presence. There is precisely zero upside for me here.
And with the Product Liability Directive, it looks like the EU might impose personal liability on me as an open source author who occasionally consults for US companies. Which, since nobody in the EU is paying me a cent, I have no interest in assuming. If the final PLD is bad enough, I guess I can try to block downloads from European IPs or something.
If these laws were limited to real companies with an actual presence in Europe, I'd feel very differently. But extraterritorial laws for private citizens are gross.