In the vast majority of cases that's not how laws actually work from one nation to the next. That isn't how legal jurisdiction works. If it were, any nation could impose its laws on any other nation at any time.
> So geolocation is not a satisfactory option.
In fact it is. I can safely disregard the EU and nearly all of its laws including GDPR and privacy laws in the EU. I don't operate in the EU, either physically or in terms of hosting. They have no access to me, my finances, my business, and have zero jurisdiction over me as a US citizen. I'm bound by US law, not EU law.
I can do anything I want to with data from EU citizens that visit my US-based services, so long as I obey US laws. The exception to that is if I need to operate in the EU, then I should comply with EU law.
The EU also does not rule China (1.4 billion people, world's second largest economy), for a strong reference on how the EU's laws don't actually apply globally. While you're in China, as an EU citizen, you are not governed by EU law, you are governed by Chinese law. Give that a test run, you'll find out instantly how it works. If you visit sites located in China, they're going to obey Chinese law, not EU law. Millions of Chinese sites are not concerning themselves with GDPR compliance, because it does not apply to them at all.
Of course, if you fly to Paris for honeymoon they get access to you and can hold you responsible. Just like bankers coming to Las Vegas and being held responsible for aiding tax fraud overseas.
EU residents, actually, and yes, geolocation is satisfactory -- you can hit EU residents as long as you're not intending to hit them, and are doing nothing in contradiction to that intention (like translating your content into Polish, for example).
> like translating your content into Polish, for example
There are Polish speakers that aren't Polish citizens. Translating to Polish doesn't prove an intent to sell to Poland any more than having a page in English implies trying to sell to England.
There is nothing in the law that says that translating into Polish or another language common in the EU results in GDPR being applied. The actual law says,
"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
the monitoring of their behaviour as far as their behaviour takes place within the Union."
That's it. "Offering goods or services" can be interpreted in a variety of ways, but translating into a language doesn't mean anything. People speak German in communities all over the world. Even offering payment in Euros isn't necessarily targeting the EU. Plenty of EU expats have Euro accounts, particularly those based in Africa and Asia. So it's perfectly normal to have a German language site, selling products in Euros, targeting Germans in Shanghai and have that not be in GDPR scope. However, an English language site, selling in US dollars showing Berlin apartment listings targeting American expats in Germany -- that would be in GDPR Scope. The language and currency have nothing to do with it. It's the intended audience that matters and that can be often determined by the product/content being sold/delivered.
The point of my rant is that too many people are reducing GDPR into some ridiculously simplistic terms such as "can't use euros, can't use an EU language" or similar. However, the actual reality isn't so sophomoric.
Recital 23 digs into more detail about what is considered "targeting." Choice quote:
> Whereas [...] the use of a language generally used in
> the third country where the controller is established,
> is insufficient to ascertain such intention, factors
> such as the use of a language or a currency generally
> used in one or more Member States [...] may make it
> apparent that the controller envisages offering goods
> or services to data subjects in the Union.
You are correct that reality is a bit more nuanced, but I think that saying "language and currency have nothing to do with it" is not a supportable claim. Audience and intent matters, but if you have German-language content in a country without a large German-language population, you are going to need a very good excuse why you aren't targeting Germans.
People don't have time to type every single caveat and exception. Translating to Polish is going to be targeting Polish geography 99% of the time.
No, that not true. I am an EU citizen and live in the US. GDPR does not apply to me when I deal with US businesses! Likewise a non-EU citizen who lives and works in the EU is in fact covered by GDPR.
GDPR actually applies to companies which are doing business in the EU and storing personal data of anybody who resides in the EU.
> it applies to pages being served to EU citizens, wherever they happen to be at the moment.
So geolocation is not a satisfactory option.
Completely false. Citizenship has nothing to do with GDPR. It's all about location.
An EU resident visiting the United States is not covered by GDPR while in the United States. An EU Citizen living in Los Angeles is not covered by GDPR. A Tunisian illegal immigrant in Berlin is covered by GDPR.
The 2012 draft of GDPR founded jurisdiction on the passive responsibility principle, which, while highly controversial, would, in fact have applied GDPR protections based on nationality of the person and not the location. However, that's not in the final version of the law. In Article 3, "resident" has been replaced with "data subjects who are in the Union."
"In the Union" means, inside the European Union. Which means the law's protections do not extend to those not inside the EU. The jurisdiction is unambiguous and crystal clear. Not a single word in Article 3 suggests that a Frenchman in Peru is covered by GDPR. Which means that your statement "wherever they happen to be at the moment" is false.
It seems that there still exists an incredible amount of ignorance about GDPR. It feels like people are reading analysis from others who are reading analysis from others and very view have actually read the actual law themselves. Or worse, people are using their memory of years-ago discussions about provisions or language that isn't in the actual final regulation and contributing to this completely wrong narrative such as "The law doesn't just apply to pages being served to the EU, it applies to pages being served to EU citizens, wherever they happen to be at the moment." That's 100% false. It's the exact opposite of the truth.
The fact on territorial scope is that GDPR covers an identifiable natural person inside the EU. It doesn't care about nationalities. It only cares about location. Geolocation is absolutely a satisfactory option, because an EU resident, citizen or whatever sitting in a Starbucks in Seoul, is not covered by GDPR. No matter how badly people might wish that to be false, the words in the actual regulation say otherwise.
It only applies to sites outside the EU if the site "envisages" serving EU customers. The suggested test for this is if the site offers foreign language versions of the site for EU countries, allows payments in EU currencies, etc. For sites in the US that are intended for a US audience, compliance is unnecessary, regardless of the fact that some traffic may be coming from the EU.
From [1]:
Recital 23 provides a further clarification for cases where it’s unclear if a firm offers goods and services to EU data subjects:
Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
So geolocation is not a satisfactory option.