
> a bunch of American sites just block the whole EU due to GDPR laws.

Which is incredibly reasonable. If the EU didn't try to claim EU law applies globally, those sites might still be up.




The US is just as bad at extraterritorial law, see FATCA for just one example.

https://en.wikipedia.org/wiki/Foreign_Account_Tax_Compliance...


That situation is quite different. The US is using its significant power and weight to coerce those non-US banks into compliance with FATCA. Those banks don't have to comply, but if they want to do business with the US and US companies, then they don't have much of a choice.

It's not like they just made a law and now insisted it applies globally, which is what the EU did.


Isn’t it actually exactly the same? The website doesn’t have to comply (and many don’t), but if they want to do business in the EU, they have to. How is that different?


No, it's not remotely the same.

The US is using the fact that people want to do business with them to coerce compliance, and as written the law only applies to US persons.

The EU claims the GDPR applies globally, regardless of if people want to do business with the EU, or even if people ever set foot in the EU. It's amusing nonsense.


It's effectively the same, small banks just shove you out of the building and refuse to open a bank account for you if FATCA applies to you; their compliance is through just not accepting US taxpayers.

This is a real issue that leaves US citizens only able to open accounts at bigger banks (with shittier services but enough budget to hire a FATCA compliance department).


> it's effectively the same

Nope. Not even close.

Practically the GDPR law has no teeth at all because its claim of extraterritorial jurisdiction is nothing but nonsense.

FATCA applies because the US has a carrot or stick to enforce it.

Also, the US law as written is entirely reasonable and doesn't try to claim the law applies to US citizens anywhere in the world.


> US law as written is entirely reasonable and doesn't try to claim the law applies to US citizens anywhere in the world.

It absolutely does.

The USA has laws that govern what its own citizens do abroad. Like, you aren't allowed to have sex with minors or pay bribes when abroad.

The USA also recently passed a law that allows it to prosecute foreign officials who solicit bribes from USA entities. https://www.ropesgray.com/en/insights/alerts/2023/12/us-cong...


> It absolutely does.

Absolutely, absolutely, it does not.

The USA law is saying US law applies to US persons wherever they may be in the world.

The EU law is saying EU law applies to ANYONE in the world if an EU person interacts with them via the internet.

You realize those two things are not the same, right?


> The USA law is saying US law applies to US persons wherever they may be in the world.

"The USA law is saying US law applies to ANYONE (bank in this case) in the world if a US person interacts with them."

See how you can put it the exact other way without changing the meaning at all?


I haven't changed the meaning, I simply stated things accurately.

Here, though, you've misstated things inaccurately. You seem to think the points are interchangeable, and the only issue here is semantics. You couldn't be more wrong.


If you think I changed the meaning, please tell me what the difference is.


Perhaps you should re-read what you wrote. You specifically stated that US law does not apply to US citizens abroad.

In addition, one of my examples specifically allows the prosecution of non-US citizens for their actions abroad toward US citizens. This directly contradicts the point you claim you were making but didn't accurately state.


You're right, I noticed the inconsistency due to my error, but I had no way to edit and refine it.

I didn't know that it is illegal to pay bribes overseas, and as someone who has traveled extensively and knows it is necessary sometimes, I'm curious how enforced that law actually is. Either way though, that example and the illegal sex one are both US law applying to US persons, not US law applying to non-US persons.

> In addition, one of my examples specifically allows the prosecution of non-US citizens for their actions abroad toward US citizens.

I apologize for not giving this specific point more attention. That law is interesting, and to quote the wiki page, "The law is quite specific in that it is intended to be extraterritorial in nature".

This seems to be the first law of its kind, as unlike the other examples you gave, it explicitly applies worldwide to any foreign officials.

In response to this law I would make two points. One, it hasn't been signed into law yet, and two, this is significantly more narrow in scope than the EU law which applies to anyone running a site that an EU citizen visits.


> I'm curious how enforced that law actually is.

Enforcement of the anti-bribery laws isn't really targeted at individuals traveling for fun. It is more meant to stop businesses from bribing officials.

> this is significantly more narrow in scope than the EU law which applies to anyone running a site that an EU citizen visits.

If you are looking for broad scopes, copyright and espionage are both areas where the US asserts its right to prosecute non-citizens for acts committed outside the country. For specific high-profile examples, look at Kim DotCom and Julian Assange.

In the age of the internet, pretty much every country would like to be able to prosecute non-citizens for acts they commit while outside the country. Hackers, scammers and fraudsters frequently commit crimes against citizens of other countries and the countries where the victims reside have a clear interest in prosecuting those criminals. The limitations of doing so depend on their ability to get that criminal extradited.

With this understanding, the EU laws aren't really any different.


> Enforcement of the anti-bribery laws isn't really targeted at individuals traveling for fun. It is more meant to stop businesses from bribing officials.

That's fair enough. But then it isn't really comparable, is it? If I host a site for fun in the US that targets as much data as I can about EU citizens and targets EU citizens but doesn't break any US laws, I would still be targeted, right?

Not to mention, bribery is likely illegal in all or at least most countries.

> If you are looking for broad scopes, copyright and espionage are both areas where the US asserts its right to prosecute non-citizens for acts committed outside the country.

These still are not good examples. Every country has laws to prosecute spies, and copyright has numerous international treaties.

These areas still don't compare, at all, to the EU saying EU law applies to anyone in any country if an EU citizen visits it and the site collects their data and targets them in a way Europe doesn't like.

> With this understanding, the EU laws aren't really any different.

You say in the age of the internet a lot of countries would like to persecute people outside their borders for offenses that take place, to some extent, in their borders.

The thing is, the EU is the first to actually claim the power to do so. The other examples you or anyone else gives just don't map for one reason or another.


> These still are not good examples. Every country has laws to prosecute spies, and copyright has numerous international treaties.

You are just moving the goal post yet again. I fail to see any difference between laws that govern foreign citizens' movement of copyright data and laws that govern foreign citizens' movement of private data.

If anything, I think privacy laws are MORE ethically defensible than copyright laws since they tend to protect the powerless against the powerful rather than vice versa.

> The thing is, the EU is the first to actually claim the power to do so

Again you are saying things that have been already shown to not be true.


> You are just moving the goal post yet again.

No, I'm not. I've been consistent from the start. Seriously, go look at my earlier replies.

All your examples are either laws that have treaties backing them, or don't apply to most people, or only apply in very specific circumstances.

None of them, absolutely NONE, are as far-reaching as the EU law. The EU claims it applies to ANY entity in ANY country so long as ANY EU citizen visits, and that entity collected data and targeted EU citizens in a way the EU didn't like.

That's what makes it different. That isn't moving the goal posts, that's pointing out very clearly that this apple very clearly isn't like your orange.

> Again you are saying things that have been already shown to not be true.

Only if you remove all relevant details that show everything I've said is absolutely correct.

Enough with the tribalism. There is no shame in admitting the EU made a far-reaching law, a first of its kind, that it has no hope of enforcing.


> Seriously, go look at my earlier replies.

I did, you mentioned 'treaties' for the first time in your last comment.

The ability of the USA to prosecute Kim DotCom didn't depend on any treaty. The extradition process did, but that is a question of custody.

In addition, there ARE numerous trade treaties that cover privacy, the right of countries to implement privacy regulation on international trade and specific protections that allow data exportation from the EU.

> The EU claims it applies to ANY entity in ANY country so long as ANY EU citizen visits, and that entity collected data and targeted EU citizens in a way the EU didn't like.

This is false. The entity has to be based in the EU or be offering goods and services to people in the EU to have the GDPR apply.

> There is no shame in admitting the EU made a far-reaching law, a first of its kind, that it has no hope of enforcing.

While it is a far-reaching law, it is not the first of its kind and there are thousands of fines and penalties issued under it each year.

> Only if you remove all relevant details that show everything I've said is absolutely correct.

I've already provided several examples that disprove your statement. The "relevant details" are the qualifications that you keep making up but conveniently still leave off when making your false claims.

You've said so many false things throughout your comments, starting with the "US law as written is entirely reasonable and doesn't try to claim the law applies to US citizens anywhere in the world." which you even doubled down on with a double "absolutely" when I first called you on it.

At this point, I suggest you put far more effort into verifying the accuracy of what you say or nobody will take anything you say seriously. I certainly don't anymore.


I said "go look at my earlier replies" not specifically to say I had mentioned treaties earlier, but to say I hadn't been moving the goalposts. My point is the exact same.

> The extradition process did, but that is a question of custody.

This is the key point though. Plenty of western countries and especially AU/NZ are super buddy buddy with the US and happy to cooperate. Especially when they agree with the laws.

Most countries won't extradite someone for a (from their point of view) silly GDPR violation.

> In addition, there ARE numerous trade treaties that cover privacy, the right of countries to implement privacy regulation on international trade and specific protections that allow data exportation from the EU.

There is not a single treaty that covers allowing the EU the extraterritorial jurisdiction they claim for the GDPR.

> This is false. The entity has to be based in the EU or be offering goods and services to people in the EU to have the GDPR apply.

You're right, my apologies - I should have added "offering goods and services to people in the EU" to be more specific, I had thought you would infer that from our discussion as I'd made that point previously, multiple times.

SO, here you go, a refined point: The EU claims it applies to ANY entity in ANY country offering goods and services to ANY EU citizen, and that entity collected data and targeted EU citizens in a way the EU didn't like.

That's what is ridiculous, that is what is entirely unlike any US law you've tried to compare it to. They have no ability to prosecute foreign violations and that's why, since the GDPR came into effect, they never have.

> it is not the first of its kind

It is. Specifically for declaring its extraterritorial jurisdiction in the legislation, and because that can be aimed at anyone operating the 'wrong' type of website, not just officials or people committing a specific crime.

> I've already provided several examples that disprove your statement.

No. You provided examples of laws that are not analogous, and I explained why that is.

> The "relevant details" are the qualifications that you keep making up but conveniently still leave off when making your false claims.

I have not made a single false claim. Not one. You either have a misunderstanding of the GDPR, or you are going out of your way to defend and downplay the issues.

> you even doubled down on with a double "absolutely" when I first called you on it.

Yeah. I really suspect you are deliberately taking things literally instead of just inferring what is obvious from the context so you can make these kinds of points, but instead of assuming bad faith I'll assume it's a misunderstanding.

> At this point, I suggest you put far more effort into verifying the accuracy of what you say or nobody will take anything you say seriously. I certainly don't anymore.

At this point, I suggest you do a little more research before jumping into these kinds of discussions. Sure, you caught me out with lacking a few qualifiers, but my overall claim is absolutely correct.

No other western country has a law as far-reaching and widely applying as the GDPR, and no other western country has such a toothless law that has been so publicized that could never hope to be enforced.


> You either have a misunderstanding of the GDPR, or you are going out of your way to defend and downplay the issues.

I have a sufficient understanding to call you on your "non-literal" claims.

Call it what you will, but if you knew better and still made these "non-literal" claims, I call that "lying".


I'm not lying and you know I wasn't. You can't support your point so you were looking to get points in any way you can. It's OK, I called out tribalism earlier on in the thread. I'm pretty used to it at this point. All good, no hard feelings.

Take care.


If the GDPR has no teeth and the EU no stick to enforce it with, then US companies following it would not be reasonable like you have claimed.


The GDPR has no teeth to enforce fines outside of its jurisdiction. Which is why it never has despite finding violations.


Why is it different?

People don't have to comply with GDPR but if they want to serve EU folks then they don't have a choice.


The EU claims their law applies globally regardless of if people set foot in or do business in the EU. According to the EU, an EU citizen just needs to visit a site and the law applies, regardless of where the site is hosted.

According to the EU, the GDPR applies to some small shop owner in China with a website that harvests all data it can that isn't advertising in the EU, courting EU citizens in any way, has no business with the EU, etc.


Once privacy is considered as a fundamental human right, everything makes sense. When an EU citizen visits a site and the site collects their data in an unbounded way, their privacy is violated and any government should be responsible for protecting its citizens.

In my point of view, this is a difference of how much we define privacy as a human right and what data are considered private.


> Once privacy is considered as a fundamental human right, everything makes sense.

Does it? I agree it should be, and I want to work towards a better world also, but pretending you have jurisdiction when you clearly do not, doesn't seem helpful in any way.


I suppose it will be treated as other international jurisprudence. However it is indeed not practical for individuals.


According to the US, a US citizen just has to open a bank account anywhere in the world and the law applies, regardless of where the bank is hosted.



> If the EU didn't try to claim EU law applies globally, those sites might still be up.

It doesn't; it applies to EU residents. Your non-EU business is free to do whatever it wants, but as soon as you do business with EU residents EU law applies.

This is more or less how it works everywhere (with some exceptions).

And deciding not to do business with EU residents (i.e. block in EU) is of course a perfectly valid and reasonable choice. But not because "EU laws apply globally".


> It doesn't; it applies to EU residents. Your non-EU business is free to do whatever it wants, but as soon as you do business with EU residents EU law applies.

See, you say it only applies to EU residents, but that isn't the case.

The real issue is where you say "but as soon as you do business with EU residents EU law applies", and, well, that's just nonsense.

I have a US site. I can operate my business any way I like as long as I don't break any Federal or State laws, and I can break every single EU law that doesn't have an equivalent US law.

The EU can't touch me. EU law doesn't apply to me, even if I advertise the hell out of my site to try and attract as many EU citizens as possible.

All the EU can do is firewall me off, prosecute me if I come to the EU and police or punish its citizens.

> This is more or less how it works everywhere (with some exceptions).

It's really not. The EU's claim of global jurisdiction is unique and a first. There may have been loosely similar things, but nothing quite like this.

> But not because "EU laws apply globally".

You should inform the EU they should correct their legislation then.


Sure, but if some Little Whinging news from North Arizona (fictional news site) starts spamming me, because some grandma there can't remember his email address, and won't let me unsubscribe, I'll do everything I can do within my five minutes of anger to make them rethink.


Consider reporting it to the host, ISP and/or FTC next time - GDPR "compliance" doesn't let US businesses ignore the CAN SPAM act.

https://consumer.ftc.gov/articles/how-get-less-spam-your-ema...


Spam and collecting/storing data are not the same problems.


What? No

Claiming jurisdiction by server location is the stupidest thing ever if you're trying to have any kind of customer protection laws. You have to go by customer location.

However, the claim that they have jurisdiction over EU citizens abroad is very questionable.


If a European travels to a grocery store in Nevada, assuming they'd be protected by EU laws is a bit goofy.

If they travel to my US server digitally and want my data back, I shouldn't have to know EU laws. They came to me.

I guess you could argue that if I'm then willing to send them data, then I need to play the game. Like a Nevada store that ships to France.


> However, the claim that they have jurisdiction over EU citizens abroad is very questionable.

The GDPR makes no jurisdictional claims at all based on citizenship, despite a lot of inaccurate summaries saying otherwise. For those cases where the GDPR cares about individuals being EU or non-EU, it only cares about their location, not about their citizenship / nationality or their residence.


> Claiming jurisdiction by server location is the stupidest thing ever if you're trying to have any kind of customer protection laws. You have to go by customer location.

I disagree, because that's impossible. That's why the EU's attempt is largely a joke. Literally - it seems to get mocked a lot when I tried reading up on the credibility and practicality of what they claim.

> However, the claim that they have jurisdiction over EU citizens abroad is very questionable.

It's the claim that they have jurisdiction over non-EU citizens and businesses in their own countries which is so laughable.


> Literally - it seems to get mocked a lot when I tried reading up on the credibility and practicality of what they claim.

> [...]

> It's the claim that they have jurisdiction over non-EU citizens and businesses in their own countries which is so laughable.

Most of this mockery is based on misunderstandings that overgeneralize what the EU is asserting and overlook what most other countries assert.

Most countries have some laws that under some circumstances purport to apply to foreign non-citizens located outside the country, not just the EU.

A key example is defamation law. If you are a Brazilian citizen located in Brazil and you specifically target publications online to UK or Canadian or US audiences in ways that are viewed as defamatory in those jurisdictions, you could very well get sued in those countries' courts, and there are absolutely cases where those courts would uphold their jurisdiction based on the specifically targeted publication.

Similarly, when asked to decide if they have jurisdiction to enforce local consumer protection law against a foreign defendant, the courts in the Canadian province of Quebec will consider whether the foreign defendant has tried to target Quebec consumers, should know that it has ongoing substantial sales to Quebec consumers, et cetera - not only whether it has a business establishment in Quebec.

Conversely, if you are a hotel in New Hampshire, USA and someone located in an EU country visits your US-based English-language USD-only hotel website and books a room for their upcoming visit, the GDPR probably does not apply, since there is no attempt to target the EU. Among other exceptions, the conclusion could be different if the hotel website allows bookings in EU currencies or languages (not counting English and maybe not US/Latin American Spanish because of their use in the US), since that shows an intention to target EU visitors.

If merely being foreign allowed EU-focused businesses to avoid the GDPR, that would be an extremely huge loophole, and EU businesses would make deals with those foreign businesses to shift as much as possible of their data processing stream outside the scope of the GDPR. It would pretty much swallow the whole law. It's not a viable approach.

Similarly, monitoring the behavior of visitors in the EU can also lead to the GDPR applying, since otherwise EU businesses would pay foreign businesses to track their visitors on their behalf, doing whatever legal ownership transfer shenanigans they have to in order to make that work. ("Oh no, this is not a European-owned website, it's an American website to which we've licensed our brand content and which shares 99% of its subscription and ad revenue with us as their license fee... they are allowed to track you even if we can't...")

Of course, you're quite right if you view it as a mockable idea that the EU would be going into foreign countries to bust down doors and collect fines from foreign businesses. Just as clearly, they aren't pretending they can do that.

But if a foreign company does get assessed with a GDPR violation fine in the EU, it certainly gets harder for them to continue to engage in business dealings with anyone in the EU without that fine becoming more possible to collect - and in some cases there are established mutual legal assistance treaties through which EU countries can get foreign countries to help with collecting a judgment outside of the EU.

My guess as to why these non-EU companies prefer to block the EU instead of comply with the GDPR is simply that they don't view the risks of being found in violation as worth the benefits of the additional audience - not because they would necessarily be found in violation. Most of the local news channels would probably not be found in violation if they excluded visitors in the EU from behavior monitoring, but many of those sites don't consider it worthwhile even to take the risk.


> Most of this mockery is based on misunderstandings that overgeneralize what the EU is asserting and overlook what most other countries assert.

I think that's mostly assumption. Much of the mockery was in legal journals for example - an audience that would be more familiar with the text of the legislation than most.

> Most countries have some laws that under some circumstances purport to apply to foreign non-citizens located outside the country, not just the EU.

Maybe a few other countries have something in the same general category, but none as far reaching as GDPR law tries to be. And certainly it's a minority of countries that have such laws, not most.

> A key example is defamation law. If you are a Brazilian citizen located in Brazil and you specifically target publications online to UK or Canadian or US audiences in ways that are viewed as defamatory in those jurisdictions, you could very well get sued in those countries' courts, and there are absolutely cases where those courts would uphold their jurisdiction based on the specifically targeted publication.

I'm not exactly clear what you are saying here, but in any event, at least in any interpretation I can think of, the analogy doesn't map. If a UK entity sues a Brazilian in a Brazilian court, that's all pretty normal. That's just the UK entity doing something they are able to do in compatible courts, that's not UK law applying to Brazilians.

> Similarly, when asked to decide if they have jurisdiction to enforce local consumer protection law against a foreign defendant, the courts in the Canadian province of Quebec will consider whether the foreign defendant has tried to target Quebec consumers, should know that it has ongoing substantial sales to Quebec consumers, et cetera - not only whether it has a business establishment in Quebec.

And how is this relevant? That foreign defendant would be present in Quebec to be tried, so it's quite a bit different from the EU claiming Joe Schmoe halfway around the world who has no interest in the EU or Europe and has never been there, is subject to EU law because an EU citizen visited their data collecting site.

> Conversely, if you are a hotel in New Hampshire, USA and someone located in an EU country visits your US-based English-language USD-only hotel website and books a room for their upcoming visit, the GDPR probably does not apply, since there is no attempt to target the EU.

The attempt to target the EU would simply be having online advertising that would show up in the EU.

> Among other exceptions, the conclusion could be different if the hotel website allows bookings in EU currencies or languages (not counting English and maybe not US/Latin American Spanish because of their use in the US), since that shows an intention to target EU visitors.

I don't think this is the actual text of the law. The EU claims GDPR applies to a small data collecting site, say, in Vietnam, that wants to store and retain and sell all the data it can about anyone that visits its site. That's what is ridiculous, that's what is incomparable to anything else you have listed.

But in any event, let's say that is the law. Let's say this site in my Vietnamese example goes out of its way to target the EU, having French and Spanish as default languages, having language flags for every EU country, and paying for advertisements (but only on US sites with US companies, let's say, just to reinforce the point that no business has been done in the EU) - well, in that case, it's still bonkers that the EU thinks they have any jurisdiction over the operator of that site.

The ONLY thing they can do is firewall it off, like China does. That's it. Claiming to have global jurisdiction as they do just makes them look foolish.

> If merely being foreign allowed EU-focused businesses to avoid the GDPR, that would be an extremely huge loophole,

This is already reality, though. Any business in the world can court EU consumers, and only the EU can prevent that by further policing its citizens. They are powerless to stop foreign businesses any other way since they only have jurisdiction in their own borders...yet they claim the opposite.

> Of course, you're quite right if you view it as a mockable idea that the EU would be going into foreign countries to bust down doors and collect fines from foreign businesses. Just as clearly, they aren't pretending they can do that.

It's mockable that they claim they have any jurisdiction outside their borders in the contexts they do, period.

> But if a foreign company does get assessed with a GDPR violation fine in the EU, it certainly gets harder for them to continue to engage in business dealings with anyone in the EU without that fine more becoming possible to collect - and in some cases there are established mutual legal assistance treaties through which EU countries can get foreign countries to help with collecting a judgment outside of the EU.

There is absolutely no instance of a foreign court upholding a GDPR fine and I don't expect there ever will be, nor is there any treaty that would allow for that as far as I know. If you know otherwise and could name such a treaty I would appreciate it.

The only thing the EU can do is get a judgement against that person or company and arrest people if they enter the EU, firewall off hosts, or police and punish its own citizens.


> I think that's mostly assumption. Much of the mockery was in legal journals for example - an audience that would be more familiar with the text of the legislation than most.

There's lots of bullshit in legal journals too, partly due to how most of those journals are student-reviewed rather than peer-reviewed, and partly due to how politicized the legal academy is. Care to provide a cite?

> I'm not exactly clear what you are saying here, but in any event, at least in any interpretation I can think of, the analogy doesn't map. If a UK entity sues a Brazilian in a Brazilian court, that's all pretty normal. That's just the UK entity doing something they are able to do in compatible courts, that's not UK law applying to Brazilians.

No, I'm saying that a UK entity can sue a Brazilian for defamation in UK court, not Brazilian court, and win jurisdictional arguments in the UK court based on the Brazilian's publications being targeted to the UK - even if the Brazilian has never been to the UK. And all of this would be based on UK law, not Brazilian law.

> And how is this relevant? That foreign defendant would be present in Quebec to be tried,

I said nothing about the foreign defendant being present in Quebec, no. Everything I said applies even when that is not true.

> so it's quite a bit different from the EU claiming Joe Schmoe halfway around the world who has no interest in the EU or Europe and has never been there, is subject to EU law because an EU citizen visited their data collecting site.

> [...]

> The attempt to target the EU would simply be having online advertising that would show up in the EU.

This is among the common global misinformation about the GDPR that does not reflect the EU's actual legislation or their actual guidance about the GDPR. Read Article 3 of the GDPR or Recitals 23 and 24 of the official guidance about it.

https://gdpr-info.eu/art-3-gdpr/

https://gdpr-info.eu/recitals/no-23/

https://gdpr-info.eu/recitals/no-24/

(Note, that website is not an official source, but it's a more convenient way for me to link to the relevant sections than the official sources.)

Merely not blocking online advertising from showing up in the EU does not cause GDPR to apply. Nor does merely receiving a visit from an EU citizen.

However, monitoring behavior by visitors where that behavior occurs in the EU does. So if a website's preferred online advertising model depends on monitoring the behavior of their visitors and they don't want to make an exception to that for visitors in the EU, that's the source of the GDPR applicability - not the online advertising itself.

And I already explained why this is necessary to avoid a huge truck-sized loophole.

> I don't think this is the actual text of the law. The EU claims GDPR applies to a small data collecting site, say, in Vietnam, that wants to store and retain and sell all the data it can about anyone that visits its site. That's what is ridiculous, that's what is incomparable to anything else you have listed.

Again, read Article 3 of the GDPR and Recitals 23 and 24 of the official guidance. The EU does not claim the GDPR applies there.

> But in any event, let's say that is the law. Let's say this site in my Vietnamese example goes out of its way to target the EU, having French and Spanish as default languages, having language flags for every EU country, and paying for advertisements (but only on US sites with US companies, let's say, just to reinforce the point that no business has been done in the EU) - well, in that case, it's still bonkers that the EU thinks they have any jurisdiction over the operator of that site.

You would be amazed at how many countries would apply their jurisdiction to foreigners with respect to how many laws in this kind of scenario. People have been persuaded otherwise by anti-GDPR propaganda by the industries that depend on routinely violating the GDPR, but it's really true.

In particular, look at this summary on Wikipedia of personal jurisdiction in Internet cases in the United States:

https://en.wikipedia.org/wiki/Personal_jurisdiction_in_Inter...

Many, many, many of those scenarios can happen when the out-of-state website operator has never been to the US and is not a US citizen or company. The phrase "purposely availed itself" in that US jurisprudence is very similar to what I was calling targeting the EU in my previous comments.

More information on the underlying principles and laws, again from the US perspective:

https://en.wikipedia.org/wiki/Minimum_contacts

https://en.wikipedia.org/wiki/Long-arm_jurisdiction

> The ONLY thing they can do is firewall it off, like China does. That's it. Claiming to have global jurisdiction as they do just makes them look foolish.

They claim just as much jurisdiction as most countries do - but most countries don't have privacy laws like the GDPR, so the industries who are crying about the GDPR aren't crying about most other examples.

> There is absolutely no instance of a foreign court upholding a GDPR fine and I don't expect there ever will be, nor is there any treaty that would allow for that as far as I know. If you know otherwise and could name such a treaty I would appreciate it.

Small correction to my previous comment: while there are indeed some multilateral treaties about the recognition of foreign judgments such as can happen for unpaid GDPR fines, you're right that the US isn't part of those treaties.

However, US state laws do allow recognition of many foreign judgments, with the details varying widely. There is a federal law which prohibits US enforcement of foreign libel judgments that would violate the First Amendment if they had been from a US court, but there is no federal law restricting states from recognizing most other foreign judgments they might choose to recognize. And again, in many cases states do so choose.

I would be quite surprised if all US states would never enforce a court judgment from an EU country resulting from a GDPR violation. Said differently, I expect that at least some US states would enforce such a judgment under at least some facts and circumstances.

> The only thing the EU can do is get a judgement against that person or company and arrest people if they enter the EU, firewall off hosts, or police and punish its own citizens.

Even when the company has no assets in a jurisdiction that allows recognition of EU judgments resulting from GDPR violations, they can also seize movements of money or goods into or out of the EU which belong to the company that isn't paying the judgment.

Anyway, "police and punish its own citizens" isn't the scenario being discussed here - nobody violates the GDPR by accessing or using a website that violates the GDPR. The violation is the website's alone.


> There's lots of bullshit in legal journals too, partly due to how most of those journals are student-reviewed rather than peer-reviewed, and partly due to how politicized the legal academy is. Care to provide a cite?

I don't care to provide a cite, but this seems rather dismissive. Plenty of peer reviewed legal journals also found the idea mockable.

> No, I'm saying that a UK entity can sue a Brazilian for defamation in UK court, not Brazilian court, and win jurisdictional arguments in the UK court based on the Brazilian's publications being targeted to the UK - even if the Brazilian has never been to the UK. And all of this would be based on UK law, not Brazilian law.

Oh, sure. There's nothing really special about that. I can sue anyone in the world if I want to, it won't matter much if they are not in the same country as me and never come. A best case scenario would be getting a default judgement that couldn't be enforced and if they ever did come would be overturned instantly, so basically worthless.

That doesn't mean US laws apply to everyone in the world though.

> I said nothing about the foreign defendant being present in Quebec, no. Everything I said applies even when that is not true.

OK. Then like your previous example it isn't relevant or analogous.

> This is among the common global misinformation about the GDPR that does not reflect the EU's actual legislation or their actual guidance about the GDPR

Except it does. They explicitly assert extra-territorial jurisdiction for cases like this. That's why there was so much written about it.

> However, monitoring behavior by visitors where that behavior occurs in the EU does. So if a website's preferred online advertising model depends on monitoring the behavior of their visitors and they don't want to make an exception to that for visitors in the EU, that's the source of the GDPR applicability - not the online advertising itself.

Right, and that's nonsense. It still all boils down to the basically zero possibility of practically enforcing any of their laws against, say, actors in developing countries with no relationship with the EU, or worse, hostile to the EU.

> And I already explained why this is necessary to avoid a huge truck-sized loophole.

And I responded explaining why I think your explanation is incorrect.

> Again, read Article 3 of the GDPR and Recitals 23 and 24 of the official guidance. The EU does not claim the GDPR applies there.

Instead of just quoting the GDPR, which we've both read, how about sharing the text you think applies and your interpretation? Something I can actually refute.

> You would be amazed at how many countries would apply their jurisdiction to foreigners with respect to how many laws in this kind of scenario. People have been persuaded otherwise by anti-GDPR propaganda by the industries that depend on routinely violating the GDPR, but it's really true.

I don't think it has anything to do with "anti-GDPR propaganda", more the GDPR being unique. The examples you gave didn't map to the GDPR, can you give some that do?

> They claim just as much jurisdiction as most countries do

This is false. They claim more than any other western country does.

> Everything and everyone is mockable, even me, even you, even everyone we know. That doesn't mean what you think it does.

It means exactly what I think it does. To try and dismiss the meaning I intended and succeeded in conveying and that you understood, you are taking the meaning literally when you know that isn't the meaning conveyed here - "mockable" here means, having something juicy and rich to milk for material, the results of which are relatable and appreciated by the intended audience. Not everything meets that definition, certainly not everything and everyone.

> while there are indeed some multilateral treaties about the recognition of foreign judgments such as can happen for unpaid GDPR fines,

Can you name one non EU country that has a treaty that specifically covers the GDPR?

> However, US state laws do allow recognition of foreign judgments, with the details varying widely.

They sure do, and the details as to why can be interesting, but usually it's going to be a case of there being an equivalent US law. There isn't in this case, and several judges would be repulsed by the suggestion that the law should apply in the US at all.

> I would be quite surprised if all US states would never enforce a court judgment from an EU country resulting from a GDPR violation. Said differently, I expect that at least some US states would enforce it in some scenarios, dependent on the relevant facts and circumstances.

I don't really see that ever happening, to be honest. Well, to be fair, maybe states with data privacy legislation like CA might, as long as only parts that map to CA's own legislation were being enforced. Although even then they would have to be present in the state. I can make a site in the US, target it as much as I can to EU citizens, blatantly violate the GDPR as much as I can, and the EU can't touch me if I didn't break any US laws. I can do what I like with that EU citizen data I collected, sell it to whoever I want, etc - as long as I don't break any US laws.

> Even when the company has no assets in a jurisdiction that allows recognition of EU judgments resulting from GDPR fines, they can also seize movements of money or goods into or out of the EU which belong to the company that isn't paying the judgment.

Sure, like I said, they have power within their borders and that's it. If the entity never goes through EU borders, then they can't really be touched.

> Anyway, "police and punish its own citizens" isn't the scenario being discussed here

I mentioned it because it's one of only 3 things the EU can do to try and deal with a website violating the GDPR outside their borders. The other is dealing with it any way they can if anything physical, or any money goes through their borders, and the final is what I suggested - to police and punish its own citizens. This nonsense of claiming global jurisdiction is nothing but theater.

> The violation is the website's alone.

And when that website is firmly out of EU jurisdiction, they can't do a damn thing about it. Sometimes, they might get a country to enforce a fine, but that has yet to happen despite fines being issued.


I can’t force you to see parallels you are very firmly convinced don’t exist, nor can I force you to provide new evidence or arguments instead of rehashing conclusions I’ve already refuted as best I can.

This is especially true when you’ve declined my open-ended request to provide one of the “plenty of” peer-reviewed legal journal citations you say exist and don’t engage substantively with the evidence I do share, even while making ever more specific legal citation requests to me and asking me to do all the legwork of substantively explaining “some [interpretation of my evidence] that [you] can actually refute.”

These asymmetries are beyond the scope of what’s warranted here: we are two people having a casual unpaid Hacker News discussion, not you as a judge or juror and me as a lawyer trying to prove my client’s case in court. Similarly, if the point of me doing interpretive legwork is just to give you something to refute, that’s not worth my time.

I don’t think we have anything productive left to say to each other in this subthread, so don’t be surprised if this turns out to be my last reply to you here.


> I can’t force you to see parallels you are very firmly convinced don’t exist, nor can I force you to provide new evidence or arguments instead of rehashing conclusions I’ve already refuted as best I can

Oh. OK. So you're not actually providing any of the proof I asked you to, you're just wanting me to trust your arguments as correct in spite of all the evidence I've seen to the contrary. Yeah, that sure is reasonable. The 'trust me bro' defense.

> This is especially true when you’ve declined my open-ended request to provide one of the “plenty of” peer-reviewed legal journal citations you say exist and don’t engage substantively with the evidence I do share

Because I'm not particularly interested in doing research for you. That would actually take me maybe 10 or 15 minutes, to find something you wouldn't just dismiss because it was cited by students and whatever reason you found convenient.

You're making a claim which is against common knowledge and understanding, so the onus is on you to support it. Not just say 'read X section of the GDPR' and treat that as though you've provided proof.

> asking me to do all the legwork of substantively explaining “some [interpretation of my evidence] that [you] can actually refute.”

No. I'm just first asking you to support your point directly and not with vague handwaving. That's more than reasonable.

> These asymmetries are beyond the scope of what’s warranted here: we are two people having a casual unpaid Hacker News discussion, not you as a judge or juror and me as a lawyer trying to prove my client’s case in court.

Sure. I'm not trying to make it that. But clearly one of us is incorrect. You've been confident from the start it's me, but instead of actually showing how, you're just saying read section X of the GDPR and wanting me to trust your interpretation as correct. How is that reasonable?

There's plenty of peer reviewed legal articles talking about EU overreach. There really are not many saying "whoah, hold up guys, there's been a huge misunderstanding!" - you didn't even provide so much as a blog post claiming that.

The way I see it, EU tribalism can be just as bad as US tribalism, and EU citizens often try to defend EU laws even when it doesn't necessarily make sense to do so. Like how many EU citizens will try and say cookie banners are not the fault of the EU and try to shift blame to the websites, which is nonsense.

> Similarly, if the point of me doing interpretive legwork is just to give you something to refute, that’s not worth my time.

Why do you think that stance wouldn't apply to me?

> I don’t think we have anything productive left to say to each other in this subthread, so don’t be surprised if this turns out to be my last reply to you here.

Fair enough. Take care.



