GDPR Resources
-
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
That said, goods or services is very broad. Is Kickstarter affected? There are EU citizens that participate in kickstarts, but the company is solely in Brooklyn, NY. Based on the above they would be, as would any other company in a similar situation.
No, because no goods or services offered in the EU.
Ok, now you're quoting the regulation incorrectly...
Actual text:
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or
processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data
subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.In Kickstarter's case they are offering goods and/or services to data subjects in the Union.
The key bit there is that the processor or controller in the EU is the tie. In all they example cases, there is a contract that connects someone to the EU. It's US companies, doing nothing in the EU, getting information about people in the EU, without ever being there, that is the issue.
To make it more difficult... consider that the US companies have no way to know that the data is about people in the EU.
Take ML for example, we have data the EU wants covered, but we have no way to know who is and isn't in the EU. Not only is there no means of enforcing the rule, there is no way to know what data it covers!
They key element in the link I shared above that goes to the EC site is that there is something that targets the good or service towards an EU member that is the delineating point of the regulation (leaving aside the enforce ability of the regulation). ML has nothing that targets EU citizens, but those things can be relatively simple and unassuming from what I've read, like language translation into an EU member language when that is not the native language of the country of origin.
Yeah, and it's SO loose that "we use English", or "we do tech and the EU is very technical", we are "pro business", we have a .it domain, etc. are all things someone might argue make us "target" EU citizens.
From your response it sounds like you are not studying the topic very deeply and are making some unfounded assumptions. I might be misunderstanding what you're getting at, but in the things I've linked they talk about what targeting EU data subjects actually looks like. It is not a list of things, but it gives examples of things that would be considered targeting. It isn't concrete, and probably never will be. That is the way of legislation. It requires case law to flesh it out.
Actually your .it domain might land ML in GDPR land because of the requirements to obtain that tld have very clear and direct ties to an EU member.
-
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
That said, goods or services is very broad. Is Kickstarter affected? There are EU citizens that participate in kickstarts, but the company is solely in Brooklyn, NY. Based on the above they would be, as would any other company in a similar situation.
No, because no goods or services offered in the EU.
Ok, now you're quoting the regulation incorrectly...
Actual text:
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or
processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data
subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.In Kickstarter's case they are offering goods and/or services to data subjects in the Union.
The key bit there is that the processor or controller in the EU is the tie. In all they example cases, there is a contract that connects someone to the EU. It's US companies, doing nothing in the EU, getting information about people in the EU, without ever being there, that is the issue.
To make it more difficult... consider that the US companies have no way to know that the data is about people in the EU.
Take ML for example, we have data the EU wants covered, but we have no way to know who is and isn't in the EU. Not only is there no means of enforcing the rule, there is no way to know what data it covers!
They key element in the link I shared above that goes to the EC site is that there is something that targets the good or service towards an EU member that is the delineating point of the regulation (leaving aside the enforce ability of the regulation). ML has nothing that targets EU citizens, but those things can be relatively simple and unassuming from what I've read, like language translation into an EU member language when that is not the native language of the country of origin.
Yeah, and it's SO loose that "we use English", or "we do tech and the EU is very technical", we are "pro business", we have a .it domain, etc. are all things someone might argue make us "target" EU citizens.
From your response it sounds like you are not studying the topic very deeply and are making some unfounded assumptions. I might be misunderstanding what you're getting at, but in the things I've linked they talk about what targeting EU data subjects actually looks like. It is not a list of things, but it gives examples of things that would be considered targeting. It isn't concrete, and probably never will be. That is the way of legislation. It requires case law to flesh it out.
Actually your .it domain might land ML in GDPR land because of the requirements to obtain that tld have very clear and direct ties to an EU member.
That's the list I'm working from. Read it carefully, it's sweeping and can include absolutely anyone, anytime, anywhere.
-
@kelly said in GDPR Resources:
Actually your .it domain might land ML in GDPR land because of the requirements to obtain that tld have very clear and direct ties to an EU member.
Except those ties are on their end, not the US side. In the US, it is just sold like any other domain. That there is a problem, it's on the EU side of things.
-
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
Actually your .it domain might land ML in GDPR land because of the requirements to obtain that tld have very clear and direct ties to an EU member.
Except those ties are on their end, not the US side. In the US, it is just sold like any other domain. That there is a problem, it's on the EU side of things.
Not how that works.
Just because you bought it from an American company does not mean that it is not potentially subject to rules for that country code.
The company that resells it to you has to agree to terms to be able to sell it in the first pace.
-
-
-
-
So yes, it is very likely that ML will fall under GDPR.
-
@jaredbusch said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
Actually your .it domain might land ML in GDPR land because of the requirements to obtain that tld have very clear and direct ties to an EU member.
Except those ties are on their end, not the US side. In the US, it is just sold like any other domain. That there is a problem, it's on the EU side of things.
Not how that works.
Just because you bought it from an American company does not mean that it is not potentially subject to rules for that country code.
The company that resells it to you has to agree to terms to be able to sell it in the first pace.
Correct, the one that sells it to me. They might be covered, of course.
-
@jaredbusch said in GDPR Resources:
So yes, it is very likely that ML will fall under GDPR.
Only if the registering party made a contract with ML to do so.
-
@scottalanmiller said in GDPR Resources:
@jaredbusch said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
Actually your .it domain might land ML in GDPR land because of the requirements to obtain that tld have very clear and direct ties to an EU member.
Except those ties are on their end, not the US side. In the US, it is just sold like any other domain. That there is a problem, it's on the EU side of things.
Not how that works.
Just because you bought it from an American company does not mean that it is not potentially subject to rules for that country code.
The company that resells it to you has to agree to terms to be able to sell it in the first pace.
Correct, the one that sells it to me. They might be covered, of course.
Incorrect, because you do not own it. Ever. Unless you prove different residency.
No one can sell it to you. A trustee owns it and said trustee is a legal resident and as the owner of it, they will be rquired to have it comply with GDPR.
-
@jaredbusch said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@jaredbusch said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
@kelly said in GDPR Resources:
Actually your .it domain might land ML in GDPR land because of the requirements to obtain that tld have very clear and direct ties to an EU member.
Except those ties are on their end, not the US side. In the US, it is just sold like any other domain. That there is a problem, it's on the EU side of things.
Not how that works.
Just because you bought it from an American company does not mean that it is not potentially subject to rules for that country code.
The company that resells it to you has to agree to terms to be able to sell it in the first pace.
Correct, the one that sells it to me. They might be covered, of course.
Incorrect, because you do not own it. Ever. Unless you prove different residency.
That's a totally different issue. The legal coverage does not exist without a contract specifying such.
-
@jaredbusch said in GDPR Resources:
No one can sell it to you. A trustee owns it and said trustee is a legal resident and as the owner of it, they will be rquired to have it comply with GDPR.
Correct, which agrees completely with what I've been saying.
-
This link was posted over on another forum just today --
https://techblog.bozho.net/gdpr-practical-guide-developers/ -
@danp said in GDPR Resources:
This link was posted over on another forum just today --
https://techblog.bozho.net/gdpr-practical-guide-developers/Thanks for actually replying to the thread topic @Danp. I'm not really sure what to do with this experience...
-
@kelly said in GDPR Resources:
@danp said in GDPR Resources:
This link was posted over on another forum just today --
https://techblog.bozho.net/gdpr-practical-guide-developers/Thanks for actually replying to the thread topic @Danp. I'm not really sure what to do with this experience...
Hey, I was supporting you
-
@scottalanmiller said in GDPR Resources:
Your average US based website is under no obligation to do anything for the GDPR, but US based websites are something like 90% of the coverage cases.
So I should setup a Datacenter in post-brexit UK so I have low latency to the EU, but can ignore GDPR?
-
@storageninja said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
Your average US based website is under no obligation to do anything for the GDPR, but US based websites are something like 90% of the coverage cases.
So I should setup a Datacenter in post-brexit UK so I have low latency to the EU, but can ignore GDPR?
Or you could just put a cheap one inches outside the EU anywhere, if that's your goal. UK is in the EU so will already have adopted the GDPR prior to leaving.
-
@storageninja said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
Your average US based website is under no obligation to do anything for the GDPR, but US based websites are something like 90% of the coverage cases.
So I should setup a Datacenter in post-brexit UK so I have low latency to the EU, but can ignore GDPR?
It's not a matter of ignoring the GDPR. It's it not existing to you if you are not in the EU. Same as we "ignore" all EU laws outside of the EU.
-
@scottalanmiller said in GDPR Resources:
@storageninja said in GDPR Resources:
@scottalanmiller said in GDPR Resources:
Your average US based website is under no obligation to do anything for the GDPR, but US based websites are something like 90% of the coverage cases.
So I should setup a Datacenter in post-brexit UK so I have low latency to the EU, but can ignore GDPR?
Or you could just put a cheap one inches outside the EU anywhere, if that's your goal. UK is in the EU so will already have adopted the GDPR prior to leaving.
What part of post-brexit is hard to understand?
