Why is shipping data different? If a certain drug is illegal in the country but not yours do you think you should be allowed to sell and ship the drug over?
The US believes it has extraterritorial jurisdiction as well in many places, even in some cases where it isn't their citizens that are affected.
In general countries may well claim that their law applies even if you believe it doesn't, you then break that law at your own risk, and given that the penalties can be pretty serious I would caution against this without having consulted with a lawyer.
Note that I'm perfectly fine with the EU protecting the rights of its citizens, being one of those myself, and that I'm also perfectly fine with the US protecting the rights of its citizens.
I'm a bit weirded out by how the US taxes its nationals even when they live abroad but if that's the law then that's how it is for now.
"Let’s say for example that you are a Chinese web shop with a website that is available in German, French and English as well. You also process multiple orders a day from individuals within the EU and ship your products to them. This will make you fall in the scope of the GDPR, even though you have no establishment in the EU and are not performing any data processing activities within the EU."
> You're trying to compare GDPR to general principles and it doesn't work. GDPR was a new type of law.
No, it's a law like every other. You abide by it or you end up dealing with the business end.
> "Let’s say for example that you are a Chinese web shop with a website that is available in German, French and English as well. You also process multiple orders a day from individuals within the EU and ship your products to them. This will make you fall in the scope of the GDPR, even though you have no establishment in the EU and are not performing any data processing activities within the EU."
I'll jump in here between the two of you and say that from my point of view it's you ignoring facts not jacquesm. I accept that if you believe jacquesm to be arguing in bad faith there's not a way to say that without it being a little bit rude, but I believe that description actually applies to your comments and not theirs.
edit: your original claim-
> GDPR tries to enforce its rules on servers outside of its territory.
It's enforcing rules on data sent to/from people in the EU and the servers (not just servers ofc), i.e. on companies offering their services to people in the EU. If the companies don't wish to follow the laws of a specific country (or in this case, all EU countries), they're welcome to not provide services to those users.
Since you seem to think the example they gave doesn't count because it's a Californian law not federal (not sure why that matters...), how about stuff like "The FTC engages with competition and consumer protection agencies in other countries to halt deceptive and anticompetitive business practices that affect U.S. consumers." ( https://www.ftc.gov/policy/international ) which includes laws such as COPPA ( https://en.m.wikipedia.org/wiki/Children%27s_Online_Privacy_... )
Or let's say there's a country in Europe where hacking and ransomware are completely legal, and a company in that country focussed their ransomware efforts on attacking American companies. Would you argue that either the USA wouldn't care about that because it's outside their jurisdiction, or that they shouldn't care because it's outside their jurisdiction?
No worries at all, I don't take that personally, but may I ask what facts you think I am ignoring?
The facts are as follows:
1. GDPR asserts extraterritorial jurisdiction. This is clearly documented and is within the text of the act itself.
2. This is unprecedented. There is no other law from any (let's say first world) country that asserts extraterritorial jurisdiction to anywhere even close to the GDPR.
I've provided links for both of these claims.
jacquesm is arguing against both of those facts, claiming they are not in fact true, and linking to US laws trying to state that they are the same thing, when they are not even close.
> It's enforcing rules on data sent to/from people in the EU and the servers (not just servers ofc), i.e. on companies offering their services to people in the EU.
Quoting from an earlier link I posted:
"Let’s say for example that you are a Chinese web shop with a website that is available in German, French and English as well. You also process multiple orders a day from individuals within the EU and ship your products to them. This will make you fall in the scope of the GDPR, even though you have no establishment in the EU and are not performing any data processing activities within the EU."
The point is that that Chinese web shop can provide services to EU citizens, and the EU has no way of enforcing any aspect of the GDPR on that Chinese web shop, and I'm pretty sure China would be the first to tell you the GDPR does not apply within its borders.
> If the companies don't wish to follow the laws of a specific country (or in this case, all EU countries), they're welcome to not provide services to those users.
In this case, the company could be following the laws in their home country, and be in violation of the GDPR just because an EU citizen bought something from them.
In this case, the EU is responsible for blocking the website, rather than the website needing to be in compliance with the GDPR.
> "This is unprecedented. There is no other law from any (let's say first world) country that asserts extraterritorial jurisdiction to anywhere even close to the GDPR."
Or a more recent example that's related to financial/fraud regulations rather than copyright law, look at the FTX / Sam Bankman-Fried situation. Being registered in the Bahamas didn't make what FTX was doing to US customers any less illegal in the eyes of the US justice system.
That's not an example at all. I'm talking specifics here. The GDPR is the first law of its kind that just outright asserts jurisdiction anywhere, as long as the origin took some data from an EU citizen. That is absolutely unprecedented. I'm not aware of any remotely similar law in commerce or communications in any other country.
Megaupload is about an international seizure of a specific company, not far-reaching broad open-ended legislation.
COPPA only applies domestically, and is significantly more narrow in scope. I know wiki says the FTC asserts it has international reach, but the actual text of the legislation (https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C...) says no such thing, and the wiki says that opinion isn't taken seriously.
I don't really see how to argue further since you seem to be intentionally missing the point and looking for minor pedantic nuances that don't actually change the situation. So I'll let you know that I still think you're entirely wrong, and agree to disagree.
That's fine, I respect you ending the discussion if you don't feel headway can be reached.
I will say I feel you are missing my point, and that you are claiming things like COPPA are equivalent because you are at a higher level of abstraction. When you get more specific, you will see that I am correct.
#2 is simply not a fact. Wikipedia has a page on extraterritorial jurisdiction. There's a list[1] of specific laws passed around the world that grant extraterritorial jurisdiction. How can you say there is no precedent?
GDPR asserts that anyone anywhere in the world must adhere to the GDPR if any EU citizens supply data to them. I'm not aware of any remotely similar laws in commerce or communications in any other country.
Having read this comment thread I feel compelled to comment that I find your reasoning bizarre. You started out with saying:
> GDPR tries to enforce its rules on servers outside of its territory.
Which you then clarified to
> It's still fascinating (and, I believe, a first) that the EU thinks they have extraterritorial jurisdiction just because their citizens are affected.
So it would appear as if your argument is:
GDPR is unique, because it exerts extraterritorial jurisdiction over servers whenever EU citizens are affected.
However, you won't relent. In the latest iteration of your argument you claim:
> I mean specifically in the way GDPR does it.
which you specify to mean
> GDPR asserts that anyone anywhere in the world must adhere to the GDPR if any EU citizens supply data to them. I'm not aware of any remotely similar laws in commerce or communications in any other country.
But you never ask yourself WHY ByteDance has a US presence in the first place? We could ask similar questions: Why does Facebook have an EU presence (in Ireland), why does Google?
I can concede that maybe I have not expressed myself well or articulated my points clearly. Allow me to try and clarify.
> GDPR is unique, because it exerts extraterritorial jurisdiction over servers whenever EU citizens are affected.
It's not simply the extraterritorial jurisdiction, it's that combined with how far-reaching and broad the GDPR is. The other examples people have given were either a seizure after an act was committed via a court order, or far more narrow in scope.
> However, you won't relent
Regarding COPPA, I provided references showing that a) the legislation itself does not assert extraterritorial jurisdiction in the way the GDPR does, b) that the wiki claims the FTC asserts extraterritorial jurisdiction but I can find no actual link to the FTC asserting that, and c) that legal scholars and the legal community seem to be of the opinion that COPPA only applies domestically.
Why should I relent when those points show that COPPA is indeed quite different from GDPR? What's the flaw in my reasoning here?
> But you never ask yourself WHY ByteDance has a US presence in the first place? We could ask similar questions: Why does Facebook have an EU presence (in Ireland), why does Google?
But that's the point! The US sued someone via COPPA when they had a US presence, and it was in a US court. There was nothing extraterritorial about it!
GDPR is saying they could take action against one lone Chinese person operating a small business from home within China, someone who has never even left China, just because they collected data on someone in France.
That's frankly ridiculous, and I maintain, unprecedented.
> Why should I relent when those points show that COPPA is indeed quite different from GDPR? What's the flaw in my reasoning here?
The flaw, in my view, is that you begin with something that sounds very general (GDPR is the first extraterritorial law!!) and wind up defending a very particular and narrow statement which appears distant from your starting position (GDPR is the first extraterritorial law that targets SERVERS).
> GDPR is saying they could take action against one lone Chinese person operating a small business from home within China, someone who has never even left China, just because they collected data on someone in France.
Personally I wouldn't base my interpretation of a complex, and to a large extent untested, international law on some document from an international conglomerate (i.e. Deloitte). I would ask myself, if there are any ulterior motives (i.e. profit) that might be biasing their view.
No one claimed otherwise.
It's still fascinating (and, I believe, a first) that the EU thinks they have extraterritorial jurisdiction just because their citizens are affected.