
America should borrow from Europe’s data-privacy law - kushti
https://www.economist.com/news/leaders/21739961-gdprs-premise-consumers-should-be-charge-their-own-personal-data-right
======
bognition
Generally I agree but I think the law should take a different slant. Rather
than providing consumers recourse after their data has been collected we need
to provide individuals the right to control what data will be collected. All
devices should have a label describing what kind of data collection they do.
This label should be on the packaging in easy to understand human terms (not
buried in the EULA). Additionally devices would be classified into
one of 4 different classes:

Class A - no data collection

Class B - anonymized statistics for diagnostics that cannot be used for
marketing

Class C - anonymized usage statistics that can be used in aggregate

Class D - Targeted collection that can be used for targeted marketing

Consumers should have the explicit right to opt out of any and all data
collection without risk of impairing the primary function of a device. For
example there is no reason a TV should need to be anything beyond class A
(maybe B). A smart speaker on the other hand needs to be a B maybe C. Nothing
should need to be a class D.

~~~
tlogan
I 100% agree with this approach. The problem with GDPR is the following:

- big corporations which do collect the data will lawyer up and still collect
data they do

- small companies will do whatever they can do and they will bet that
enforcement is going to be sparse

- the enforcement will be non-existent

So nothing will change. The GDPR will not improve privacy, not improve users'
knowledge of who is collecting what, will give a false sense of privacy for some
users, etc.

~~~
Joeri
Doesn't your argument apply basically to any law?

_The problem with tax law is the following:

- big corporations will lawyer up and still dodge taxes

- small companies will do whatever they can do and they will bet that
enforcement is going to be sparse

- the enforcement will be non-existent_

I don't know if you meant to do so, but you seem to be arguing governments are
incapable of enforcing law against companies.

~~~
chongli
They're pretty incapable against large multinationals. The sort that hoard
profits offshore for years and years, waiting for the tax holiday. CEOs can
outlast multiple election cycles to get what they want.

~~~
codeulike
EU fines Google record $2.7 billion in first antitrust case

[https://www.reuters.com/article/us-eu-google-antitrust/eu-fines-google-record-2-7-billion-in-first-antitrust-case-idUSKBN19I108](https://www.reuters.com/article/us-eu-google-antitrust/eu-fines-google-record-2-7-billion-in-first-antitrust-case-idUSKBN19I108)

Microsoft fined by European Commission over web browser

[http://www.bbc.co.uk/news/technology-21684329](http://www.bbc.co.uk/news/technology-21684329)

Apple ordered to pay €13bn after EU rules Ireland broke state aid laws

[https://www.theguardian.com/business/2016/aug/30/apple-pay-back-taxes-eu-ruling-ireland-state-aid](https://www.theguardian.com/business/2016/aug/30/apple-pay-back-taxes-eu-ruling-ireland-state-aid)

EU fines Facebook 110 million euros over WhatsApp deal

[https://www.reuters.com/article/us-eu-facebook-antitrust-idUSKCN18E0LA](https://www.reuters.com/article/us-eu-facebook-antitrust-idUSKCN18E0LA)

~~~
chongli
$2.7 billion is just the cost of doing business to Google. They had $32
billion in revenue last quarter.

~~~
zaarn
2.7 b$ is not simply cost of doing business. 32 b$ revenue doesn't mean 32 b$
profit, once you deduct cost you are left with a lot less. Under GDPR the
maximum fine grows to >4 b$ and that will hurt even more.

------
djsumdog
I know the EFF opposes the right to be forgotten. I'm curious if there are any
similar concerns with the GDPR.

The trouble with the right to be forgotten is censorship. The concept is nice,
but in the end, the right to be forgotten can mean corrupt powerful people can
censor their misdeeds.

I think something similar in the US would be problematic without our freedom
of speech. Even if you get a criminal record expunged, anyone who scooped up
that data, that was once public, does have the right to hold onto and sell it.

Not to say that's a good thing. It does encourage Labeling Theory, preventing
people with criminal records from being able to find legit work (a counter
example, the sex offenders registry in Australia is confidential. It can only
be accessed for very specific things, like employment at a school).

~~~
pktgen
I hope we can differentiate "I want the New York Times to remove an article
about me" from "I want Equifax to remove its business records about me because
I don't consent to them collecting my data for commercial purposes."

The former would clearly run into 1st Amendment concerns, but I'm hopeful the
latter can be allowed without the same concerns. Does the EFF oppose the
latter type?

~~~
closeparen
The foundation of the American economy is the fact that the financial
industry, and not you, owns the records about your credit history.
Disempowering data subjects is essential to making credit history a useful
signal about risk. Without that signal, lending would disappear overnight.
This would crash home prices and wipe out almost all middle-class wealth. It
would also probably eliminate the auto industry and severely curtail retail as
consumer credit disappears. A less indebted society might be good in the long
term, but that’s one hell of a shock you’re proposing.

~~~
theseatoms
You're right about the way these things currently work. But you'll still be
able to volunteer information about yourself in pursuit of a loan. Exactly who
will validate that information is another question. (Dare I suggest a
distributed credit ledger? :) )

There are quite a few startups in the lending space. But most I've encountered
rely pretty heavily on existing, underlying infrastructure, i.e. legacy
finance.

~~~
closeparen
A Blockchain is much worse than a credit reporting agency. Instead of one
entity having your records, everyone does!

~~~
theseatoms
Yes. Storing financial records themselves on the blockchain would be pure
insanity.

But I’m imagining a distributed reputation rating scheme. There’d have to be
some PageRank-analogous feature (I think that’s how PageRank works), so that a
high rating from an entity with a high rating is worth more.

Still plenty of issues to remedy... spam, sock puppets, etc. But I’d bet that
a distributed credit rating system could be built.

------
loudmax
Given the expense and difficulties of complying with these rules and enforcing
them, we should seriously consider the opposite approach of radical
transparency.

As the ability to collect and process data becomes cheaper and easier to
deploy, it seems to me that trying to preserve an assumption of universal
privacy and anonymity is trying to swim up a waterfall. Cameras are becoming so
cheap they're practically disposable. Facial recognition software and the big
data tools to manage all this data are also becoming more widely available.
Are we going to legislate against all that? It's one thing to monitor high
profile corporations like Google and Facebook, but if surveillance is cheap
enough, how do you make sure that _no one_ is amassing reams of private
information?

The worst case scenario is that while corporations and criminal organizations
continue to discreetly gather private data, the rich and powerful will be able
to afford the cost of privacy but the rest of us won't have a grasp on who
knows what about us.

The alternative to working against the tools that technology affords us is to
work with them. In some cases this means embracing radical transparency. We
define a narrow range of places that really are private, and assume that
anything that happens outside of those spaces is public. For example, what
happens inside of one's bedroom is private, but what happens outside of one's
front door is public. This information wouldn't be available only to the
powerful or well-connected, it should be available to everyone. In particular,
society should keep a close eye on the richest and most powerful people. Not
necessarily on their private lives, but certainly on their finances.

I'm not arguing that we should give up all privacy. Encryption works and is
difficult to defeat, so we should default to encrypting all interpersonal
communication. We don't need to give up privacy, but we do need to prioritize
what aspects of our lives should remain the most private. I do think that if
we're going to expect twentieth century notions of privacy and anonymity
with twenty-first century technology, we're going to have a very hard time of
it.

~~~
Sir_Substance
Radical transparency is far worse than the current situation.

You don't have an exa-scale storage array, and google does. Which one of you
is at an advantage if everyone has to share data with everyone else?

Radical transparency is nothing short of digital feudalism, it puts all power
in the hands of those that own the storage and processing. Let me now address
your needlessly dystopian post one point at a time:

1. _how do you make sure that no one is amassing reams of private
information?_

You license and audit large storage arrays. Peta-scale and above will do as a
start. You can detect those remotely from their power draw alone, so they
shouldn't be hard to find if you're not phoning in the job. They'll show up on
power grid stats more or less the same way large weed grow ops do, and we
already hunt those down in most western countries.

2. _The worst case scenario is that while corporations and criminal
organizations continue to discreetly gather private data, the rich and
powerful will be able to afford the cost of privacy but the rest of us won't
have a grasp on who knows what about us._

Indeed, so why would we deliberately make that a reality? Taking action on
data requires storage and processing capacity sufficient to process that data,
which no one other than the rich and powerful has. Additionally, transparency
laws are only going to reach the edge of your borders, so anything
confidential that can be offshored will be offshored to bypass your laws, but
only by those that can afford it.

3. _For example, what happens inside of one's bedroom is private, but what
happens outside of one's front door is public. This information wouldn't be
available only to the powerful or well-connected, it should be available to
everyone. In particular, society should keep a close eye on the richest and
most powerful people._

But in reality, no one except the rich and powerful has space to store footage
of everyone's front doors, so boots-on-the-ground journalism against the
richest and most powerful people will remain exactly what it is:
detect/predict first, and then selectively record. Meanwhile, you've just
created a law that allows facebook drones to prowl our neighbourhoods,
recording as they see fit. Are you even on our team?

4. _Not necessarily on their private lives, but certainly on their finances._

That's not going to work any better than it does today. Companies and
individuals alike _already_ funnel their wealth through shell companies in tax
havens around the world to hide their activity. Those tax havens will not
adopt your "transparency for everyone" laws, because their national income is
based on hiding people's financial activity, and your laws have just made that
service _even more valuable_. They also won't sell you the privacy protections
they're selling to the elite, because you're probably not rich enough. So all
you've done is ensured that ordinary citizens can never access the financial
privacy that the rich can buy off the shelf.

5. _We don't need to give up privacy, but we do need to prioritize what
aspects of our lives should remain the most private._

Sure, but we should prioritize it with a plan of eventually restoring privacy
for all aspects of our lives, not with a plan of doing a shit half-job and
then going for an eternal smoko.

~~~
devit
Google would have to provide it to you.

The way to achieve radical transparency is simply a law that says that if you
hold (some kinds of) personal data, you must make it publicly available for
free.

There's of course the issue that some things must be kept private (e.g.
authentication data, but maybe also things like web searches that are personal
but essential to use a service) and drawing the line can be hard.

The issue that this tries to solve is not really "privacy" per se, but rather
the existence of entities monopolizing data.

~~~
Sir_Substance
> The way to achieve radical transparency is simply a law that says that if you
> hold (some kinds of) personal data, you must make it publicly available for
> free.

That'll work, but the theorem behind it is nonsense. We're trying to prevent
people from building up secret stores of data on other people, but where I
would force such an individual so caught to delete that data, you would force
them to share it.

The enforcement cost is the same either way because it's mostly in the
discovery and the prosecution, so where's the savings in sacrificing all
privacy in the process? There is none, so we might as well keep privacy. What
a silly proposal.

~~~
devit
The idea is that users will no longer give services so much data if it's
guaranteed to become public (and thus services will no longer require or even
ask for it), so the rule will tend to enforce itself.

And if they do, then the data being public prevents those services from
gaining a competitive advantage from the data, thus making it easier to
compete with them, and resulting in a more competitive market and thus better
services at lower cost for users.

------
wpietri
For those interested in considering alternatives, I recommend giving the sci-
fi book "Queen of Angels" by Greg Bear a read. [1]

That novel follows a police detective trying to solve a crime. A major source
of tension is that all of the quasi-public data (public cameras, citizen
movements, credit card use) is in the hands of a separate institution called
Citizen Oversight. If I remember rightly, it was a separate, quasi-
governmental (or non-governmental) body, broken down by region and with
separately elected commissioners.

In the novel, the main focus is the relationship with the police, which was
very tense; Citizen Oversight was very stingy with data. But you could easily
imagine it having jurisdiction over corporate behavior around individual data.
And having an active regulator whose job it is to enforce broad _principles_
would have advantages over detailed rule-making fixed in laws. Especially so
if they were part of a legally independent body.

It was definitely interesting to think about. And given that it came out in
1990, surprisingly prescient on the topic of data and privacy.

[1]
[https://en.wikipedia.org/wiki/Queen_of_Angels_(novel)](https://en.wikipedia.org/wiki/Queen_of_Angels_\(novel\))

------
bowlofpetunias
It's not the law that's the difference here. The clue is under the headline:

> The GDPR’s premise, that consumers should be in charge of their own personal
> data, is the right one

That's not just the GDPR's premise, that's the very foundation of privacy as a
civil right in Europe, and has been for a very long time.

The GDPR is just yet another attempt to force companies who have wilfully
ignored the rights of millions of Europeans to start complying with laws we
already had in place. It's not something new, just an iteration in
enforcement.

America should make laws that suit America's values and principles, but as it
stands, America has no deep concept of privacy. The GDPR is alien to American
values.

(BTW, that quote is subtly wrong but illustrates the huge gap in perception:
it should be "citizens", not "consumers"...)

------
chimeracoder
To push back on the premise a little:

The intention behind the GDPR is good, but it still hasn't gone into effect
yet, and it remains to be seen what the long-term effects of it are. It's
really premature to draw any conclusions about its effectiveness, and history
provides us with countless examples of far-reaching regulation that either
failed to have the desired outcome, or in fact ended up exacerbating the very
problems that it aimed to solve.

With a law as massive as the GDPR, it's going to take several years to really
get a sense of what steady state will look like, and there are all kinds of
ways it can backfire. I hope it won't, but there definitely is a strong,
unfounded bias in discourse towards assuming that the GDPR will succeed in the
goals that have been projected onto it.

~~~
phicoh
I'm not a lawyer, but it is my impression that the main thing that is different
with the GDPR is the threat that it will actually get enforced.

In discussions about the GDPR I see things that are part of Dutch law for
years, in some cases dating back to the 1970s.

In practice nobody cared. In extreme cases the data protection authority would
say something. But they were mostly understaffed.

~~~
jimnotgym
> I'm not a lawyer, but it is my impression that the main thing that is different
> with the GDPR is the threat that it will actually get enforced

I think you are dead right. GDPR is an incremental modernisation of the 1995
EU regulation. There have been a number of cases recently that have shown that
Facebook, for instance, have been breaking the current EU law, but the
national governments (Germany, Belgium recently) have had a hard time
enforcing it in any meaningful way. GDPR will allow national governments to
enforce their existing laws. If you are a US company who was breaking, for
instance, the UK's Data Protection Act 1998 then I have very little sympathy
if GDPR now breaks your business model. Breaking the law, but exploiting
jurisdiction is not the kind of competitive advantage I will stand up for.

BTW you can't opt out of the law in a EULA.

~~~
avar
How will the GDPR allow EU member states to enforce pre-GDPR law? How was it
simultaneously law and unenforceable before?

~~~
stordoff
As I understand it, the existing Directive has to be implemented by member
states in domestic law. This makes it difficult for one member state to
enforce action against a company incorporated in another. As a Regulation, the
GDPR is directly binding and can be enforced at the EU level, rather than just
at the national level.

In some ways, it makes it easier to comply, because you just have one set of
rules rather than multiple national implementations of the Directive.

------
throwaway2016a
I think the US implementing something similar is inevitable. If not by the
government then by a privacy company (like PCI is for the card industry).

Already I've started to see contracts with credit card gateways include
PrivacyShield clauses.

Personally, all products I build going forward will be GDPR and Privacy Shield
compliant even though I am in the US. I recommend other entrepreneurs do the
same because it is probably easier to consider it now than it is to do it
later.

For example (to give context we have PCI requirements too) when someone makes a
change to the code we have an impact assessment that needs to be filled out.
Among those are the questions:

1. How will this change impact security?

2. How will this change impact customer privacy?

We fill it out for every single change request (even if the answer to both is
"It doesn't") just to document that we are thinking about it and engrain
thinking about it into the company culture.

~~~
r00fus
What's to prevent the ticket creators / assignees from simply saying "no
impact" by habit?

The danger for these kinds of controls is that you're trained to say "no
impact" many times (because there is none most of the time)

~~~
throwaway2016a
This is something filled out by the security and devops team not by the ticket
creator.

Also, best practice would be to have "No impact" require an explanation not
just simply a two word brushoff.

Edit: Also at some point you have to trust your team, hire the right type of
people, and embed it in the company culture that the analysis is something to
be taken seriously. If leadership takes it seriously the people filling out
the forms aren't going to brush it off.

------
no1youknowz
> The legislation is far from perfect. At nearly 100 articles long, it is too
> complex and tries to achieve too many things. The compliance costs for
> smaller firms, in particular, look burdensome.

Not here, but I have seen many comments on other sites that imply this will be
a burden on small companies implementing this and worrying about whether they
are compliant with some rules that can be interpreted in different ways. Also
answering requests for information which range from the benign and can be
automated to the letter which caused a stir on linkedin [1] and can be viewed
as complex and costly for a small business to answer.

The reason why I talk about small companies, in a lot of cases another already
overworked person will need to wear another hat and may or may not do a good
enough job. Versus the larger ones, they can implement a small task force and
get this out of the way.

I know some commenters on HN would disagree with this and mention that these
smaller businesses who don't adopt GDPR should go out of business. But I
largely disagree. Businesses which close due to regulations result in larger
market shares to those left standing. Meaning that competition and what
largely benefits the consumer dwindles down. Another knock on to this would
mean that prices go up, due to those same regulations.

However, what I haven't seen talked about which I wonder if it will make the
GDPR moot. Is that Trump is currently engaging in a trade war and I wonder if
any lobbying attempts are being made for him to exempt US companies from
it[2]?

[1]: [https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/](https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/)

[2]: [https://martechtoday.com/president-trump-save-us-from-the-gdpr-horror-show-213403](https://martechtoday.com/president-trump-save-us-from-the-gdpr-horror-show-213403)

~~~
Matticus_Rex
Just one data point, from me as a DPO-equivalent:

My company is squarely in the SMB camp at 21 employees and single-digit
millions in revenue across three business lines.

GDPR compliance has already cost us hundreds of thousands of dollars and will
cost us more as we go on. There will be some very minor benefits to our
customers, perhaps, but for the same amount of money we could 100%-definitely-
for-sure-absolutely give all of our customers things they would, if given the
choice, trade those benefits for.

That's the thing; it's like when you buy an appliance. You can buy the thing
that meets the needs for $X, or you can buy something that's better for $2X.
Of course, the better appliance would be better. Should we make a law that
requires companies to only make the better one? That law would provide a
benefit, because consumers would get the better appliance, right? Okay, sure
-- but at what cost? And what value-producing companies (because companies
_do_ provide value for customers!) are going to be marginally less efficient
and therefore marginally less effective and therefore, on the margin, go out
of business because of it?

There are valuable ideas in the GDPR. The execution is pretty crappy, and in
the end I think it likely _reduces_ net consumer autonomy because it gives
them _less_ choice in how they relate to companies.

~~~
GordonS
> GDPR compliance has already cost us hundreds of thousands of dollars and
> will cost us more as we go on

Wow, that's incredible! Can I ask where you are based and roughly how the cost
is broken down?

I just can't grok how an SMB would need to spend so much on something that
seemed relatively straightforward for my own business.

~~~
jimnotgym
It seems incredibly excessive to me unless your business model is harvesting
personal data. I work at a rather larger SME (multi channel
retailer/wholesaler) and we are spending almost nothing. But then we were not
doing anything creepy with our customer data before. We are updating some
documentation and will ditch some old data we don't need any more, reword the
privacy policy on our website etc. I am not apportioning any direct cost to
GDPR as these are all things that need attention periodically anyway.

------
jimmaswell
GDPR seemed unnecessarily overburdensome and limiting last time I looked into
it. I don't think we should have anything like it.

I don't really buy this concept that you have a reasonable expectation of
privacy on other people's websites and the site owners don't own data
collected on their services unless the EULA specifically says something to the
contrary.

As a practical matter, if we make it even harder to target advertisements then
we'll end up with even more of these "you've run out of articles" type sites.
I don't want to have to pay the ISP and then also pay every individual
website. Collect all the data on me you want to make it so.

~~~
_red
It's a thorny legal issue, and frankly I think there is very little support for
GDPR in common-law.

If you voluntarily walk into someone's private shop, can you demand that the
shop owner doesn't catalog that event? Is there an expectation of privacy
while walking on the public street? If you voluntarily agree to receive access
to a service in exchange for data collection, can that legal contract be
invalidated by decree?

Don't take this as some sort of support for Facebook, I personally have never
bought into the idea of social media. Luckily for me, I was a full adult long
before social media appeared, so I was able to rationally see that the mass
privacy invasion vs "free stuff" calculation wasn't worth it.

Having said that, you can't stop people from voluntarily submitting their data
in exchange for services - there is simply no legal theory in support of
banning that.

~~~
rowyourboat
> If you voluntarily walk into someone's private shop, can you demand that the
> shop owner doesn't catalog that event?

Unless you know the shop owner, you would not be personally identified, and
yes, in fact, it would be illegal to use technology that personally identifies
you when you walk into a shop. The event that _somebody_ walked into a shop
can be recorded.

> Is there an expectation of privacy while walking on the public street?

Insofar as no records are made of your movement, yes. It is illegal to record
somebody else's presence in a public space, although fair use examples exist
(in the background of a personal vacation photo, for example). There are zones
with video surveillance, but those are generally clearly marked. The general
expectation is that nobody who does not happen to be in the same place as you
at the same time knows that you have been there.

That is, in very broad strokes, the current legal situation in Germany pre-
GDPR.

~~~
ams6110
_It is illegal to record somebody else's presence in a public space..._

So, I can't take a snapshot in a restaurant or on the street if anybody is
visible in the background?

~~~
rowyourboat
You can, as I pointed out in that very sentence:

> It is illegal to record somebody else's presence in a public space, although
> fair use examples exist (in the background of a personal vacation photo, for
> example)

If you were to publish that photo, however, you have to get all identifiable
persons' permission or make them unrecognizable. That extends to other
information usable to identify somebody such as a readable license plate.

------
spdustin
Here’s what I’d like: any advertisement I see on the Internet should have a
small pictograph/icon/link I can select that tells me—specifically—why I’m
seeing that ad. Precisely what data points were used, was it remarketing, was
it an uploaded list of email addresses, etc.

------
em3rgent0rdr
I worry about a GDPR-like law preventing innovation, for example because
wouldn't it make IPFS-like storage, which relies on duplication and can't
remove files, illegal:

[1]
[https://en.wikipedia.org/wiki/InterPlanetary_File_System](https://en.wikipedia.org/wiki/InterPlanetary_File_System)

~~~
scarlac
You /can/ implement a deletion mechanism, but you just can't "guarantee" it. I
think it'd be up to a court to decide if that would be grounds for winning a
case against a potential company that used IPFS (I don't know any that do).

------
sakuronto
Maybe America should wait a bit to see how it goes before jumping on the
bandwagon. There isn't much to gain by adopting these (potentially beneficial)
standards sooner rather than later.

~~~
DerpyBaby123
There isn't much to gain for who? If regulations will help companies see that
hoarding personal data is a liability they will do less of it, and US
consumers will have less to lose in each new data breach by companies. That's
a lot to gain for consumers!

~~~
saryant
This assumes that the regulations successfully achieve their goals. Otherwise
we've fallen into the old trap "we need to do something, this is something,
therefore we must do it".

There is ample possibility that the unintended consequences of GDPR play out
in ways the regulators do not expect. Assuming otherwise is foolish.

~~~
tonyedgecombe
Absolutely, the EU is willing to conduct this experiment, you may as well wait
and see what the results are.

As far as I can see the companies targeted will do their utmost to avoid any
impact on their bottom line so it's quite likely they will discover plenty of
holes in the legislation.

------
paulie_a
America should have data privacy laws to begin with and a way to completely
opt out of Equifax etc

------
zerotolerance
As far as I'm concerned the Internet is public infrastructure and you should
never expect privacy of your behavior in public places. Besides, "identifying"
information should be useless, but it isn't today.

What if we stopped using "identifying" information as authenticating
information? PII is only useful because the authentication systems we have in
place are such sh*t. Changing this is a much more achievable scope, and would
actually address the core value of stolen PII.

------
golemotron
In the US is there a possibility of a 1st Amendment challenge? The act of
recording information could be seen as speech or publication.

If we take computers out of the argument it would look like this: the
government telling people that they can not take notes or make records of
information that they hear. Case law has found, for instance, that photography
in public (which is making records) can not be banned.

------
yalogin
Why do they define small companies using the number of employees or money they
make? In today’s world laws should be made based on the amount of data a
company has. If they have data on upwards of 10 million they need to comply with
all data protection and privacy laws. Companies should and will plan their
funding and operations accordingly.

~~~
nsp
How do you define 10 million pieces of data?

~~~
Sylos
Yeah, that's the hard part about this. If they have the IP addresses of 10
million people, that's probably less critical than if they have medical data
on even just 10 000 people.

But the IP collection of how-to-live-with-epilepsy.com might be worse, again,
since it implicitly carries the information that you do probably have
epilepsy.

------
handsome-mike
Could Americans take advantage of EU protections by using European services?

~~~
some_random
It seems to me like Americans might benefit from EU protections in any case,
since corporations have to (from my understanding) apply said protections to
EU citizens living outside the EU and those using VPNs to connect from outside
the EU.

~~~
icebraining
I don't think the GDPR applies to EU citizens outside the EU; only to people
_in_ the EU.

Also, the GDPR doesn't necessarily apply to every non-EU site that has EU
visitors, only to those who in some way target EU customers (the rules are a
bit ambiguous: [https://gdpr-info.eu/recitals/no-23/](https://gdpr-info.eu/recitals/no-23/))

So if someone outside the EU wants to benefit from the GDPR, the best way is
to use services by EU companies, as those are required to apply it to
_everyone_.

------
jrgaston
While I agree with the Economist, the idea that the US look outside its
borders for advice is laughable. American exceptionalism and all that.

