
I wonder what happens if I’m a European Citizen, which I am, but live in the US, which I do.

Does GDPR apply? Can I go around making annoying requests to apps and services I use?

So to my understanding, the law does not actually refer to EU Citizens, and rather it refers to people within the EU (citizen or not).

I found this excerpt from https://cybercounsel.co.uk/data-subjects/ informative:

A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers and Data Processors.

If the Data Subject moves out of the EU border and, say, becomes an expat, or goes on holiday, then their personal data processed under these circumstances is not covered by the GDPR and they are no longer a Data Subject in the context of the GDPR, unless their data is still processed by an organisation “established” in the EU.

So an EU business has to treat me under GDPR if I’m an EU citizen even if I’m abroad, but a US business does not.

That kinda makes sense?

Seems so, but the EU business has to treat all citizens under the GDPR, regardless of nationality.

I wonder if this could be attractive? "By EU law, we won't sell your data" is stronger than an American company's promise.

I've wondered about this too. The whole thing about citizenship affecting how you're treated on the internet just seems to have so many holes.

It is based on where you and the business are at, not the users citizenship. If you are in the EU you are covered. If the business is in the EU you are also covered. Data being processed in the EU is covered (and transferring it to the US is also processing it). In other words the data is covered by the GDPR if it is inside the EU at any point.

EDIT: So to answer the question directly: No, if you use a US located business from outside the EU you aren't covered no matter your citizenship, unless the data is being processed in the EU at some point.

As far as I'm aware any citizen of the EU is under the GDPR umbrella even abroad.

That does not appear to be correct in general, although it is correct in special cases.

Here's Article 3, "Territorial Scope", from the regulations.

---- begin quote ----

(1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

 a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

 b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

---- end quote ----

In the following, I'm going to say "company" rather than "processor or controller", and am going to say "EU company" or "non-EU company" instead of all that verbiage about established in the Union.

From (1) we have that an EU company has to apply GDPR everywhere to everyone.

From (2) we have that a company, regardless of whether it is an EU company or a non-EU company, has to apply GDPR if it offers goods or services to people in the EU or monitors their behavior in the EU.

(3) is just telling us that non-EU companies may also fall under (1) if international law says so.

Putting this together, it seems that for an EU citizen abroad they are under GDPR as far as EU companies are concerned, but are NOT under it for non-EU companies unless they are abroad somewhere where (3) applies. They are under it for non-EU companies only when being offered goods or services in the EU or when being monitored in the EU, so only when they are not abroad.

While that may be technically true, the specifics of the law would make it impossible to follow unless companies assumed everyone who visited their site was an EU citizen.

For example, using Google Analytics in many cases in the EU will now require opt-in consent, even for anonymous visitors. But unless a user registers and says, "hey, I'm an EU Citizen actually" you wouldn't know ahead of time. Makes much more sense to segment for EU IPs if you are a large company that relies on such stuff to make decisions.

> Makes much more sense to segment for EU IPs if you are a large company that relies on such stuff to make decisions.

That could be risky for EU users abroad or behind VPNs, no?

While I understand the 'plight' of companies who rely on data sucking in some way, this strikes me as a good reason to just assume everyone is from the EU and figure out how to make a profit despite that.

My unprofessional, based on nothing guess is that no one will be prosecuted for that kind of technicality, as there will be much bigger fish to fry of large companies totally flaunting major pieces of the law.

I'd love to set up a basic, solar powered, satellite VPN on Hans Island just to legally test this.

I don’t think that’s true with Google Analytics: the ToS there already prohibits you from storing personal data in it, so there are theoretically no GDPR implications if you’re doing it properly (e.g. /edit-account rather than /[username]/edit-account)
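The comment above hinges on keeping identifiers such as usernames out of what gets reported to an analytics tool. The following is an added example, not code from this thread and not Google Analytics' own SDK or API: it maps concrete page URLs onto route templates (so `/alice/edit-account` is reported as `/:username/edit-account`) and drops all query parameters except an allow-list, before a page-view payload is handed to whatever analytics client the site uses. The route list, the allowed query parameters and the payload shape are assumptions for this example; a real site would derive the templates from its router.

```javascript
// Added example: normalise page URLs before they reach an analytics tool so
// that usernames, record ids and free-text query values never leave the
// browser. Route templates and allowed parameters below are assumptions.

const ROUTE_TEMPLATES = [
  "/:username/edit-account",
  "/users/:id/orders/:orderId",
  "/search",
  "/",
];

// Query parameters considered safe to report (no user identifiers).
const ALLOWED_QUERY_PARAMS = new Set(["page", "sort"]);

// Turn "/users/:id/orders/:orderId" into a RegExp that matches concrete paths.
function compileTemplate(template) {
  const source = template
    .split("/")
    .map((seg) =>
      seg.startsWith(":")
        ? "[^/]+"                                    // one dynamic segment
        : seg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&") // literal segment, escaped
    )
    .join("/");
  return { template, regex: new RegExp("^" + source + "/?$") };
}

const COMPILED = ROUTE_TEMPLATES.map(compileTemplate);

// Replace a concrete path with its template. Paths matching no known template
// are collapsed to "/unknown" instead of being passed through, so a route
// that was forgotten in the list cannot leak an identifier.
function anonymisePath(pathname) {
  for (const { template, regex } of COMPILED) {
    if (regex.test(pathname)) return template;
  }
  return "/unknown";
}

// Keep only allow-listed query parameters; everything else is dropped.
function anonymiseQuery(search) {
  const params = new URLSearchParams(search);
  const kept = new URLSearchParams();
  for (const [key, value] of params) {
    if (ALLOWED_QUERY_PARAMS.has(key)) kept.append(key, value);
  }
  const out = kept.toString();
  return out ? "?" + out : "";
}

// Build the page-view payload that would be handed to the analytics client.
// The referrer is deliberately omitted: it may carry another site's identifiers.
function buildPageView(href) {
  const url = new URL(href);
  return {
    page_path: anonymisePath(url.pathname) + anonymiseQuery(url.search),
  };
}

// Usage: buildPageView(window.location.href) in the browser, e.g.
// "https://example.com/alice/edit-account?tab=profile&sort=asc"
// yields { page_path: "/:username/edit-account?sort=asc" }.
```

The deny-by-default choices matter more than the matching itself: an unlisted path becomes `/unknown` and an unlisted query parameter is dropped, so adding a new route without updating the list degrades the analytics rather than leaking data.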

We've posted two conflicting answers to this question and I think that's indicative of how little the law is understood, only a few weeks from going into force.

Just because people on message boards are posting different things doesn't mean the law is unclear. GDPR Art 3 is relatively clear that it wouldn't apply just because an EU citizen is in the USA. Once that person is in the EU, then it applies.

Well I didn't necessarily say the law itself is unclear, just that the understanding of it as a whole seems to be unclear. Anecdotally, almost everyone I speak to at events seems to have different views on what they need to do. I'm in the EU.

Once the courts settle it with the big fish like Facebook we'll have a more accurate understanding.
