GDPR is much more comprehensive than that, but most importantly it gives data privacy regulators real teeth to enforce with (fines up to 4% of global revenue).
The only way Americans (or anyone else besides EU citizens) will get GDPR protection is if GDPR-style regulation is enacted into law.
The downside with trying to use dark patterns: The courts say "Nah that doesn't count. Ergo you don't have consent, ergo fine!"
If FB actually leaves it like this, then they clearly believe that there's a lot more to be gained by not complying with GDPR
> then they clearly believe that there's a lot more to be gained by not complying with GDPR
This. Though more precisely it is the other way around: they have something to lose by complying globally rather than something to gain by not.
Extracting every last cent out of every bit of data they could possibly hoover up is their business model. I expect they'd be better of telling EU users to go elsewhere than applying GDPR style protections to non-EU users (which they won't do: even if they can extract less from EU users less is presumably better than none especially when network effects are taken into consideration).
> I work at a firm where we care about GDPR
Same here. Our clients use our systems to store a lot of information about their own users and their customers. But unlike facebook that information is not their primary business and source of income.
Limiting corporations power would be one thing but I don't expect any politician to move in that direction when either they're lobbied/bribed by the same entities they should limit, or face the risk of having their career destroyed (search for "mccarthysm").
a) it is not possible to tear it down and start over with good material/intentions/ethics
b) they do not want to change their model, because they are making money from their current practices
c) it is a VERY useful tool for evey government's dark/shady practices (gag order + give-us-everything)(exactly what every dictatorship does)
d) people need to be protected even if they don't understand the risks (e.g. houses are built following a code - even if people don't understand that walls need X material and I-beams need to have Y width).
Yes, the federal government is as bad (in reality, worse) than you say, but that's no reason to not take action against the thousands of other players that are blatantly following in their footsteps in terms of data collection.
Government is pretending to save people’s privacy with one hand, while forcing private companies to store people’s personal information with the other.
Lol, that could not be further from the truth, you have no idea of the amount of data private companies gather, the government has nowhere near as much data as Facebook, that's why the NSA has programs to incorporate Facebook data, the reason being that it's much better than anything they have got by themselves.
There's no government program which records your position in real time, your interests, all the messages sent to your friends, the list of your friends, their occupation and where they are in real time, the news you read, all the information you are looking for... All of that in real time with an accuracy similar to Facebook (and aggregated as well, people often forget that most government files are not as neatly organised as Facebook...) . I could go on forever on the data Facebook has, no government program gathered as much as this, it's not even close. Not even the Soviet Union managed to get that much data on their citizens.
Same for fire safety,road safety, air transport safety regulations, I am sure that many business people would benefit by ignoring this laws, so let's do what is better for some business people and who cares about society.
Related to GDPR specifically, don't collect personal data that your product does not need, is it hard? Maybe you need to put a bit of effort to be in compliance but if your product is hones then you are fine, if you are not honest and you were collecting data in the hope you maybe could sell it later then I understand why you don't like it,
Article 6.1c "Processing shall be lawful only if and to the extent that at least one of the following applies: [...] c) processing is necessary for compliance with a legal obligation to which the controller is subject;" exempts data collection by private parties if ordered by gov't, e.g. if they require communications operators to track subscriber identities or something else, then GDPR consent requirements don't apply.
So I'd say that it's materially true that "Data collection for security and intelligence purposes by governments is exempt from GDPR rules", as long as governments are doing this data collection according to whatever other laws they have passed and not in violation of them (which sometimes has been the case, though, with executive branch doing what legislative branch has forbidden them).
Member states have argued that intelligence services aren’t covered by EU law (their management is reserved to the member states), but since the basic principle of data protection is embedded in the European Charter of Human Rights, you can argue that EU residents (indeed, everybody) should be protected. It’s just that, unless individual countries write it into their law or a court successfully asserts its jurisdiction, there is nobody to enforce it against the intelligence services.
At this point private corporations 'helping' the government is exactly the worrying part because the government at least has some decorum and is keeping up some pretenses and you have to really be in the wrong place, at the wrong time and have an ethnicity that somewhat matches the supposed crime.
Meanwhile with corporations it's starting to look like a free for all between machine learning, big data, hidden internal Terms of Service kangaroo courts and so on. You can get blacklisted, flagged, (shadow)banned and not even know it. And then government or other corporation buys that Big Data DB and real fun starts.
If the government actually wants to capitalize on the data it has there is a lot of instant red tape applied. You can't just get arrested, told you're a terrorist and put in jail for 10 years with 0 process, 0 appeal and 0 documents (well, except with Gitmo but it's a special case).
Meanwhile the corporations can turn you into a functional half-leper in the modern increasingly online society and deny you business arbitrarily (or even secretly) as hell because their deep learning said so (and what they feed in there, what comes out, who made it and how - you don't get to know that), they don't care enough to admit a mistake and the most appeal opportunity you get is customer support ran by lobotomy patients. There's 0 recourse to being shadowbanned, hellbanned, blacklisted, whatever, sometimes even 0 contact option other than making a new account (which breaks their ToS in itself) and unlike the government that has watchful eyes on it from all sides for abuses you'll be told it's "a private business so they can do anything" or that you deserved it because it's a Cool and Good Company.
There was a story that some Palestinian guy got arrested because Facebook translated his "good morning" in some Arabic dialect into "attack them". If it wasn't the Israeli police arresting him but instead Facebook doing some deep mind big data crap and covertly flagging him as a potential terrorist then he might have found out 5 or 10 years from now that he can't get a plane ticket because some airline or other secretly sourced Facebook's DB and he has no way to even find out where that flagging came from because corporations are free to be secretive in their decision making.
Government also follows some logic (simplistic, biased, populist, racist or reductionist - sure, but still), while corporations can just spit out a verdict with 0 explanations with a link to 20 page ToS written in pseudo-lawyer pseudo-English and say that a video making fun of a mass shooter is suitable for advertisers and one of eating a carrot in a silly hat or swinging a banana around (it's not an euphemism, I mean an actual banana) is not.
 - https://www.theguardian.com/technology/2017/oct/24/facebook-...
 - https://www.youtube.com/watch?v=7uIn_3704pk
Congress should convene a hearing about how current and incoming EU laws are thinly veiled protectionism against US corporations and what should be done about it.
The GDPR, while a pain, are a response to decades of an industry that should have known better.
But we get to "protect our companies" as a matter of policy.
Just because many companies and startups are U.S.-based, does not mean that universal privacy laws/rights are targeting U.S. companies.
From my understanding, the GDPR applies equally to all companies, regardless of where they are founded.
I wonder if you know that the US passed legislation a few weeks back that lets the US government request any data on any user of an American company even if that user and their data are not on American soil. (Possibly thanks to GDPR) companies may object to that request if it contradicts local laws.
But yeah. Go on pretending that the EU lives to target American companies. From a European's point of view, American companies are not fined enough as they view privacy, data, sovereignty etc. as some abstract concepts that don't apply to them.
The only way I could see someone believeing that it's well protected is due to making money off of violating that privacy
Yes, the US regulations protecting our privacy rights are well-known, which is why the current Cambridge Analytica scandal couldn't happen, and triggered all sorts of... what's that? In fact, we have no privacy protections whatsoever? Oh.
The law also applies to European companies.
You've unfortunately posted other uncivil comments in the past, too; could you please (re-)read the site rules at https://news.ycombinator.com/newsguidelines.html and use HN as intended from now on?
The most ignorant fucking statement I have read on HN in a long time. The 2016 GDPR is an update to the 2002 EU Data Protection Regulation. It has nothing to do with taxes, profits or crippling any company. It is an enforcement of the EU Charter of Fundamental Rights.
"An update" as in adding new laws and regulations all of which are unneeded and all of which are targeting US companies.
Clearly not true, but exquisite in the context of the FB factory dodging tax via the Irish loopholes, and now moving away from Ireland as a base.
I very much value the good faith exhibited on this forum. This comment is the antithesis of that. It is nothing more than bigotry.
They are changing their terms of agreement to now say that people outside of the US are doing business with the US company. This means that only people in the EU will be covered by the GDPR. Probably that's what they should have been doing all along, but there were probably massive tax advantages to running their international company in Ireland.
For what it's worth, I'm a huge proponent of GDPR and I would probably do the same thing -- at least initially. They have a lot of users and GDPR is really tricky to implement when dealing with any manual processes. Limiting your exposure is common sense.
I'm looking forward to seeing what actually happens to Facebook when GDPR comes into force. You know people are going to exercise their rights and I just can't imagine they are prepared. As I've been going through this stuff in my job I can't see any easy ways to sweep this under the carpet -- you not only need to inform the user about what's going on, you actually need to record the lawful basis that you've told them you are using. If you just say, "Oh I have consent" then the user can withdraw consent. If you actually needed that information (like the user's name!) then you are absolutely screwed.
I fully expect some thoughtful users to nail them to the wall. And when that happens, I expect them to implement everything world wide because it will be a lot easier/cheaper than maintaining different processes all over the place.
The consequences for violating GDPR are quite severe -- up to 20 million euro, or 4% of global turnover, whichever is greater. Again, this applies to US companies even if it's a single record of EU personal data.
Furthermore, individuals are fully entitled to sue in the event of a data breach, and there is legal precedent in the EU for compensation of between 10-15k euro per person.
As to the question of EU law applying in the US, just look to financial regulation like Sarbanes–Oxley to see it going the other way.
This means that I can bankrupt small, careless companies that hold a few hundred users data?
The ICO (UK) has been fairly clear that the intention is not to fine businesses to the point where they cannot operate. It also seems fairly clear to me that they do not expect smaller organisations to jump through the same hoops as large ones such as Microsoft and Facebook. If you are a small organisation and you can show that you have and will continue to take meaningful steps towards protecting the data you hold and providing your users with transparency as to your processing, then the ICO and other regulatory authorities are not going to hit you with a 20M Euro fine .
I certainly feel as though the law is being perhaps misrepresented as some sort of anti-business regulatory overreach. I highly doubt the European Union wants to a) Drive businesses away from Europe and all that yummy tax money that they bring with them, or b) Piss off European consumers by restricting their access to all the fun things being provided by non-EU companies. It's not in the EUs interest to do either of those things, but there has to be a balance, right? The fact that organisations can collect huge amounts of personal data and when/if something happens just shrug it off (exaggeration, I'll admit). The current legislation doesn't give supervisory authorities (such as the ICO) enough of a bite to encourage compliance from larger companies. £500k (current fine limit) is nothing to an organisation that turns over billions a year globally. I'm sure in many of these circumstances the cost of compliance would far outweigh any fines handed out.
The debate here is very interesting though, as there are plenty of people viewing this from different angles. I wonder if some residents of non-EU countries here feel as though the EU (to them an unelected body) is effectively overruling their domestic legislation, and that this is not right. I can certainly understand the argument that whilst (in my opinion) this law could be overwhelmingly good for consumers, especially given the current climate, it could be viewed as setting a dangerous precedent for extraterritorial reach.
That's a problem, imho. We cannot rely on good intentions when it comes to the interpretation and enforcement of the law. Anyone who's gotten caught up in the quagmire of legal bureaucracy understands that.
The law is the law, and will outlast the good intentions of the authors or people currently in charge. If the law, as written, was not intended to be as such, then it should be amended.
Depending on the nature of the violation, it may also reflect the scope of the violation, such as fraud. This is a scenario where, again, the size of the business, or the risk of the business going under, is not taken into account.
If we really want two separate punishments for the same crime- one for small businesses and one for large businesses, because we don't intend on putting anyone out of business- then that should be a codified part of the punishment.
Within small companies, it's now easier to push for proper data security, for not being careless. "Boss, I know it'll slow down our release, but if we don't do it, we could go bankrupt!"
And as for ANY regulation, progressive enforcement should be the norm. We shouldn't expect the same level of data security from John Buckley's local tool supply that we expect out of Amazon.
Ha! Try telling that to the Americans ;)
Facebook moves 1.5bn users out of reach of new European privacy law
I feel like that's going to be more an incentive to ignore EU resident if the fees are that high. Even with a huge security budget, mistakes are made, is it worth it to risk that much cash? Check any gaming console, they have a pretty big incentive to keep the security pretty high, yet failed to do it so often.
That said, the existing legal precedents won't prevent the imposition of much larger fines when warranted after May 25, given the new law's higher maximums.
Then probably (or your employees) would not like to visit the countries there, etc.
Technically you should not be selling electronic services in the EU w/o EU VAT, so that already is sort of a breach... but no one chases so small fish.
By forcing EU ISPs to block your ip.
But if you're a VC funded business aiming to "change the world" and grow big, then it might be a problem for you later.
This will change anyways with the GDPR.
A bank with zero US financial system exposure can’t be penalized under FATCA because they have nothing to penalize. FATCA only works because banks have exposure to US assets.
The unintended consequence of FATCA is that it is dramatically harder for a US person to do any business with European banks — banks have closed accounts in order to reduce operational risk. So this “good law” (occurring to Democrats that passed it) actually made it much more difficult for Americans overseas and American companies who need overseas banking.
GDPR could be considered similar — it won’t have any jurisdiction if the company involved has no EU presence, but it could result in companies denying services to EU persons based on operational risk.
People should have thought this through much better.
Compare this to FATCA: https://www.irs.gov/businesses/corporations/foreign-account-...
And again FATCA and SOX applies to huge financial institutions that can afford all the lawyers in the world.
Say I make guitar picks and tuning forks in Zimbabwe I sell it online and I have costumers in the EU. I either need to comply with the GDPR which will be prohibitively expensive or will have to stop selling to EU customers.
The problem with the GDPR is that people don't understand both the inconsistency and the scope of it. Come 25th of May I'm sending a data access request letter to my dry cleaner which they will have to comply with within 30 days or face fines.
If you are a non-EU company and you don’t have any legal entities in the EU even if you deal with EU customers (retail) the application of GDPR isn’t going to be relevant at least initially.
(The fear for example is that PayPal etc. will force you to comply in the usually blind and deaf PayPal manner for fear of EU retaliation)
If you are a non-EU company with no legal entities in the EU but you are dealing with EU companies and process data for them those companies would have to ensure you are compliant this is a purely B2B route.
If you are a non-EU company with EU legal entities this is the vector the DPAs will use to go after you.
The GDPR is currently in a retarded state with near zero official guidance and definition for things that matter.
And as far as non-EU companies go GDPR is well in a though spot. GDPR does not trump lawful data retention and data access requirements in the EU those fall under then final jurisdiction of the high court but there is no way for them to influence non-EU law.
And SOX is a terrible example SOX affects a tiny portion of companies and those who need to comply are huge and there are clear definitions, requirements and arbitration channels which the GDPR lacks.
P.S. we’re talking so far about the periphery of the EU, Canada, Australia The US etc... when you’ll find a way to make Alibaba and China at al comply let me know please.
This is part of why I think GDPR is a disaster for startups. It's a massive regulatory burden which big companies will be able to comply with but small startups don't have the legal horsepower to handle.
Typical EU regulatory overreach.
The spirit of the law is really quite simple; my personal data is an extension of me, and if you want to store or process it, you need a legal basis for doing so, and need to be able to demonstrate this legal basis to me. If your startup is at odds with this, well then perhaps you're not the kind of company the EU wants to be doing business with.
Take, for example, my old blog. It has commenting enabled and a standard Apache config (where logs include IP addresses). If I want to comply with GDPR, I have to do a bunch of work around log rotation/encryption, provide tools for old commenters to go back and remove their information, and this is even the simple case that I'm not using any 3rd-party analytics.
No part of my "business model" is attempting to profit from personal data yet I have to jump through a bunch of new hoops.
My likely solution for projects is to simply block EU traffic going forward.
Assuming it's a personal blog then just don't capture any PII. Don't sell it, be prepared to delete a user's comments on request. Don't capture PII without informed consent.
I personally think so, but everything I've read about GDPR says they usually now are considered in scope.
Deleting comments is non-trivial. How do I verify that the person requesting deletion is the original commenter? How do I then wipe out every mention of their IP address from all my logs?
These are easily solvable questions for large companies, but overheard for small startups and personal projects.
Or, just block users from EU from commenting. I can see the win for the Internet here.
Wordpress asks for your name and e-mail to post a comment, doesn't it?
I guess the tuple (ip,name,email,comment_text) is PII?
> > (26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.
IANAL, but I'd be wary of saying that you'll be fine storing dynamic IP addresses. You'll probably need to have a rationale as to why you don't consider it.
There is no guarantee that comments stay anonymous. Commenters can, and do, enter their real name as their display name.
I don't even consider a random IP to be PII.
In the U.S., freedom of speech usually trumps privacy rights. It will be very damageable if the supreme court ruled that any EU citizen can limit US speeches based on their laws.
When I store your personal data, I should be allowed to do so under the 1st amendment that is about speech?
No. But I can ask you to remove my name and personal information from it.
Personally, I think it is a fundamentally important right that I be able to post a blog about how "the_mitsuhiko wronged me" in some way and have that information publicly accessible. European courts think you should be able to suppress such information—even if it is true.
The EU is not a single entity. It’s dozen of nations, more than 300M individuals.
Any law that gives power to users instead of companies harms companies.
To me, it's an acceptable trade off
Europeans want Facebook and Google and the rest, the EU doesn't. The EU != the europeans.
So international startups must now care more about what the EU wants than what european customers want. That's wrong.
In the meantime, european governments take measures that jeopardise private life, like putting black boxes at ISPs in France to watch everyone (aka. fight terror...).
GDPR is ideology. Not private life protection.
The only complaints I've seen about it are concerning people responsible for administrating data in companies.
GDPR represents an ideology of not giving corporations free reign to make profits at any human/social cost, but to reign them in and give people chance to consent rather than be data-raped.
Could you expand on how you think it's (solely?) ideology? What's bad about informed consent wrt PII?
"GDPR represents an ideology": one point we agree on.... "at any human/social cost": what cost? Can't I sue Facebook in a civil court if I suffer any prejudice just like I can sue any company?
Is there any "data-rape": if your data is processed only to choose which ad you will see, does it count as a "data-rape" for you? The ad you're seeing is the only thing of value on Facebook: your data has no value except to show you this ad.
Can you tell me where I can buy data from Facebook? I'd love to buy the friend-list of influencers who have set their privacy settings so that data doesn't leak. What? I can't? Doesn't FB sell people's data? ;-) What about famous artists private pictures then?
That's what people think of when they hear "Facebook is selling your data". They don't hear "Facebook is using your data to show you better ads which pay for the whole service".
Informed consent isn't bad. Have you read FB Terms&Conditions? Have you read the paragraph that says you're OK that FB has the right to use and reproduce the content you're posting on FB? You have already given your informed consent. Now you're trying to take it back.
The cookie pop-up is an example of EU overeach. Doesn’t help privacy, doesn’t UI, and now everyone is just dismissing them.
I know everyone here wishes this to be true, but what data are you basing this claim on?
People SHARE their life on FB. They don't expect it to be private.
When journalists tell them Facebook is "selling" their data, they believe it because many want to believe they're victims of capitalism (that's even more true in Europe because the economy is mostly in a bad shape). Instead, they fall victim of politicians who want control (EU politicians now have POWER over american companies! how exciting), and of journalists who don't like competition (journalists work for TV stations or newspapers who sell... ads).
The only thing that has value on your Facebook page is the ad. Not your photos. Not your comments. Not your sexual or political preference. Only the ad.
We've all been fooled.
But that's just business as usual, businesses are allowed to do things we consider morally wrong because that's just how things work.
And the second a law springs up that helps out the little guy, it's a massive governmental overreach. How dare government actually try to help people, think of all the businesses they are hurting!
This helps massive corporations (who can afford to comply) and hurts small businesses which cannot.
It doesn't help your argument when you misrepresent the truth like this.
There's absolutely no requirement for every individual who accidentally has an IP address in their logs to comply with GDPR.
In the case of web servers I can't see a problem with not recording IP if you're also gathering PII; or asking for permission in the PII submission; or say dropping the last digits from a dotted-quad as a default.
This is draconian legislation which unnecessarily causes many more problems than it solves.
I'm strongly considering simply taking down all my old blogs/sites because it's far too much work to deal with GDPR for anything less than a medium-sized business.
I imagine most CMS will have the option to do that at update?
My approach is one very much based on risk - how likely am I to receive requests from data subjects requesting deletion of their data? How likely am I to be subject to a targeted attack where people try to remove information from my server? How likely am I to be the subject to enforcement action if my server is hacked and data is leaked?
On one argument operating a blog is a purely personal activity and so out of scope of GDPR in any event. If you're outside the EU, GDPR will only apply if you are actually offering goods/services to those in the Union, or are monitoring them. I take the point about analytics in the second place, but in the absence of analytics, I don't see that making available a blog constitutes the offering of goods/services?
Mine too. The risk is massive fines, while I currently derive virtually no benefit from my online presence.
> On one argument operating a blog is a purely personal activity and so out of scope of GDPR in any event.
I also own a business and previously several of my clients have come through my blog postings.
In the UK for example the ICO who regulate data protection matters concluded 17,300 cases, in which only 16 of them resulted in fines.
I’m just intrigued as to how you have developed this perception of GDPR and data protection law looking to regulate small one man blogs out of existence?
/edit oh and my other point still remains - even if you’ve got some customers through a blog, you don’t appear to be within scope of GDPR on the assumption you’re not directly looking to do business with EU based customers (for example through offering payment options in European currencies).
There are huge industries with vested interests against privacy and consumer data protection and they have deep pockets. That person, if not instrumental in spreading misinformation, must then be a victim of it.
GDPR outside of the EU (for purely non-EU entities) is a non sequitur there are zero internal processes to make it work.
Lets take the most basic example the GDPR does not apply in a vacuum it's enforced and supported by Data Protection Agencies (DPA) in each member state which are responsible to ensure that companies in those member states comply with EU regulation like the GDPR within the context of local laws and regulations.
The DPA is responsible for the application of the GDPR within it's member state (and it's power is limited to that member state only but the GDPR does have a few venues for applying a local DPA directive across member state lines) it's also responsible for handling complaints in that state and it provides directives and advice to both law makers and the industry.
If I'm a UK company and need to deal with the GDPR (till Brexit do us part) I work with the ICO which is the UK Data Protection Agency. While other DPA might affect me the ICO is my primary source of both advice and enforcement and any issues that might originate in another DPA would still pass through the ICO.
Now I am a company in don't know where lets take Argentina I want to sell to EU customers which DPA do I answer too? which DPA to I ask for advice? How do I arbitrate complaints filed against me and to which DPA do I prove I handled data disclosure requests in a manner compliant with the GDPR? which DPA would know my local laws to ensure if my application with the GDPR was complaint with local data retention and lawful access laws?
In fact other than going through my own state/trade department and organizations what venue do I have as a non-EU resident and a non-EU entity to any EU services and resources.
The question to all of this is none as a non-EU company there is fuck all you can do even if you want to comply with the GDPR.
To a developer used to systems thinking this should not be rocket science. Most of it is just good practice. Kim Cameron came up with the laws of identity many years ago, which the GDPR is surprisingly similar to.
What court do you use to appeal a complaint or a fine?
There are no processes at all for a non-EU entity to function within the GDPR and saying it’s not rocket science isn’t going to change that.
In case of the EU you have your own local DPA other DPA local courts and high courts to appeal too and or work with.
As a non-EU entity you get nothing.
Any decisions of German DPA can be contested just as any other administrative decisions in German courts, the German DPA is fully under their authority. Yes, you won't have your local courts, but it doesn't mean that you can't appeal - you simply have to file this appeal where the contested decision was made.
As for the taxation part of your comment that is again an incorrect statement in fact it’s categoriclaly false.
If I as say a Brazillian company want to sell goods to an EU resident I do not perform any tax collection other than the local taxes in my country.
In fact it likely means that I can forgoe some local taxes like VAT or sales tax due to export.
You as the customer are obliged to pay all taxation related to this purchase which is usually paid when the item clears customs as the customs duty.
The only cases when one would collect tax on behalf of another country is when there is an explicit tax agreement to do so and process to support it. This is extremely rare and usually only happens within shared customs unions.
As a non-EU entity I legally can not collect VAT on behalf of EU customers because I have no way of paying that tax on their behalf.
Those weird things aside, this isn't about collecting VAT. It's about remaining within the confines of the law of the country you're conducting your affairs in.
It's like if I, as a Russian, wanted to sell a car to someone in the US, I'd have to ensure that my car meets whatever requirements/standards the US sets out for vehicles. If my vehicle doesn't meet those standards, which court do you think I'd have to appeal in, as a Russian selling a car to an American?
The GDPR has no mandate under existing international law.
The level of strawmaning is getting ridiculous when 2 countries sign a trade agreement you have 2 electorates which have a say in what is going to happen.
The GDPR extra-territorial application isn't just extra-territorial it's extra-judicial in which you have a law forced on you that you have had no saying in how it was passed and you have no saying it how it would be interpreted and or enforced.
This is tyrannical and I'm an EU citizen.
That’s not how this works. You are required to collect VAT and use the MOSS system to pay it quarterly.
Even if by some chance you are a small business that for an inexplicable reason does fall under this you can get out of this scheme fairly easily (VAT exemption rules apply) and more importantly VAT can be handled by a proxy e.g. a payment processor.
For businesses there is no VAT collection at all and all businesses must pay reverse VAT when purchasing (or providing) services from (and to) outside of the EU regardless if they fall under TBES or not.
This means that most businesses it's not an issue since you can have a turn over of a few 100,000 EUR spread across the EU without being required for registration.
This is also solved via your payment processors and what would you know the EU also offers you the infrastructure to register where is the one stop shop for GDPR?
You also must provide a service that is qualified for VAT since it doesn't cover all non-tangible goods e.g. anything that is actually produced by a human but is delivered digitally like professional services.
Brexit will make little or no difference unless you refuse to deal with EU citizens in any way the involves you having access to their PII or storing any information about them (including traces of their activity in your product/app/site.
GDPR will be carried over post-brexit, and even if it is later revoked by act of parliament and not replaced by something equivalent you'll still need to deal with it if you want to trade with EU citizens. If the UK refused to play ball and somehow blocked us from the punishments for non-compliance we will face inconvenient sanction by other means.
GDPR isn't perfect (is any regulation?) and their are certainly significant questions to be answered from the PoV of people operating outside the EU, and even some issues that may still require more clarity for those entirely operating here, but I wholeheartedly welcome it (UK citizen here, FWIW) despite being a data specialist and therefore having a bad nervous-twitch reaction to any idea of a non-soft delete operation!
The GDPR isn't perfect it's just none workable for companies that are not in the EU.
1. You have a subsidiary in EU, in which case that is who will get fined or will have to deal with the DPA where it is registered
2. You don't, in which case the EU can not fine you?
The logic dictates is that it won’t apply to companies that simply dont have any legal presence in the EU.
But that is not defined because again there are no exceptions.
However PayPal might enforce it on you in fear of the EU going after PayPal because it’s expected that all EU companies would require GDPR compliance from their business partners overseas that perform any data processing for them or are exposed to EU PII.
However how this compliance to be achieved, validated and arbitrated isn’t defined either.
The GDPR isn’t clear only anything it rewrittes agreeable concepts of localization which have much more severe applications than simply the GDPR.
It also provides zero channels and infrastructure for non-EU entities to comply to the GDPR in a manner which is offered to local EU companies.
If the GDPR would define its scope as if I can buy form you you must comply what stops the EU form mandating I must collect VAT on their behalf?
Recital 23 of GDPR will give you insight into how your Zimbabwean guitar pick seller would be treated. If they are consciously offering picks to data subjects in the EU, either through specifically referencing EU data subjects, or through offering picks in EU currencies or tailoring the site for different European languages, then they are likely in scope.
Conflict of laws provisions are a separate point, however in various areas, the GDPR expressly states that legal obligations override GDPR obligations in various areas.
Whenever any company considers that a law may apply to them (whether as a result of operating in the country or because of the extra-territorial implications of certain laws, like GDPR) they generally take advice from local lawyers as to the implications or do independent research.
The regulation is obviously available and there is a host of interpretative guidelines issued by the Article 29 Working Party which will enable anyone with enough time and desire to understand the implications of compliance. I'm not sure what kind of assistance you're looking for here? It's incumbent on the party who wants to operate in a country/provide services to users in that country to understand the relevant laws.
If you disagree with the extra-territorial application of the GDPR then that's a separate issue. Bringing international tax treatment into the discussion is also not of relevance.
Add to that the fact that you now have laws enforced on you that you have no control on how they were written or are enforced because you are not part of the electorate that passed them.
International law is applied when 2 countries agree on a common set of rules in which case you have 2 representative electorates which are mediating an agreement.
The GDPR has no legal basis of application it's not part of any trade agreement or any other international agreement between the EU and other countries.
The claim that it somehow applicable is essentially tyrannical despite the intent of the law the means through which and the fact that people support it's universal application is terrifying.
What is even more terrifying is the likely means of enforcement which will be through the multinationals.
>The regulation is obviously available and there is a host of interpretative guidelines issued by the Article 29 Working Party which will enable anyone with enough time and desire to understand the implications of compliance. I'm not sure what kind of assistance you're looking for here? It's incumbent on the party who wants to operate in a country/provide services to users in that country to understand the relevant laws.
What are you even trying to say here? If I don't live in the EU, have no legal presence in the EU I have no means through which I must comply with the GDPR.
Mandating that I would create a local legal entity to serve as a proxy in a member state is a violation of existing trade agreements and WTO rules.
Enforcement of extra-territorial laws must be done through a process which is agreeable and understood by all parties.
>If you disagree with the extra-territorial application of the GDPR then that's a separate issue. Bringing international tax treatment into the discussion is also not of relevance.
This entire debate is about the extra-territorial application of the GDPR, bringing international tax treatment is super relevant because it's an established framework and it already establish things like localization which are critical for extra-territorial application that the GDPR must follow.
People really need to wake up and understand that the GDPR isn't about Facebook or eBay, Amazon or the likes it applies to them equally as it applies to your local dry cleaner or hair dresses which collect and process Personal Information as defined under the GDPR and are subject to the full extent of it's regulatory requirements.
What is more frighting is that through commerce of either tangible goods or services this regulation can be applied to non-EU entities in not only a extra-territorial fashion but in also extra-judicial one.
The reality is that either many small businesses or businesses regardless to which the volume of trade they have with the EU is less than the cost of compliance would likely be forced to stop offering services to EU consumers or switch to a proxy like well eBay or Amazon.
The scope of regulation like FATCA or SOX which were mentioned here as examples applies to institutions that can afford it and can handle it.
The GDPR applies to everyone equally, actually that isn't true if it applies to non-EU entities it doesn't apply equally it's much more costlier to them. If nothing else is then just by your ridiculous example "consult a lawyer" then a GDPR lawyer in Belgium or the UK would be fairly cheap since it's an established local law, to get the same level of advice and to get arbitration with a DPA in say Bolivia you can't go to an ambulance chaser you'll be limited to an international law firm.
Not to mention that getting legal advice for such services can be achieved for free in the EU through the local DPA and or various organizations like Citizen Advice which provide legal assistance.
I was responding to your point that there were zero channels to help non-EU companies to comply.
I’m really not sure on what resources you think are available to EU companies that are not available to non-EU companies? You would definitely not get GDPR advice at the Citizens Advice as they have more important matters to deal with. To the extent a local regulator would provide guidance to an EU company, I am certain they would also provide to a non-EU company looking to comply. You present it as a clear distinction between EU vs non-EU companies but that simply is not the case!
We can agree to disagree on the pros and cons of an extra-territorial law but don’t misrepresent the position in terms of help available to EU vs non-EU companies.
Also your point about hairdressers is nonsense. A non-EU based hairdresser is very muh out of scope of GDPR!
And please tell me how say I as a small merchant in any country outside of the EU can get in touch with them and get services from any of them.
Better yet please tell me how a lawyer in Mexico or the Philippines would be able to advise me on GDPR unless they are part of a top tier international law firm which operates in the EU and has experience with GDPR.
Please let me know to which non-EU bar associations were provided with materials and guidance and have conducted workshops and seminars in order to ensure that they would be able to provide legal advice on this manner by a DPA or any other EU regulatory agency.
>You would definitely not get GDPR advice at the Citizens Advice as they have more important matters to deal with.
Wanna bet? citizens information board (CA in Ireland) already offers such service (so does Citizens Advice Edinburgh), in the UK the ACF provides GDPR related legal council to foundations, a lot of other industry organizations offer similar services.
> I am certain they would also provide to a non-EU company looking to comply. You present it as a clear distinction between EU vs non-EU companies but that simply
They will not provide any service or information to you, in fact they are forbidden from doing so trying contacting an MP who isn't yours or an agency outside of your member state.
>We can agree to disagree on the pros and cons of an extra-territorial law but don’t misrepresent the position in terms of help available to EU vs non-EU companies.
There is anything to disagree about, this isn't about extra-territorial law this is about extra-judicial application of it which is tyranny since you are applying laws and regulation outside of the scope of international law and frameworks. The fact that you accept this as something good makes me think that the brexiters might have had a point.
>Also your point about hairdressers is nonsense. A non-EU based hairdresser is very muh out of scope of GDPR!
I think you should practice on your reading comprehension I'm in the EU on the 25th of May I am submitting a data access request letter to my dry cleaner (I like my hairdresser), Pristine Dry Cleaners just for the lolz and to show just how ridiculous it can be.
I know for a fact that they have my name, address and phone number since it was required during registration and I also know that their branch in East Finchley shares the same database as the one in Lancaster Gate since I've used both despite being different franchises so I really want to know who they shared those with.
Apologies also - I took Citizens' Advice in the narrow sense of the Citizens Advice Bureau (I used to work there so it's in my subconscious) who generally deal with benefits, employment and housing law queries. I took a look at the citizensinformation.ie and did a search for GDPR - I can't see much in the way of materials unfortunately. ACF makes materials available which can be read by anyone regardless of location. Sure, they might make advice available to local entities, but this would be a small benefit to EU orgs vs non-EU orgs.
However I still don't really follow your point how organisations will approach GDPR compliance in general and the idea that there is a massive gap between what is available to EU entities versus non EU entities.
For lots of organisations, GDPR will not be on their radar, and life will go on as normal post May 25th.
For organisations aware of GDPR, their route to compliance will be through reading the source materials and supporting materials available on the Art 29 Working Party website. That is the case regardless of whether the organisation is in or out the EU. They can consult materials from third parties like ACF but the core materials are as above.
I don't really think contacting your MP or actually contacting a regulator is something which many entities have actually done because actually the base regulation and the interpretation notes are sufficient to understand what an organisation has to do to comply (again available to anyone who cares to read). In terms of court access
In terms of access to legal advice, then I don't quite think it's as bad you paint out here! I've instructed local counsel in multiple countries direct and it's a straightforward process and those firms were not part of a top tier international law firm network. Often smaller local firms have firms of similar sizes in other countries that they can refer work to. If other peoples' implementations of GDPR are anything like my company's then the extent of legal advice sought will have been limited.
I think overall I take your point that resources on offer to non EU companies may be a more limited, but overall the core resources are the same. Lots of non-EU entities have been working very hard on looking to comply with GDPR using the above resources and taking local legal advice where relevant. I agree that for smaller organisations this is more problematic, but this is the case regardless of location to an extent.
I do take your point about the extra-judicial nature though. We will have to see how things work out. My instinct is that for lots of companies it will be business as usual and the local regulators will have bigger targets that they want to go after.
We also maintain compliance in the financial sector and we have both very good in house and external counsel which works with both the ICO and political institutions to ensure we meet our compliance.
The fact is that as an EU citizen you have a say about how the GDPR is applied and you have a say in how it will be enforced and interpreted.
As a non-EU entity you have no voice.
You also cannot ask for assistance from any EU or member state body.
You also don’t have access to DPA run events for example: https://ico.org.uk/about-the-ico/news-and-events/speaking-en...
Now if you want a good comparison as you have worked for a legal aid organization before you can likely estimate the hourly billable of a lawyer in the UK to provide you counsel on UK or EU law vs say FATCA or SOX.
My bet is that it would likely be at least 3 zeros in difference.
The fear isn’t that a DPA would go after you, but rather that they’ll force service providers to compell you to comply.
Under the GDPR for PayPal to remain compliant it needs to ensure that all merchants that use it to receive payments from EU residents are also compliant because you share your Personal Information with PayPal who then shares it with the merchant (name, email, address, phone number etc.).
This is going to be the likely channel of enforcement not them dragging you to court.
In practice, I doubt that they'd get the US to enforce judgements. But it might mean that I can never risk going to Europe again lest I risk having a default judgement enforced against me for one of my businesses.
The mere availability of a website is not sufficient however to satisfy the above. Recital 23 below gives more details about those factors:
*Whereas the mere accessibility of the controller's,
processor's or an intermediary's website in the Union, of
an email address or of other contact details, or the use
of a language generally used in the third country where
the controller is established, is insufficient to
ascertain such intention, factors such as the use of a
language or a currency generally used in one or more
Member States with the possibility of ordering goods and
services in that other language, or the mentioning of
customers or users who are in the Union, may make it
apparent that the controller envisages offering goods or
services to data subjects in the Union.*
Add on language and currency, basics of accessibility, and you're meeting the definition AFAICT.
If you would push for this the only thing that would happen is that companies would stop accepting orders from the EU.
If this is going to be the definition expect a lot of store fronts to be closed to EU residents following May 25th or more likely the first time this precedence will be set in court.
Similar things happened with USA's actions on Silk Road, KAT, with Kim Dotcom, and I'm sure many other legal situations I'm not aware of.
EU is seemingly extending logical contact to be equivalent to entry to a jurisdiction as USA appear to have established is desirable as a facet of inter-national application of law in the internet age.
I much prefer the extension of jurisdiction in protection of member states citizens rights than in the service of media conglomerates.
In no way shape or form does US law has a direct mandate outside of the US.
All the examples you've given were those of actions performed through established legal channels to which all parties had and have a saying in.
Extra-territorial application of the GDPR under existing frameworks (or the lack thereof) is tyrannical because you apply it to people that have had no saying in the establishment of the regulation and have no control over the interpretation and or the enforcement of it.
PayPal could tell you you must comply to accept payments form the EU and likely in the same manner they handle everything which means no guidance, benchmarks or clear directions and it would be up to you to figure it out.
By PayPal I don’t mean just PayPal but any other payment processor or service provider which you are dependent on.
Where's the burden? Only collect the data you need; tell people what you're collecting and why; only keep it for as long as you need; keep it safe.
These are not burdens.
"Take, for example, my old blog. It has commenting enabled and a standard Apache config (where logs include IP addresses). If I want to comply with GDPR, I have to do a bunch of work around log rotation/encryption, provide tools for old commenters to go back and remove their information, and this is even the simple case that I'm not using any 3rd-party analytics."
If it is a company. Yes, it will require more work. That is the nature of regulation, but the demands placed on companies are not unreasonable in any way. I would place it on the same level as stores being required to provide receipts, or restaurants being required to clean the kitchen. It certainly was easier when they didn't need to do that, but don't we agree it's an reasonable burden to place on businesses to guarantee an acceptable level of service?
Restaurants being subject to local laws around hygiene makes sense. It would be far stranger for restaurants to be subject to health codes from across the world just because tourists occasionally visit.
I had no say in GDPR but am forced to comply, despite the overheard it entails without any actual benefit to user privacy (in my case).
Also, you can keep logs (with IPs) if the purpose of the log is to prevent abuse. If you are only keeping the log on because it was the default, that is a bad reason to keep them, and is not in compliance with GDPR.
If you are keeping the log because you are selling the data to Facebook for data analysis, and are sad because you have to turn them off for EU citizens. I’m not sorry that you are forced to comply.
It's not strictly personal, in the sense that I post technical content which sometimes leads to me being hired for consulting engagements.
> If you are keeping the log because you are selling the data to Facebook for data analysis, and are sad because you have to turn them off for EU citizens. I’m not sorry that you are forced to comply.
I honestly cannot tell if you are trolling or not.
Do you truly think Facebook has a program where I can sell them my Apache logs of a few daily visitors?
Yes, it would be more challenging, and inconvenient, and probably a massive pain in the ass not to log IPs by default, but if the end result is a weakening of the power of modern social media companies (and political and law enforcement agencies) to exploit people's data for nefarious ends without consequence, then society as a whole, and the web, benefit.
Mind you, I don't necessarily believe GDPR is the solution, or that logging IPs is unreasonable, but I do welcome the conversation people seem to be having about who owns their identity.
If you're using a CMS then it's going to be type the username and hit "delete all comments"; maybe WordPress et al. do this already.
With a small blog the administration of that is going to be facile, surely.
And by the way, most blog comment systems don't require you to create an account before commenting. So this "have them post a comment using their credentials" wont work anyway.
Personally, I don't even think people should have the right to go back and delete a comment from years ago, which might have started a whole interesting discussion. But the EU requires that I think through such a system, including finding a way to identify them as the commenter and purge their PII from all logs/backups/caches as well.
If the blog is purely personal the GDPR does not apply.
> The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
And if GDPR does apply you only have to do the extra work if the IP addresses can be used to identify a natural person. Note here "can be", not "is".
> Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
> (26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.
And article 4
1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
IANAL but for me this doesn't sound like a blog, open to the public, maybe even with a public commenting system, would be freed from the burden of the GDPR.
IPs "can be", not "is" personal data
It doesn't help you that IPs are not always personal data, as soon as they can be, you have a problem if you store them.
Though they have a lot of users in the EU (population 700M), it seems that once they figure out how to do it for their 250M (?) EU users, expanding it to 2B users is not a huge stretch.
When the flood of letters starts, THEN they will feel the true pain/essence/extent of GDPR.
E.g. when my bank will get MY letter asking them who they share my data to, and asking them to STOP sharing my data with friggin FB (WTF???) on their app.. it will be fun to watch them squirm.
You are probably counting 'Europe the continent' rather then the EU (where the GDPR will come in effect) which is rather lower at 525 million or thereabouts.
Schrems has basically single-handedly proven that Safe Harbor, and I think the Privacy Shield, too (soon to be decided) have been violating the EU Charter of Fundamental Rights and the right to privacy under the European Convention of Human Rights.
> What does "noyb" stand for?
> We use “noyb” as a brand name. The name was suggested by a twitter user, and is the abbreviation of “none of your business”, which fits quite well with the goals of “noyb”, because your privacy is none of a company´s business.
Well, only screwed if they want to keep their account? I can assume that resulting in Facebook closing down your account.
All in all, I doubt millions of people will request data under the GDPR. But I guess the fines are significant enough to worry about it.
That's actually pretty horrible. How about freedom of association and freedom to contract? These two are basic human rights. If one thinks their privacy rights are not respected they are free not to associate or contract and same thing for the entity on the other side of the contract, why should one party be forced to contract anyway? This is authoritarian. The basis of a free society is the freedom to contract and associate between individuals. If the GDPR makes that impossible and it's highly liberticidal.
It's done in the same manner as with other consumer contracts - there's a broad range of contractual terms that (in EU) automatically are unenforceable if they're put into a "take it or leave it" consumer contract; GDPR clarifies that permission to use private data is one of such terms; this permission cannot be transferred by some term in a nonnegotiable contract.
I.e. if customer A clicks "agree", customer B clicks "disagree", and you deny service to customer B because of that - then this means that the "agreement" of customer A (and everyone else) is worthless to you, it means that these clicks don't indicate freely given consent and thus do not give you permission to use their data, as customer A can reasonably claim that they did not really want you to use that data in this manner and they clicked "agree" only because you'd refuse them service otherwise.
The legal wording is such that you can't (and shouldn't be able to) gain GDPR-consent unless the users actually want you to do the thing you do with their data; GDPR requires that they know what exactly you'll do, and they without any coercion give an explicit opt-in indication that they want you to do it, and they can freely revoke that permission.
How free are you when one of the parties is naive (in the context of the contract) and has little power, and the other party has the interest, the means and the power to force an unfair contract?
Freedom of association implies the freedom to NOT associate. Yet non-Facebook users are tracked by Facebook, without their consent.
Laws like GDPR are needed to help protect individuals from powerful interests.
If you choose the consent lawful basis, then the user is allowed to withdraw consent. In fact, they are allowed not to give consent in the first place. If you choose the contract lawful basis, then the user can't withdraw without cancelling the contract. However, they can object if they believe that there is no reason you need the information to complete the contract. If you choose "legitimate interest", then the user can object and you have to show that the interest is indeed legitimate and that there is no other way to do what you are doing without the private information. One of the things explicitly prohibited is profiling. So it's quite complicated.
The key is that once you have informed the user of how you are going to use their data, you can't change your mind (within the same business context). This means that you have to be very, very careful. If you decide to use consent (in my example), but you should have used contract, then you are in big trouble. If you say that it's part of the contract but it's not strictly necessary to provide service, then you are in big trouble. Etc, etc.
One thing that I think will be very interesting is under what lawful basis FB publishes your real name. If it's consent, then you can withdraw it. If it's contract... do the really need you real name to give you service? Legitimate interest... Yes, potentially, but I don't see how they will get away with sharing your name with the whole world.
I'm very much looking forward to seeing how it pans out.
We tried that. It didn't work.
> The basis of a free society is the freedom to contract
You cannot write any contract as you want. They are limited, and for very good reasons. One example is indentured servitude. It's basically a contract you voluntarily sign that binds you to work for a party for a duration of time. Does it sound reasonable at a first glance? It's considered slavery today and is almost globally banned.
> We tried that. It didn't work.
It did and still does work. People freely give away their information, giving up their rights to privacy, in exchange for services they want. I really don't see what the big deal is, and GDPR is a massive overregulation.
In most (?) countries we deny the right to contract on many things, contracts that avoid taxation, contracts that involve selling human organs, contracts that make slaves.
It avoids power imbalances from causing desperate people to do things that dehumanise, disenfranchise, and devalue them.
I think you'll find this libertarian "right to enter into any contract for anything" doesn't exist in EU law.
The Charter of Fundamental Rights doesn't list it. It does list the right to protection of personal data.
> 1. Everyone has the right to freedom of peaceful assembly and to freedom of association at all levels, in particular in political, trade union and civic matters, which implies the right of everyone to form and to join trade unions for the protection of his or her interests.
But I don't think the person I'm replying to above was thinking of labour unions. ;)
If you don't, not if can't. If you can demonstrate a reason that that piece of information is absolutely necessary for your service then you can deny service if the person doesn't want to provide the data. Otherwise you could submit a complaint about any delivery service for refusing delivery if you refuse to give them your address.
If you don't provide a reason why that data is necessary and still require the person to give it to you, then yes, you're in for some pain.
Not that I'm against the GDPR. It seems to be a great law for consumers.
I see this turning into an in-app clicking contest though soon, a card comes up in the app with a little description, a cutesy graphic, and a "Consent" "No Consent" box to click before you can get to the newsfeed.
Put another way, Facebook should not make the provision of a service (which technically should not require usage of data for other purposes i.e. marketing/advertising, ignoring any business model points) conditional upon providing consent for that other form of processing.
Bundling of consent means the consent is not freely given here because the user wants the service and so is less likely to refuse than if the consent decision was isolated from the provision of service.
It sure seems that way and I find it amazing. It has been known for a long time that the GDPR will come into effect in May. Maybe they thought they could lobby it away?
Can someone explain this as my understanding is that only EU residents are covered by GDPR. So EU based companies do not have to comply with GDPR for non EU residents.
So this change to the user terms seems to me to have nothing to do with GDPR. The EU privacy law cannot be applied to non EU residents.
Edit: Is further backed up by Recital 22 .
From what I can tell it does three things. Limits the secret data collection market to the government and bad actors, limits new companies by creating an additional artificial cost of entry through regulation, and sets up infrastructure to allow government to block any arbitrary site.
Edit: Another tool given to them is the potential to destroy any small business anywhere on the globe. Think about that.
Facebook is still going to legally operate out of Ireland to dodge taxes.