Given the pressure by the EU and China on US companies to enforce local laws globally (GDPR, RTBF, Taiwan), I don't see how Github, operating in the US, as a US company, has any chance absolving itself of enforcing US laws and regulations (though in this specific case they appear to have overreacted, likely due to regulatory enforcement via algorithm and not common sense).
If you expect US companies to respect GDPR and cookie banners and the right to be forgotten, globally; you cannot be surprised that they will respect and enforce US law globally as well.
"If you expect US companies to respect GDPR and cookie banners and the right to be forgotten, globally; you cannot be surprised that they will respect and enforce US law globally as well."
I don't expect any US entity to "respect" GDPR. Unless they are expecting to trade in the EU. If you trade in the EU, and violate EU law, then you can expect to be fined - wherever you choose to locate your HQ.
Incidentally, GDPR is pretty badly flawed. The intrusive cookie popups are an egregious example of unintended consequences - those popups are actually attacking privacy.
EU is not forcing American companies to enforce their laws for third party companies operating on non-EU market. Also, American company does not have to follow GDPR for Iranian customers.
EU wants American companies to follow GDPR when acting in EU market.
I'm in the U.S. and I still have to click all those super annoying "Accept using a cookie" popups everywhere. So that EU law certainly does affect me a U.S. citizen interacting with U.S. companies.
The only ones you have to blame for that, are the companies to show you those annoying popups. They have no obligation whatsoever to show that to anyone outside the EU.
Start complaining to those companies and stop pointing your finger in the wrong direction.
To nitpick, while for non-EU companies GDPR applies to individuals in EU (and their data) as per GDPR article 3.2, any EU companies have to apply this for all personal data as per GDPR article 3.1.
So while foreign companies can decide whether they want to apply their GDPR policies (which generally should not require "cookie banners", though it is a popular choice) only to people in EU or all their users, an EU company does not have a choice, they have the obligation to treat personal data of Americans and Iranians and everyone else in a GDPR-appropriate manner.
Keep that in mind the next time you encounter a US based newspaper that puts up a GDPR error page instead of serving the news article you requested. The EU asserts it can penalize a US based company a percentage of its worldwide revenue (not EU derived revenue) for GDPR violations.
I'm not saying it's right, I am saying that these are the logical, practical responses to the way different jurisdictions expect their laws and regulations to be honored, respected, and applied.
"The EU asserts it can penalize a US based company" ...
Well, of course it can, if the company violates EU law inside the EU. Do you think US law trumps [sic] national law globally? If a US company doesn't want to comply with GDPR, it is free to cease trading in the EU, or cough-up the fines.
I think you may have either misunderstood me, or maybe have gotten the logic backwards.
I'm not saying that US companies should not enforce US law. I think they should. That is: strictly within the US market.
When they operate outside the US market, they have to (also) adhere to whatever law exists for that market. If that creates a conflict, the company has a choice to either open up show elsewhere, outside of US jurisdiction (if that's the only way to comply with local market rules), or stay in the US and leave the foreign market alone.
Either way, being a US company should never be a valid excuse to violate laws (and/or legal protections) somewhere abroad.
It ultimately is up to a company to choose what they do and where they do it. To me, the current status quo appears to be that many US companies have been (illegally) enforcing US laws outside of US jurisdiction. Aside from that, and maybe even on a far worse level, they have been essentially been making up de facto "private laws", in their TOP/EULA "contracts".
Last time I checked, law should be left to governments. Preferable through democratic due process. Certainly not to commercial companies, who are either privately owned, or publicly by a select few rather undemocratic entities.
My shorter version: Precedent in the US is that the US views its jurisdiction over US citizens and corporations as global. If I as a US citizen step over the border to your country and bribe an official of your country in order to gain a commercial contract, I can (and probably, though not definitely) will be prosecuted for breaking US law, regardless of whether or not bribery is perfectly legal in your country. Same for corporations: if the act is prohibited in the US, the US Government generally does not distinguish between whether the act occurred in the US or not.
This is not new. The Internet exacerbates the potential for conflicts, but it’s not a new problem with the rise of the Internet.
The US government should do whatever it sees fit for its subjects. That's not the issue.
The issue is that a US company should also be held accountable for whatever they violates abroad. Not by the US government, of course. But by the authorities of whatever foreign market they operate on (the only authority with jurisdiction anyways).
While the tide is gradually changing, so far a substantial part of the problem is that the US government has quite a few nasty ways to shield US companies from being seriously held accountable abroad. Still, the longer that reality exists, the more inevitable it will become that at some point US companies will simply be barred altogether from (some) foreign markets. You can only abuse a dominant position for so long, before the receiving end will no longer put up with it. That is, of course, when (or as soon as) they have the luxury of choice in the matter.
It’s been my personal experience that the US government does not distinguish between a US company offering products and services in the US and a US company offering those products and services outside the US. Even foreign subsidiaries are held accountable to US laws and regulations if the US parent has sufficient control of the company.
Bigger companies get a little bit more leeway to negotiate with the US Federal government on this but if the US decides that something is illegal or prohibited, the Justice Department doesn't really care what country the prohibited activity occurred in, it'll walk the executive chain to pick people to prosecute.
The only way a company could complete avoid this scenario is if it licensed its product or service to an independent entity outside the US. And even then the DOJ would likely attempt to force the termination of the license agreement if it results in a product or service being offered in a prohibited jurisdiction.
None of this is new, or due to Trump, or even partisan.
You are correct, on each and every count. However, none of that is related to what I tried to highlight.
Sure, the US is (rightfully so) subjecting every company within its jurisdiction to US law, no matter on which market they operate. Sometimes they go even further and say non-US companies can be held liable, when they somehow interact with the USA or its citizens. That can sometimes become a bit dicey with jurisdictions, but even that is not the point here.
The point is that a US-based company is operating on a market outside the US and (most likely) is operating in a way that is within the law of that market.
To put bluntly: I don't give a #### about how the US treats companies on their territory, regardless where those operate. I care about US-based companies abiding to law wherever they do business. If they can not do that, they should cease to operate there. Whether it's the US government or something else that is to blame for the situation is irrelevant.
If you expect US companies to respect GDPR and cookie banners and the right to be forgotten, globally; you cannot be surprised that they will respect and enforce US law globally as well.