Where they are based doesn't matter. If they are collecting revenues (taking payments) from EU clients, it applies. That includes generating ad revenues from EU based eyeballs.
When it comes to on-ad-generating, free websites, it remains to be seen how bold EU regulators get. It'll be hard to penalize or prosecute such websites, and there are enough violations in the fat cats anyway, so I'm guessing those free websites will get a free pass for now (pun intended).
> That includes generating ad revenues from EU based eyeballs.
That would be fairly hard to enforce against a company that doesn't have a physical or legal presence in the EU.
In general, I'm disturbed by governments trying to enforce laws beyond their border just because their citizens are somehow involved by sending information over the internet. In some fields, it's a legal minefield just to comply with the rules of one country, much less several. This won't be a major difficulty for big players with high-paid lawyers and compliance departments, but it could easily kill startups, some before they're even launched.
> In general, I'm disturbed by governments trying to enforce laws beyond their border just because their citizens are somehow involved by sending information over the internet.
Isn't it simple enough to geoblock areas if European customers are somehow too hard to serve?
> In some fields, it's a legal minefield just to comply with the rules of one country, much less several. This won't be a major difficulty for big players with high-paid lawyers and compliance departments, but it could easily kill startups, some before they're even launched.
As the topic is GDPR: a privacy first approach is not rocket science. I'm sure any startup with even the remotest chance of success can follow the basic principles without undue complications.
While I agree that startups should be respectful of privacy, that doesn't change the principle at work here. Allowing countries to enforce laws against companies that don't have a physical or legal presence within their borders is a dangerous mechanism. Introducing a dangerous mechanism to enforce a good policy will result in that mechanism being used for a bad policy later on.
When you operate a business somewhere, you have to observe the laws of the place you do business in. It does not matter where you are based.
How someone gets a hold of you to enforce any action against you is a different matter. But Emirates kind of needs to come to the EU sometimes to do its business there.
If they sell to EU customers, then yes, they have to abide by the EU privacy regulations. Alternatively, they can set up a website just for EU customers or stop serving them altogether.
I can only hope for the EU that their economic incentive remains strong enough to prevent foreign companies from totally pulling out, resulting in the EU market becoming bleaker and bleaker. And it's not even the current companies that I worry most about - they often have already invested too much to withdraw because of this - it's the new companies that may flat out refuse to enter the EU market.
The GDPR is yet another regulation that adds a lot of liability with the risk of huge fines for a foreign company. And while no regulation in itself is ever going to be enough of reason, it's the plethora of regulations that is, and the more it grows, the more companies will feel it reached the tipping point for them, which may result in either withdrawal or refusal to serve the EU market. If this proves true, EU citizens should expect to see a lot more of "We're sorry, this service is not available in your country" messages. And it's already pretty bad from what I've heard.
Note: I'm not saying Emirates will pull out because of this, they won't. I'm also NOT against the GDPR and I totally understand the need, I just wish it would be regulated on a more universal level. Same with copyright regulations.
> Note: I'm not saying Emirates will pull out because of this, they won't. I'm also NOT against the GDPR and I totally understand the need, I just wish it would be regulated on a more universal level. Same with copyright regulations.
What could be a more universal level than EU that could actually enforce something like GDPR? US is rather anti-privacy these days, which I found interesting as they are extremely individualistic at the same time. The only even remotely suitable body is WTO, and that won't happen.
Right, it's a universal regulation that applies to about 6% of the world population. But you make a good point, it is very hard to regulate this on a higher level. I'm just saying that the EU shouldn't expect every foreign company to accept and play by their rules, especially if it's only relevant to a fraction of their customers. What this may lead to is companies refusing to serve the EU and EU residents forced to resort to shady VPN companies to access their services - as they already do to circumvent copyright regulations - eventually resulting in less privacy and loss of VAT and other revenue for the EU.
Again, I do not want to paint an overly bleak picture - and I do support regulations like this one - but my feeling is that, due to the lack of a universal solution, this GDPR won't have a better fate than the current copyright regulations: beneficial for some, but at the cost of more internet fragmentation and discrimination. It's almost like lawmakers consistently forget that the internet doesn't stop at borders.
The preamble of the GDPR states that it regulates the fundamental right to privacy, not the human right to privacy. The human right to privacy is much lower level than the fundamental right to privacy.
To repeat myself: I'm [also] NOT against the GDPR and I totally understand the need, I just wish it would be regulated on a more universal level.
As far as I understand, Emirates is risking big fines if they they don't fix this by May 25.