> Imagine the EU made a law requiring every country in the world follow their building codes whenever an EU citizen enters one of their buildings
You are reaching. I give you a better example: it does not matter where a building part is being produced, if it ends up in a building in Europe it needs to be up to the local building codes and to the regulations of the single market.
You think I am reaching, but the GDPR does act this way.
Let's say you're visiting the USA as an EU citizen and you get a pizza delivery from a local small pizza shop. They put your name and delivery address in their computer in an MS Access database that makes stickers, emails the delivery guy's Gmail account, and a person delivers a pizza to you.
They have no idea you're an EU citizen and they just put enough information into their computer that would violate the GDPR. They have no real way to comply unless they retrofit their computer system to some vendor that is GDPR compliant, if it even exists. Just deleting your info from the MS Access DB and asking the delivery guy to delete their emails isn't enough for the GDPR. And a computer system retrofit for most businesses might as well be like asking them to retrofit their building as far as costs go.
The end effect might be just outright banning all EU citizens from doing business with various places, because it's just not worth the hassle.
'Sorry you can't stay at our hotel, we are not GDPR compliant'
'Sorry we won't deliver to you, we are not GDPR compliant'
'Sorry you can't enroll in our classes, we are not GDPR compliant'
'Sorry we won't treat you at this hospital, we are not GDPR compliant'
'Sorry you can't get a bank account with us, we are not GDPR compliant' (Like a lot of EU banks with US citizens with FATCA)
You clearly don't know what you are talking about.
Article 3 clearly states that it applies to
> the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
> the monitoring of their behaviour as far as their behaviour takes place within the Union.
It does not apply to EU citizens while traveling outside of the EU. It applies when you are monitoring or offering goods or services to someone in the EU.
> Let's say you're visiting the USA as an EU citizen and you get a pizza delivery from a local small pizza shop
If that pizza store has no relation to the EU then there is no legal ground by which the GDPR could become relevant. There is no treaty which would establish some sort of leverage here.
//EDIT: which btw is unlike FATCA for which there actually are bilateral agreements.
You don't need a treaty to enforce the law, you just need a pizza shop owner who likes to vacation in Europe sometimes. You carry out the default judgement if they ever arrive in the EU. The GDPR explicitly has a very global scope because it is targeting companies in and out of the EU.
I wouldn't really have much of a problem with the GDPR if it had some small business and non-EU business exceptions. It doesn't, and regulators saying 'trust us, we won't prosecute the easy to prosecute!' makes most businesses uneasy.
> It doesn't, and regulators saying 'trust us, we won't prosecute the easy to prosecute!' makes most businesses uneasy.
Indeed.
Let's not forget that the EU and national governments have form when it comes to this sort of thing. The new EU VAT rules on digital sales a few years back were similarly overweight, and they really did result in a lot of microbusinesses either literally shutting down or just plain breaking the law.
A lot of slightly larger ones, my own included, went to considerable lengths to update systems to comply, but with hindsight would have simply declined custom from any (other) EU nation instead because the overheads were and continue to be excessive.
Those same rules really did also result in national tax authorities abusing their new-found powers to go after businesses in other countries within the EU, sometimes through their own incompetence rather than any legitimate grievance, resulting in some very scary threats being received by other small businesses.
It's tough to give much credit to arguments about regulators exhibiting common sense and moderation when the evidence of previous sweeping EU rule changes suggests we shouldn't count on that.
The law itself does not even put itself into scope. You either need a treaty (Article 3, paragraph 3) or the data subject or processing is in the union.
How is that different from, say, Dmitry Sklyarov, a Russian who broke a US law while living in Russia, who later went to the US for a convention and got arrested and thrown in jail?
That's how it should be. Sadly the EU is taking a very different approach of trying to set laws for the whole world based on very unclear (and definitely unprecedented) requirements. It's true that they will have no jurisdiction over the pizza guy - just until he comes to the EU or to an allied country. Another comment talks about how it's very likely that GDPR will be a requirement of trade deals.
Even then not. The territorial scope in Article 3 of the GDPR is not that far reaching. It applies to processors with an establishment in the EU, non-Union data processors who perform a service to data subjects in the Union, or the case of the pizza guy:
> 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
So unless there is a treaty that puts GDPR into scope, the pizza guy is fine.