
When I open this website, I get a pop-up to agree to data collection. My only other option is "more information". If I click on that, I get the option to reduce the data collection to "necessary cookies". Once I set my preferences, it presents me with an obviously fake "processing request" screen, with a percentage number slowly going up. I can, of course, cancel at any time. At the end it tells me that I changed my preferences but some "partners" could not receive those changes because I'm using https.

I really hope the EU actually intends to prosecute those not in compliance with the GDPR.



> it presents me with an obviously fake "processing request" screen

You may argue about the (efficiency of the) implementation, but that processing screen isn't a fake; it sends out a large amount of HTTP requests to URLs like "cookie-policy?optout=1" and "optout" for various tracking parties. Those requests take exactly the amount of time the progress bar is indicating.

Don't lightheartedly call somebody or some party a liar before being sure of your case.


The point is that it is not GDPR-compliant. It must be explicit opt-in, not tracking by default, which you must then opt-out of.


Everyone may decide for themselves what 'the point' is, but I explicitly responded to the quote I included in my post.


I just reported them to the UK ICO.


They will if EU citizens report them.


Has nothing to do with citizenship, but residence.


Yeah. An enterprising ambulance-chasing lawyer could get temporary EU residency to get GDPR coverage, and cut some deals with whomever he cares to bully.


While an entertaining thought, in practice that would be ridiculous as that lawyer would then be subject to EU taxation which would negate any advantages for acquiring EU residence. That lawyer would then also be subject to US taxes as well since the US taxes worldwide income regardless of country of residence, while most EU countries tax income earned while a resident of that country. Despite tax treaties, some taxes, such as Social Charges in France, aren't covered by treaties, thus subjecting that lawyer to an entirely new world of pain in terms of taxes. Not to mention that if that lawyer were practicing law in the EU, he'd have to get credentialed in the EU or face arrest for the illegal practice of law.


You get to deduct your foreign taxes as a US citizen abroad. Otherwise no US citizen would ever live abroad.


Does it matter if the website doesn't have any physical presence in the EU?


It doesn't matter where you live or where the company is based... afaik, the determining factor is where the company stores data. In other words, if they have servers in the EU, they are bound by GDPR.


https://gdpr-info.eu/art-3-gdpr/

Basically, it covers companies with some legal entity in the EU.


As long as it serves content on EU territory, GDPR applies.


What is the sanction if you have no physical presence in Europe?


Absolutely nothing. They're not about to block some of the biggest sites around for failing to comply with GDPR. Can you imagine the backlash? No one wants a Great Firewall of the EU.

Anyone who thinks GDPR applies to companies operating entirely outside the EU is deluded at best.


No, this is completely incorrect.


No


How do I actually make a GDPR complaint? Like is there a .eu website with a form for it?


AFAICT you file it with the relevant authorities in your country.

For example, if you live in the UK, you should contact the Information Commissioner's Office (ICO) according to [0].

[0]: https://www.entrust.org.uk/privacy/privacy-and-data-protecti...


How could EU law apply to a US publication? Would US law apply to EU publications? Is a representative from the EU going to show up in New York and serve Forbes a summons? I am genuinely curious how a US publication with no legal domicile in the EU has any obligation to follow EU laws.

If a California resident goes to an EU insurance website, will that EU company have to comply with California insurance advertising laws?

I think that there is a lot of wishful thinking about GDPR and a lot of ignorance on how jurisdiction works, especially internationally.

GDPR has no jurisdiction over companies without an EU domicile or physical presence. And EU citizens aren’t protected unless they are actually resident in the EU.


Actually, I'm going to stand corrected. While I stand behind the jurisdictional argument I've made per the Territorial Scope of GDPR (https://gdpr-info.eu/art-3-gdpr/) -- however, in this specific case, Forbes does, in fact have an EU operation -- many in fact, (https://www.forbes.cz) as an example.

However, the question might now be -- do visitors to the Czech site have to agree to the same conditions and tracking as do visitors to the US site. If they're doing the same shenanigans on their Czech site as they are in the US, then of course, they are potentially violating GDPR.

However, if the Czech site (as an EU example) IS following GDPR but the US site isn't, then there could be a strong case made that they aren't violating GDPR since the main Forbes site would clearly not be intended for EU consumption; GDPR, while applicable to the EU-side of the Forbes business, doesn't provide a blanket requirement for GDPR compliance across Forbes's non-EU properties.

As far as EU citizens vs. residents, that concept ought to be clear: an EU citizen doesn't have protection of EU laws when outside of the EU just as an American banking in France isn't protected by US banking laws. The passport of a complainant isn't relevant, but their physical location. An EU resident American who is visiting the US isn't protected by EU consumer protection laws for example, during a visit to the United States.


> As far as EU citizens vs. residents, that concept ought to be clear: an EU citizen doesn't have protection of EU laws when outside of the EU just as an American banking in France isn't protected by US banking laws. The passport of a complainant isn't relevant, but their physical location.

Yes, that's a common point of confusion, but it's completely correct: the GDPR applies to people in the Union, not to EU citizens everywhere (for non-EU companies, that is - an EU company has to apply the same protections for every user in the world).


> Would US law apply to EU publications?

Yes. For example, banks in the EU (or at least in France) have to report to the US financial organization if a US citizen opens a bank account here.


> How could EU law apply to a US publication?

Via business partners, treaties, subsidiaries, sister companies, and the restriction on the freedoms of individuals from those countries.

> Would US law apply to EU publications?

Yes, in exactly the same way. Whether one has to worry about it relates to the dependence of the two countries on each other and their relative military might.

> Is a representative from the EU going to show up in New York and serve Forbes a summons? I am genuinely curious how a US publication with no legal domicile in the EU has any obligation to follow EU laws.

Each relevant body in each EU state can act independently, and they would presumably serve them a warning in any European office first, but for a US only company they would likely employ a US legal firm to deliver the letter for them. However, it's unlikely to be a summons, more likely a request for information followed by the penalty that is going to be imposed - there will probably be some opportunity for mediation and it could be escalated to a court.

> If a California resident goes to an EU insurance website, will that EU company have to comply with California insurance advertising laws?

Depends on California's laws, but presuming the site was intentionally serving Californians then yes, it should, and would, be at risk of penalties in California.

> I think that there is a lot of wishful thinking about GDPR and a lot of ignorance on how jurisdiction works, especially internationally.

Undoubtedly

> GDPR has no jurisdiction over companies without an EU domicile or physical presence. And EU citizens aren’t protected unless they are actually resident in the EU.

The bodies that enforce the GDPR can recover their penalties by engaging any of many different legal apparatus, where they deem it appropriate (which will be rarely, if ever, as they have to convince other internal organisations to back them). It is harder, but by no means impossible, to recover money from abroad or to stop money transacting with a foreign entity.

Anyone present in the EU is 'protected', residence is not required.

---

Forbes media have offices in Paris, Milan, and London. They regularly engage in both high value financial transactions and on the ground reporting in the EU. If they were prevented from operating inside the EU it would cause them severe operational issues, and their place as an authority in Western media would disappear overnight.



