Comment by dclusin

3 years ago

Suppose I run a website in the US and a user in Italy connects to it. Does this mean I’m now breaking the law serving them the website? My connection logs now have PII.

What if I use a CDN that has points of presence in Italy and still pings my server with a HEAD request and the end user IP?

Am I also now breaking Italian law by using Google Analytics?

> Does this mean I’m now breaking the law serving them the website?

As the article specifically states:

> The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.

So, unless you are collecting EU citizens' user data, transferring it to the US and have the capabilities to enrich such data through additional information you hold, no.

IIRC, it basically only applies if you're actively doing business in the EU, or courting future business.

So, if you have a personal blog that grabs IPs? Not illegal. If you start a merch shop for your blog (or put in ads/sponsored content, etc.), then the whole site needs to be GDPR compliant.

  • > If you start a merch shop for your blog (or put in ads/sponsored content, etc.), then the whole site needs to be GDPR compliant.

    And you do business in the EU. If you have a merch shop, but don't serve EU users (no EU shipping, not accepting EUR as a currency, no EU-specific languages (German, French...), ...) there is no problem.

    • That is not how law, jurisdiction or sovereignty works.

      If I run an export business from my own country, the only laws I need to comply with are the export laws of my own country. It's the duty of whoever is buying it on the other end to make sure they are allowed to import and possess the goods.

      The EU does not own the right to use languages. I can use German if I choose without ceding an inch of sovereignty to the EU.

      The EU does not control what data I collect when running my website. I might be required by my home jurisdiction to collect details on controlled export goods, and I might be required not to tell the user.

      The EU controls the Euro currency, but they cannot make it illegal for me to use it, or attach special conditions to its use. They could convince my own government to sanction me, or aid them in sanctioning me, but that would be my own government affecting me, not the EU.

      Your country's laws stop at its borders. Stop trying to control other people who have no say or vote in the laws. It's anti-democratic.