Comment by hartator
21 hours ago
Contradictory regulations are one of the symptoms of overregulation.
I.e., complying with GDPR means you can’t comply with cybersecurity laws.
The US has fewer of those.
How exactly does GDPR prevent you from complying with cybersecurity laws?
For instance, one of GDPR's 6 lawful bases for processing data is in order to comply with legal obligations.
If you're going to make strong claims like that, the onus really is on you to give specific examples.
I wonder if the GP is referring to the CLOUD Act, as it is true that US companies cannot be compliant with both the GDPR and the CLOUD Act, but it doesn't weaken the case for European tech sovereignty.
Sounds like a broad blanket statement, have any specifics about this?
GDPR and cybersecurity laws are designed to be compatible, not mutually exclusive, but I'm sure there are edge-cases. Still, what exact situation did you find yourself in here in order to believe they're mutually exclusive?
All US companies selling to European customers have to comply with GDPR. European companies selling only to non-European customers don’t have to comply with GDPR. It’s all about who your users are. Not where your company is registered.
> European companies selling only to non-European customers don’t have to comply with GDPR.
Usually they do. A European company processing personal data of non-EU customers falls within Article 3(1): "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."
Of course, if they do not process any personal data then it wouldn't apply, but that's pretty unlikely (and if that was the case the EU customers' data wouldn't fall within GDPR either).
I think what OP means is that a US company cannot simultaneously comply with the CLOUD Act and the GDPR. That case has also been made by some courts in the EU, that US law and practice are incompatible with the requirements of the GDPR. US companies who claim to process data in accordance with the GDPR seem to be deceiving their customers. Maybe I'm wrong but it seems to me that companies in the EU who rely on US services, corporations in the US, and even governments themselves keep quiet about this unpleasant truth. It means that Microsoft Windows violates the GDPR, Google violates it, every US social network violates it, etc.
Of course, as someone else mentioned, that is not an argument against EU sovereignty but rather one of its motors.