You can decide not to allow EU citizens to use your service. However, the EU has a population of 508 million citizens. It's the largest population in the world after China and India. GDPR is a genuine attempt to balance the rights of data subjects against ever advancing technology. You'd be excluding yourself from one of the world's largest markets on the basis that you don't want to protect your customers' rights.
As I am interpreting the GDPR (IANAL) it is not about what you say, it is about if you have or have not users from EU.
See [0] specifically the phrase "It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location"
More or less; if you just happen to be accessible from the EU, but have otherwise no connection to the EU at all, you're probably not subject to the GDPR:
"In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. (..) the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention"
Sort of - you have to actually not cater to EU residents; simply saying so might not be sufficient, and (for an exaggerated example) a company implementing a signup screen that says "wink wink nudge nudge press quit if you're from the EU" while having 25% of their business income from EU credit cards would likely be treated not as compliance but as malicious evasion.
You have to avoid touching personal data of EU residents; various exceptions are understandable (e.g. people using some measures like VPN to circumvent some restriction), but in general if you do somehow happen to have a sizeable amount of such data, then obviously you're "catering to EU residents" in some way no matter what you claim.
“25% of their business income from EU credit cards..”
Where did that 25% come from? Did you just make that up? My point is that some arbitrary EU regulator is going to tell a US based company (or Chinese, Russian, Canadian, etc.) who that non-EU company is catering to? Under what jurisdiction does this happen? Where does a company representative show up to defend their case? They get to fly to Brussels? How does due process work? How does the EU learn about the percentage of credit card transactions? We’re going to expand their powers to track credit card transactions of individuals? No privacy concerns there, right? We are going to support increased privacy violation to protect people from privacy violations? You trust your government that much? Given the history of many European countries, it would seem quite dangerous to give countries more surveillance power.
I am all for increased data hygiene for sure, but the EU has lost its fucking mind if they think they’re just going to be able to start telling non-EU companies what they can and can’t do when those companies aren’t even in the EU. The EU could start blocking websites, which would put it on the same level as China or Turkey. Did Pirate Bay ever get blocked in the EU despite enabling widespread copyright abuses? Is the EU finally going to draw the line here?
If someone from France calls my US phone number — they are coming into my house. It isn’t like I am showing up at their house forcing them to buy my product. If I am a US company and I refuse to do business with an EU citizen — now we have national origin discrimination, which is illegal in the EU.
My SaaS product is subject to US HIPAA and the HITECH Act, which directly conflict with this European law. I am required to maintain detailed access logs for 7 years, but to do that, now I have to violate an EU law. We have EU patients who see US medical professionals. So now we are in a hell of a pickle. We have to violate HIPAA to follow the EU. Interestingly, HIPAA is actually stricter around privacy than the EU law — except there are still conflicts, especially around audit logs and data retention.
Additionally, to avoid servicing EU customers, a Canadian company would have to violate the EU national origin discrimination law? Or they’d otherwise be forced to conform their systems to a framework to which they had zero representation in creating? Who represented the Canadian companies when this law was being written by the EU? Because if the EU is going to imply that Canada is subject to said law, then Canada ought to have had a voice in its creation right?
The people who supported and created this law — let’s not pretend this is about privacy. This is about creating trade barriers. The recent obsession of the EU with US tech companies is further proof that there is a clear bias, or perhaps an inferiority complex, from the EU. France especially... they’re actually going after Apple because of the iOS and Mac App Store, but they don’t do a damned thing when (Dutch-based) Booking.com takes high percentages of hotel/lodging bookings, including keeping customer data. Basically Booking.com is just like an App Store for hotels — hotels agree to a percentage of revenues for the marketing benefit of being in the Booking “store.” But France doesn’t sue Booking.com for that. But they sue Apple on behalf of French developers? Booking.com also prohibits lower pricing being offered to other distribution channels. But the EU or France isn’t trying to sue Booking.com for the high commissions they are suing Apple over.
Give me a fucking break. This law is nothing but a trade barrier wrapped in some feel-good packaging. Is the EU really going to fine BNP bank 5% of global revenues when BNP shares my banking data with telemarketers in their insurance division without my explicit permission or knowledge? Of course not. BNP is French.
I am all for increased data hygiene for sure, but the EU has lost its fucking mind if they think they’re just going to be able to start telling non-EU companies what they can and can’t do when those companies aren’t even in the EU.
Countries try to do this all the time; just ask Marc Emery.
The EU could start blocking websites
There are many other tools besides blocking websites, unless your site is purely a source of information, in which case the EU is unlikely to care.
Most likely, they'll try to prevent any business such companies have in the EU (e.g. telling payment providers to cut them off).
It isn’t like I am showing up at their house forcing them to buy my product. If I am a US company and I refuse to do business with an EU citizen — now we have national origin discrimination, which is illegal in the EU.
The GDPR is not based on nationality or citizenship, but on location. If an EU citizen is in the US, the GDPR doesn't apply.
the EU or France isn’t trying to sue Booking.com for high commissions they are suing Apple over.
Booking.com is under investigation by French and other EU anti-trust regulators, and had to make concessions preventing them from over-controlling hotels[1]. It was also explicitly mentioned as one of the companies whose market dominance could put "the whole European economy at risk"[2].
"We have to violate HIPAA to follow the EU." is strictly not true; a legal requirement is a valid basis (user consent is just one of the possible bases) that allows you to store and process private data.
A colleague (not a direct colleague) was fined because he, while executing his normal responsibilities, accidentally broke a German customs rule. He's not German, nor located in Germany. German customs fined him at his private residence. He performed this work on behalf of the company. German customs didn't care; they figured out where he currently lives and sent the fine to him personally (his name is on it). So he's basically liable according to German customs.
If you do business with the EU then you have to follow certain laws.