Goodbye FLoC, hello Topics
Goodbye FLoC, hello Topics
Posted Jan 29, 2022 10:13 UTC (Sat) by farnz (subscriber, #17727)In reply to: Goodbye FLoC, hello Topics by pabs
Parent article: Goodbye FLoC, hello Topics
Yes, it does. It's the fact that the data subject is EU-resident that counts from the law's point of view. Which is a separate matter to enforcing it, as it's very hard to enforce against an entity with no EU links at all.
Effectively, though, the EU is saying that if you're big enough to have EU links, GDPR applies to you whether you take efforts to avoid coming under its banner or not.
Posted Jan 29, 2022 16:46 UTC (Sat)
by khim (subscriber, #9252)
[Link] (8 responses)
Have this been actually tested in court? EU may say anything it wants, but the idea that someone who lives in the other country and does reasonable effort to never fall under jurisdiction of some foreign law yet, somehow, becomes bound by it, sounds very suspicious. Not even Russia (who tries to make sure large internet companies have physical presence in the country) have ever tried to say that someone, who is not, legally, works in Russia should follow Russian laws. Heck, even China doesn't try to force Google to censor content on Google.com (and yes, Google have pretty significant presence in China because otherwise it's very hard to produce electronic devices in modern world).
Posted Jan 29, 2022 21:06 UTC (Sat)
by farnz (subscriber, #17727)
[Link] (7 responses)
Not yet, but there's no reason to think that the EU won't apply GDPR the way it says it would. The rationale is that reasonable effort to not process the data of EU residents and citizens outside the terms of the GDPR is to always comply with the spirit of GDPR restrictions, not to try to ban EU residents and citizens from accessing your data.
More generally, the EU is quite keen on the idea that there should be no route that allows an EU entity to do an end run around the GDPR by somehow importing EU residents data from outside the EU; that means that if you don't comply with the GDPR requirements, then you need your data pile to be poisonous to EU entities, including others in the same group as you.
This is directly targeted at big tech like Google and Facebook - those companies can't be allowed to play tricks that allow them to say "welp, our bad, EU and US data got intermingled, so we breached GDPR. But don't worry, we made reasonable efforts not to fall under EU jurisdiction, so it's OK".
Posted Jan 30, 2022 15:34 UTC (Sun)
by khim (subscriber, #9252)
[Link] (6 responses)
No, it's not reasonable. If some group of people forget about what country borders are and how law works then it's not a good idea to try to placate them, usually it's cheaper to ensure you don't need to deal with them. Only if you are already deeply involved with them it may be too costly to block them and pretend they don't exist. Note: I'm not talking about specifics of GDPR here. The mere fact that it, supposedly, applies to entities beyond the EU border when they are dealing with people who are outside of EU border is deeply troubling and worthy of fighting against. Then why do they write a law in a way that mom-n-pop shop somewhere in Bangladesh have to, formally, deal with law of foreign country which they may not even know exist? I have come to be accustomed to Russian lawmakers to be crazy but their latest invention sounds much more logical and clearly says: if you large enough and have enough customers in Russia mainland you have to deal with our rules (and if you have 500000 visitors daily in Russia then you are definitely large enough to afford office there), if you are someone small or foreign (and don't deal with lots of Russian citizens already) — we don't care. There's centuries-old saying: however strict Russia's laws may be, their full power is reduced because they rarely are fully enforced. While European countries always tried to think about how laws can be executed once written. And it just starts looking to me that Europe and Russia have swapped approaches to laws! This is madness!
Posted Jan 31, 2022 9:45 UTC (Mon)
by taladar (subscriber, #68407)
[Link] (5 responses)
If anything the US approach of applying their laws abroad in all kinds of cases that do not even remotely relate to protecting their citizens is an issue, not the EU one.
Posted Jan 31, 2022 12:47 UTC (Mon)
by khim (subscriber, #9252)
[Link] (4 responses)
Sure, countries have spent resources to protect their citizens when possible. But that's significantly different from saying that laws of your country, somehow, should affect people in the other countries without these countries signing any agreements with you. Even embassies or military bases impose foreign rules on their own soil, not around the whole country where they reside. What's the difference? In both cases one country claim it's laws are extraterritorial and trump the laws of the other countries without there being an additional agreements to provide that extraterritoriality. The only difference I see if that US is willing to use force to support that interpretation and EU only tries to impose it when it have the opportunity to do so on their own territory, but the idea is the same.
Posted Jan 31, 2022 16:58 UTC (Mon)
by kleptog (subscriber, #1183)
[Link] (3 responses)
This happens all the time though. You don't need to interact with a country to be affected by their laws, you just need to interact with a person from that country. That's one of the things of the internet, it makes cross-border issues very common.
(BTW, "affect" is a very board term that can mean almost any kind of interaction)
The issue here revolves around the concept of "ownership". If I, by the laws of my country, legally own a widget X, then if I go to another country then they will generally accept that I own that widget, even if that country has never has any relations with my country. There are formal legal frameworks to give this effect, but even without these the concept of ownership is fairly universal.
When we created copyrights and patent we decided that people could own them. And in countries that didn't recognise said copyrights/patents they weren't bound per se, but there were plenty of tactics deployed, like import blockades, fining local subsidiaries, tariffs, seizing assets, etc to encourage said countries to recognise the existence of copyrights/patents and their ownerships and associated rights.
Now we're on to the next stage where some places in the world (the EU particularly) have decided that people own their personal data and have rights regarding them. The US in particular doesn't believe this and think people and especially large tech businesses have the right to do whatever they like with other people's personal data. As such we will see such tactics as import blockades, fining local subsidiaries, tariffs, seizing assets, etc to encourage said countries to respect the rights of the owners of their personal data.
The interesting thing is that people in the US are waking up to the idea that companies in China can also collect data on US citizens and process that however they like. Now the shoe is on the other foot they worry whether maybe they should prevent that, but unless you actually start with the idea that people have rights over their personal data, it's hard to argue China is doing anything wrong.
So back to the mom and pop shop in Bangladesh, if they do a transaction with an EU citizen that involves the transfer of personal data then they can choose (knowingly or otherwise) to not respect that user's rights and there may be consequences of that.
Posted Jan 31, 2022 17:54 UTC (Mon)
by khim (subscriber, #9252)
[Link] (2 responses)
Nope. Here's Russian version. Foreign citizens enjoy rights in the Russian Federation and bear obligations on an equal footing with citizens of the Russian Federation, with the exception of cases provided for by federal law. You may talk about GDPR or US law or anything like that as much as you want, court would just declare all these papers irrelevant and would ask you when and how agreement between Russia and your country was made and when federal law was changed to accommodate it. Yes, Internet made is possible to interact with someone who haven't left their own country. This creates collisions. What consequences? Bangladesh would ask EU citizens not to visit them? This is already happening, albeit under different pretext. Yes. And they, unilaterally, decided that the other countries wouldn't do anything about their wishes and desires but would just blindly accept them. They would, but blind acceptance is not in the cards. Nope. Not even close. Yes, EU may have started all that with the good intent. But… the road to hell is paved with good intentions. Other countries took note… and started preparing counter-measures. In particular Russia demands that information about Russian citizens is processed in Russia — and wouldn't care one jot if it would contradicts the GDPR. No. You may declare it illegal to collect personal data of US citizens abroad. Not say that citizens have certain rights over their data but that US have jurisdictions over them. China may agree to that. Move physical borders between countries into the virtual space, Internet. Rights of certain individual citizens? Nope. Never seen such an inclination in China authorities before, don't think they would start doing that now. And even if some agreements would be reached and GDPR would become law in Russia — this would happen not because EU said so, but because Russia would adopt it into “federal law”. Which, frankly, sounds less and less likely with each passing year.
Posted Feb 1, 2022 14:00 UTC (Tue)
by kleptog (subscriber, #1183)
[Link] (1 responses)
Clearly there's some miscommunication going on here, because I don't see the relation. The GDPR doesn't apply to the data of Russian citizens, so what's the relevance?
How can it contradict the GDPR since it doesn't apply to the data of Russian citizens in Russia?
Then you need to get up to speed (this entered into force 3 months ago):
The PIPL establishes the mechanism of personal information protection in China and it is modelled, in part, on the GDPR. It introduces several important concepts, such as personal information, sensitive personal information, and processing. It explicitly stipulates its exterritorial jurisdiction, and provides the traditional elements for data protection, such as principles of personal information processing, consent and non-consent grounds for processing, cross-border transfer mechanisms and rights of data subjects. At the time of writing this note, some provisions are still waiting for implementing rules to provide clarification.
The right of privacy and personal information would be categorised as a personality right, which provides a legal remedy from the perspective of Torts in cases of infringement of privacy and/or personal information. Furthermore, privacy is defined by law for the first time, which refers to the private peaceful life of a natural person and the private space, private activities, and private information that a natural person does not wish to be known by others.
Of course, being China it's surrounded by certifications and a lot of other top-down bureaucracy that the GDPR doesn't have, but many of the basics are similar.
Posted Feb 1, 2022 14:22 UTC (Tue)
by khim (subscriber, #9252)
[Link]
Huh? We are discussing that one:
You don't need to interact with a country to be affected by their laws, you just need to interact with a person from that country. We are not talking about Russian citizens, but about foreigners who are, miraculously, according to you, entitled for what GDPR promises even if they are in Russia. But Russian law is extremely clear: when you are on Russia soil you may forget about your country laws which say something. Either there are Russian which gives you some rights or you have no rights at all. Which means that if you ban the EU citizens on your website you can safely ignore GDPR: EU citizens which interact with you legally can not bring it in the court and the ones who used VPN to pretend they are on Russian soil are very unlikely to be taken seriously by the court. Yes, GDPR have opened the Pandorra box. Now every country claims that their own law are exterritorial and apply to the whole world… but can they actually enforce that? When other countries (like Russia and China itself) explicitly refuse to accept that exterritoriality? I think that it would take 5-10 years before we would reach the final outcome, but I don't think it would be the ability of EU to enforce GDPR in all countries around the world and the ability of China to enforce PIPL around the world. More likely outcome is separation of the world into regions with clearly outlined borders and where mon-n-pop shop in Bangladesh would continue to blissfully ignore GDPR (but may be tied by PIPL depending on where the line between regions fall). IOW: I don't see the trend moving into the direction of more respect for people privacy. I would expect more and more geographic bans instead.
> Effectively, though, the EU is saying that if you're big enough to have EU links, GDPR applies to you whether you take efforts to avoid coming under its banner or not.
Goodbye FLoC, hello Topics
Goodbye FLoC, hello Topics
> The rationale is that reasonable effort to not process the data of EU residents and citizens outside the terms of the GDPR is to always comply with the spirit of GDPR restrictions, not to try to ban EU residents and citizens from accessing your data.
Goodbye FLoC, hello Topics
Goodbye FLoC, hello Topics
Goodbye FLoC, hello Topics
Goodbye FLoC, hello Topics
> You don't need to interact with a country to be affected by their laws, you just need to interact with a person from that country.
Goodbye FLoC, hello Topics
Goodbye FLoC, hello Topics
You don't need to interact with a country to be affected by their laws, you just need to interact with a person from that country.
Nope. Here's Russian version.
Foreign citizens enjoy rights in the Russian Federation and bear obligations on an equal footing with citizens of the Russian Federation, with the exception of cases provided for by federal law.
In particular Russia demands that information about Russian citizens is processed in Russia — and wouldn't care one jot if it would contradicts the GDPR.
Rights of certain individual citizens? Nope. Never seen such an inclination in China authorities before, don't think they would start doing that now.
> The GDPR doesn't apply to the data of Russian citizens, so what's the relevance?
Goodbye FLoC, hello Topics