How can the EU encumber a US-based company with no European presence without a treaty enabling that authority? Any country can pass a law, but that doesn't make it enforceable in regions outside of their jurisdiction.
Well.... here's the thing...
The law applies to any provider of services to European citizens. It doesn't matter where it happens to be based. The fact that it is providing services to EU citizens means it is subject to those laws.
It's not really a radical position. If I buy goods from a US retailer... then although I am not a US citizen, I may have to pay US sales tax. Libel law is tricky as well... but if I libel a US citizen on here, even though I have never set foot in the States, someone could sue me under US law (or vice-versa, I could sue under UK law, or even Australian law where neither party has been, if the post causes them reputation damage in Australia).
And before any US citizens get all high and mighty about the fact that the USA would NEVER do such a thing... they already have, with the CLOUD Act that was passed earlier this year, which means the USA claims the right to access data held internationally on servers outside the USA (if the company involved provides services for US citizens). the
https://blogs.microsoft.com/datalaw...ifying-lawful-overseas-use-of-data-cloud-act/
Now... as to whether these are enforceable... I'm not a lawyer... However, the penalties involved under the GDPR mean that there are significant amounts of money involved. And the USA is very clear that it will drag anyone through the US court system to uphold the CLOUD Act.
The GDPR bit though seems to be all about good practice... I'm deliberately not going to tell you how to run AF (that would be out of place), but speaking purely about a 'hypothetical web forum', it seems easy enough to comply with, by embracing the values that we'd all hope our forum has.
- Any data collected must be with the informed consent of the person it's being collected from... Simply having massive pages of T&Cs may not be sufficient... it needs to be clear and understandable what the user is consenting to.
- Data collected for a purpose (such as running a forum etc...) should be for that purpose only. If you're running some sort of data processing system behind it that tracks my every waking minute and sells that information on to advertisers without me knowing and agreeing to that, that isn't cool under the GDPR.
- Information shouldn't be kept longer than required... so whilst forum posts can stay up forever, there's no need to retain server log files indefinitely (beyond the need to diagnose problems with the site, and mine them for information from say 10 years ago).
- If you store information about me, then I have the right to see it if I ask to... which is pretty easy for the web forum here... and if there is hidden information behind the scenes that isn't publicly available, then I get to see that as well if requested.
- I am allowed to withdraw my consent if I choose... at which point I can ask you to delete information about me... which would mean that you may have to anonymize certain things held, including usernames of ex-members... which could be done with a script in the background.
- If someone doesn't want to supply services to EU citizens, and decides to lock them out, to prevent any need to interact with the GDPR, then that is an option as well. (In which case goodbye and thanks for all the fish.)
- You're supposed to keep information safe, and if you have a data breach report it...
- You should have someone who is responsible for the above.
These rights give some power to the people... and seem to be in support of the values that I think most people would agree with. They are very much "we the people" rights, as opposed to the governments/corporations taking them away from us.
With all the stories of "big data" removing our freedoms and privacy, this is a bit of good news.
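The three practical points in the list above (a subject-access export, anonymizing an ex-member's username "with a script in the background", and not keeping server logs indefinitely) as an added Python example; this is not code from the post or from any forum software, and the posts, log lines, field names and 30-day retention window are constructed for illustration:

```python
import re
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample data: forum posts and Apache-style access log lines.
POSTS = [
    {"id": 1, "author": "alice", "body": "Welcome aboard, @bob!"},
    {"id": 2, "author": "bob", "body": "Thanks, glad to be here."},
    {"id": 3, "author": "carol", "body": "Has @bob seen the new thread?"},
]
LOGS = [
    '203.0.113.7 - bob [01/Mar/2018:10:00:00 +0000] "GET /thread/1 HTTP/1.1" 200',
    '203.0.113.9 - alice [20/May/2018:09:30:00 +0000] "GET /thread/2 HTTP/1.1" 200',
]
LOG_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)  # constructed "today" for the sample

def erase_member(posts, username):
    """Withdrawal of consent: replace the member's name with a random, non-reversible
    handle on their posts and in @mentions, so threads stay readable. Free-text
    references to the name are not caught here and still need a manual review."""
    handle = f"former_member_{secrets.token_hex(4)}"
    mention = re.compile(rf"@{re.escape(username)}\b")
    out = []
    for p in posts:
        p = dict(p)  # never mutate the caller's records in place
        if p["author"] == username:
            p["author"] = handle
        p["body"] = mention.sub("@" + handle, p["body"])
        out.append(p)
    return out

def subject_access_export(posts, logs, username):
    """Right of access: everything held that is keyed to this member, including the
    server-side log lines that are not visible on the public forum."""
    return {
        "posts": [p for p in posts if p["author"] == username],
        "log_lines": [l for l in logs if f" - {username} [" in l],
    }

def prune_logs(logs, now, retention_days):
    """Retention: keep only log lines younger than the window."""
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in logs:
        m = LOG_TS.search(line)
        # lines with no parseable timestamp are dropped too: their age is unknowable
        if m and datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") >= cutoff:
            kept.append(line)
    return kept
```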