Mildly on topic: I recently moved to France from Canada, I'm not an EU citizen, and Google isn't really sure if I'm on vacation or if I've moved permanently.
Every single website now asks me about cookie settings. Most have a reject all button, but occasionally I have to manually uncheck some sliders to protect my data. Time well spent.
My parents back in Canada always think it's some voodoo magic when Facebook shows them ads about stuff they've recently been 'talking about' (AKA searching on Google). Duhhh. Thanks EU!
In the EU it is illegal to save unnecessary cookies without active consent. So the best you can do for your privacy is use uBlock Origin with a cookie banner list!
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
From what I understand, it doesn't really matter where or who you are, it's about whoever collects your data doing business in the EU. BUT ALSO if you are an EU citizen, it also applies to non-EU companies (someone correct me if I'm wrong)
In a practical sense, I can tell you that in mobile apps, some parts of GDPR are implemented based on phone language settings or, in the case of websites, the domain suffix of the page (.fr or .de, etc.). I'm guessing this is an interpretation of the section described here:
strong indications that a non-EU business is intentionally offering goods or services to data subjects in the EU and may therefore be subject to the GDPR:
Use of the language of an EU Member State (if the language is different than the language of the business’ home state);
Use of the currency of an EU Member State (if the currency is different than the currency of the business’ home state);
Use of a top-level domain name of an EU Member State;
Mentions of customers based in an EU Member State; or
Targeted advertising to consumers in an EU Member State.
Most people seem to be leaning toward just applying them to anyone, as that's the way things are headed, and once you've figured out how to do it technically it's easier to just do it all the same way. Also, the EU is doing its best to set precedent for a broad interpretation.
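As an added illustration of the two practical points raised in this thread (the comment above about deciding applicability from language and domain suffix, and the earlier one about non-essential cookies needing active consent), here is example code that is not from any commenter or any real product. It scores a request against the indicators quoted above (language, currency, top-level domain), supports both the "apply to everyone" policy the comment describes and an indicator-only policy, and gates non-essential cookies on recorded consent. The `RequestContext` fields, the indicator tables and the cookie purposes are all assumptions made for the example; the tables are trimmed and illustrative, not authoritative.

```python
from dataclasses import dataclass

# Indicator tables, constructed for this example (ISO codes); illustrative, not complete.
EU_MEMBER_TLDS = {"at", "be", "bg", "cy", "cz", "de", "dk", "ee", "es", "eu", "fi",
                  "fr", "gr", "hr", "hu", "ie", "it", "lt", "lu", "lv", "mt", "nl",
                  "pl", "pt", "ro", "se", "si", "sk"}
EU_CURRENCIES = {"EUR", "BGN", "CZK", "DKK", "HUF", "PLN", "RON", "SEK"}
EU_LANGUAGES = {"bg", "cs", "da", "de", "el", "en", "es", "et", "fi", "fr", "ga", "hr",
                "hu", "it", "lt", "lv", "mt", "nl", "pl", "pt", "ro", "sk", "sl", "sv"}

# Cookie purposes: only "essential" cookies are set without consent.
ESSENTIAL = "essential"


@dataclass
class RequestContext:
    host: str                  # Host header of the request, e.g. "shop.example.fr"
    accept_language: str       # Accept-Language header as sent by the client
    currency: str              # ISO 4217 code the page is priced in
    home_language: str = "en"  # the business's own language (hypothetical defaults)
    home_currency: str = "USD"


def parse_accept_language(header: str) -> list[str]:
    """Return primary language subtags ordered by q-weight, highest first."""
    weighted = []
    for position, part in enumerate(header.split(",")):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        q = 1.0  # RFC default when no q parameter is given
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # malformed weight: treat as "not acceptable"
        if q > 0:
            weighted.append((q, position, tag.strip().split("-")[0].lower()))
    weighted.sort(key=lambda t: (-t[0], t[1]))  # highest q first, header order as tie-break
    seen, ordered = set(), []
    for _, _, lang in weighted:
        if lang not in seen:
            seen.add(lang)
            ordered.append(lang)
    return ordered


def eu_indicators(ctx: RequestContext) -> list[str]:
    """Which of the quoted indicators fire for this request (language, currency, TLD)."""
    fired = []
    for lang in parse_accept_language(ctx.accept_language):
        # The language counts only if it differs from the business's own language.
        if lang in EU_LANGUAGES and lang != ctx.home_language.lower():
            fired.append(f"language:{lang}")
            break
    currency = ctx.currency.upper()
    if currency in EU_CURRENCIES and currency != ctx.home_currency.upper():
        fired.append(f"currency:{currency}")
    tld = ctx.host.rsplit(".", 1)[-1].lower()
    if tld in EU_MEMBER_TLDS:
        fired.append(f"tld:{tld}")
    return fired


def apply_eu_handling(ctx: RequestContext, policy: str = "everyone") -> bool:
    """'everyone': the uniform approach described in the thread.
    'indicators': apply EU handling only when at least one indicator fires."""
    if policy == "everyone":
        return True
    if policy == "indicators":
        return bool(eu_indicators(ctx))
    raise ValueError(f"unknown policy {policy!r}")


def cookies_to_set(requested: dict[str, str], consent: set[str], eu_handling: bool) -> list[str]:
    """requested maps cookie name -> purpose; returns the names that may be emitted.
    Under EU handling, a non-essential cookie needs its purpose in the consent set."""
    if not eu_handling:
        return list(requested)
    return [name for name, purpose in requested.items()
            if purpose == ESSENTIAL or purpose in consent]


if __name__ == "__main__":
    # Constructed sample requests.
    fr = RequestContext("shop.example.fr", "fr-FR,fr;q=0.9,en;q=0.5", "EUR")
    us = RequestContext("shop.example.com", "en-US,en;q=0.9", "USD")
    print(eu_indicators(fr), apply_eu_handling(fr, "indicators"))
    print(eu_indicators(us), apply_eu_handling(us, "indicators"))
    wanted = {"session": ESSENTIAL, "_ga": "analytics", "ad_id": "marketing"}
    print(cookies_to_set(wanted, {"analytics"}, apply_eu_handling(fr)))
```

Note that with the default "everyone" policy the indicator scoring never changes the outcome; it exists so that a deployment choosing the narrower policy still fails closed (no non-essential cookie) whenever any single indicator fires, and a request from someone who has moved but kept an English-language browser, as in the opening comment, is still caught by the currency and TLD checks.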
This is why the EU is sometimes called a regulatory super power. Because the market is so large and important, the rest of the world often adopts EU regulations. Whether it's GDPR or environmental standards, it's cheaper to make one EU compliant version of your product or part than different versions for different markets.
Not any other kind of super power though, we're far too busy squabbling amongst ourselves. Some still haven't learnt the lessons of the last two world wars.
only sort of correct: the GDPR applies globally (see this comment: https://jlai.lu/comment/4089576), however if you don’t ever plan on visiting or doing business in the EU it’s probably one of those things that people would ignore because it’d be too difficult/impossible for the EU to actually follow up on
off-topic but also the reason why people in the US need to use Tor to look up anything health related that isn't on Wikipedia, because the insane amount of data from tracking on the health websites hosted in the States is then sold to insurers, and hence these websites are often not available in the EU because they aren't GDPR-compliant. fucking dystopian
Legal advice given to me by an employer treated all citizens as eligible. Their advice tends to err on the side of caution at the best of times, but I have no reason to disagree that it's at the very least legally contentious even if not yet officially contested.
Tl;dr I wouldn't want to rely on it in court, whether everyone else is happy to risk that is whatever.
GDPR can only extend to their borders, the same that any country's laws extend to theirs. Why would you expect another country to honor your "home rules"?
It does. When GDPR was about to be put into effect, the company I worked for in Brazil sent a communication to all our clients saying that they needed to tell us if they were in Europe so we could process their claims (life insurance) with a third-party European partner, because the Brazilian office would not be able to comply with European regulations and the company was not even going to answer emails from clients located there. Eventually Brazil made its own data protection laws based on the European one and the company reopened contact with their clients located there.
Borders on the Internet get weird. Effectively, as quoted above, GDPR applies if you do business in the EU even if you aren't there. Things are murkier if you're not in the EU when the data gathering takes place and the operator is outside as well, though.