EU law is world law


#1

Not sure if this is topic worthy but I couldn’t figure out where else to put it. I guess what has struck me is:

In 2016 both the UK and USA voted for the triumph of the nation state over supranational institutions, i.e. “America First” & “Brexit”.

In 2018 companies in the UK and USA without question changed the way they do business to comply with GDPR.

I haven’t seen a peep from the right or left about this being a political issue. I just find it odd, the default acceptance of EU law having primacy over the laws of the UK or USA.

For the record I think GDPR is a good thing, I think Brexit and Trump were and are terrible mistakes. But that’s kind of irrelevant to the larger issue of accepting EU laws without question. Anyone else find this interesting? Or am I projecting something silly?


#2

Americans are too dumb to know what GDPR is.


#3

I think it’s not a matter of “accepting EU laws without question” and more “let’s adapt to EU laws so we can still make business and sell stuff there”. Which, btw, is already done by private companies everywhere.


#4

That’s not the case though. Previously companies adopted EU laws WITHIN the EU. Same for the USA or UK or any country. In many cases here however companies are changing the way they do business in ALL countries to comply with GDPR.

From Imgur: “We’re updating our privacy policy in preparation for the EU’s General Data Protection Regulation (GDPR) later this month. Although these updates are sparked by European law, on Imgur, they will apply to everyone.”

Same for my mortgage company (which only does business in the USA and I won’t post them as I use my real name here), same for Itch, Marriott. I haven’t checked the others in my inbox yet.


#5

Nope. This is simply about the companies in question not willing to pay the costs of splitting the policies and procedures around data protection for its EU userbase. There is nothing stopping EU/US/ROW users being subject to different levels of protections, it’s just about costs.


#6

So companies in the USA and the UK are adopting European privacy laws to save money. Ok, I can buy that. Still I am surprised it’s not even raised an eyebrow amongst the trumpster, brexiter crowd. They usually are VERY hostile to any regulation from outside that country.


#7

Pretty much. It’s similar to California in the US. Most vehicles abide by their emissions laws and the like because it’s easier than making “California cars” that are different.

But it’s not like you see say, CA gun laws affecting Iowa or anything.


#8

Two good comparisons there. Hmm interesting.


#9

This breaks down for me for internet services, because if someone from the EU signs up for your service does that immediately mean you must comply with all EU laws and regulations, or do I need to start blocking EU users until I have a lawyer that tells me I’m not violating any EU laws for the x% of customers that may come from there?

The GDPR specifically requires companies to have a Data protection officer, and that DPO must be an EU entity and must not be a developer or other type of role like that. Small and mid sized companies are not exempt from this rule either. So for a company of 10-20 people in the US it gets kind of weird on how to accept EU customers, and if you decide to go all in on GDPR it becomes a real question of costs (and how much runway will get burned for it vs how much business you will gain in the next X months for it).

I’m a pro-regulation guy overall when it makes sense, but I really don’t like the far reaching consequences this has and I don’t believe it’s going to have the desired effect (unless the desired effect is to extract money from Facebook, Google, and other tech companies that are skirting on taxes).


#10

Exactly. It struck me as I was looking at the effort we are doing around GDPR at my current USA-based, Korean-owned company. It is not a trivial effort, but we are just doing it world wide seemingly because everyone else is. I dunno, just seems interesting the way it’s just become accepted as “well this is the way we do things world wide now”.


#11

It’s only “World” law because the US for the moment has LOL internet privacy laws and the UK is too tiny a market to be able to set that sort of law. And I’m sure the Chinese are totally going to follow GDPR. :D

Once the USA establishes some sort of non LOL internet privacy laws, something that’s incompatible with EU law, then companies will have to follow both or decide not to service one of the markets.


#12

Fair points.

Minor point but as an FYI the UK is not tiny, at least not in my line of business, it has the 5th largest games market in the world.


#13

From what I heard, this isn’t the first law of the kind, but the last one the EU passed had no teeth. This time around, there are huge potential fines for companies.


#14

You mention “LOL privacy laws” but I think this comes to a fundamental question, which is who owns data.

If I build all the systems and you enter information into my system, do you own the data or do I? If you enter someone else’s data in do you own the data, do I, or does the person the data is relevant to? If I enter the data in the act of conducting business as an employee of a company does the company own the data? If I still own the data does this mean I can force the company to remove all the data about me?

None of these are black and white despite what the GDPR is trying to say about it. Most of the privacy laws in the EU (and in GDPR) can be waved away by saying they are a legitimate part of the business or complying with a deletion request is too hard (yes this is allowed as long as you can justify it). The latter is the attitude FB and Google are taking and they have not changed their behavior over GDPR because their lawyers have (or think they have) found ways to get around it.

So it’s not black and white about who has the better laws imo.


#15

The fines are indeed massive and underline the nature of the law.

It’s 4% of your world wide revenue you have to pay if you are a company (EU or USA or wherever) that does not comply with GDPR. Up to a max of, I think, ~$25M*

That has teeth.

*legowarrior corrects me below.


#16

Let’s do a thought experiment. Suppose only China declares loot boxes illegal? What about just the USA? Just the EU? Or just the UK?

This is going to be different for each company, yadda yadda, but of these options which ones have the biggest chance at making loot boxes pretty much non existent world wide?

Is the UK market large? Sure. Still tiny by comparison to what it needs to be to impose that sort of rule. Many companies would just not do business in the UK.


#17

Good example. So far companies in the USA, UK and EU seem to be adopting Belgian law. I have no point here, just offering the most recent data.


#18

My LOL privacy laws is not in the sense of being better or worse, just easier to comply with. So, if I comply with GDPR I’m also complying with current US law.


#19

Actually, it’s far more. The penalty can max out at 4% of world wide earnings or $25 million, whichever is higher.

Now, from what I hear, the penalties will probably not be the max possible for the first couple of years as industry works this all out.


#20

Wow! Thanks, I was not aware of that.