If this were the case then every country would have to enforce the Great Firewall of China, and every other country's internet related laws.
You're literally proving my point... If you don't comply with the Chinese law, they will block you countrywide. Same for Russia.
What I said was I would not be surprised if the EU started doing that to non-compliant sites in the future.
What if Russia decides any foreign website which is pro-LGBT rights is subject to a fine if a Russian reads it?
Again, I did not say anything about the fines affecting you in your home country. What I did say is that the EU has total right to do whatever they want within the EU about your website because you're effectively operating in the EU. If they want to fine you in the EU and make your life a total hell if you ever visit, they can.
And, again, in the future, I would not be surprised to see them cut off access to your website at the country level.
As far as Russia goes, we do block access to and cause drama with foreign sites. That's not new. We just don't fine you over it.
People will say by IP address. But, I am from the US and with 2 clicks of a mouse I can look like I'm in Germany. So, there went that idea.
With regards to Europeans using foreign proxies, it's all about best effort; many of the data agencies in EU member states have said this. If you make a best effort attempt, like blocking them by IP address and adding terms saying Europeans are banned, no one is realistically going to fine you.
As far as the American pretending to be European goes, personally, I just willingly offer American users the same privileges I am required to grant to Europeans. I don't know why you'd do anything else because you're just making it harder on yourself.
It's really not all that hard to take a deletion request from the couple of oddball Americans who try to pretend to be Europeans. You'd waste far more time vetting them than you would pressing the rename & delete button.
Again, assumptions. The main problem with GDPR is that it did not scale the law. A business making $50,000 annually versus one making $50,000,000 had to hit the exact same milestones (effort/work varies from business to business) to achieve GDPR compliance.
Scales pretty well, honestly. You have the same requirements regardless of company size, yes. But, the amount of work to implement those requirements is massively different based on income.
Generally, and, yes, it's an assumption, a company making $50,000,000 generally has far more independent services that make use of user data than a company making $50,000.
So, I work for a fairly small company; we make about $1,000,000 per year.
We have:
- Our game server
- Our forum
- Our store
- Our homepage (just a frontend for post data from the announcements section on the forum)
- Our leaderboards (just a frontend for the data already provided by the game server)
All in all, there are only three sources of data for us to worry about there. And, only two products that we're the actual vendor of (XenForo being the one who handles the forum software compliance).
For us, it really wasn't a big deal. As I mentioned, it only really took about six hours for the code required for easy GDPR compliance.
Now, in the case of 50 or 100 million USD, you often have quite a bit more going on than we do, and so your development time often goes up pretty much in proportion to the amount of cash you're pulling in.
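To make the mechanics of that reply concrete, here is an added illustration (not code from the thread or from the poster's company) covering both the best-effort IP region check and the "rename & delete" erasure request mentioned earlier, run over three constructed stores standing in for the game server, forum and shop listed above. The CIDR ranges, the store layouts, the `deleted_user_<id>` pseudonym, and the choice to keep scores and orders under that pseudonym rather than delete them are all assumptions for the example.

```python
import ipaddress
from copy import deepcopy

# Constructed sample ranges standing in for a real EU geo-IP feed (assumption).
EU_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]


def is_eu_address(ip):
    """Best-effort region check on the client address.

    A visitor coming through a foreign proxy will not be caught; that is the
    limit of "best effort" and is exactly why the check is only one layer.
    Malformed input is treated as not-EU rather than raising.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in EU_NETWORKS)


def sample_stores():
    """Fresh copies of three constructed data stores: game server, forum, shop."""
    game_server = {"players": {1001: {"name": "alice", "ip_last": "203.0.113.7", "score": 4200}}}
    forum = {
        "users": {1001: {"username": "alice", "email": "alice@example.net", "signature": "hi"}},
        "posts": [{"id": 1, "user_id": 1001, "body": "First post"}],
    }
    store = {
        "customers": {1001: {"name": "Alice A.", "email": "alice@example.net", "address": "1 Example St"}},
        "orders": [{"id": 501, "customer_id": 1001, "total": 19.99}],
    }
    return deepcopy(game_server), deepcopy(forum), deepcopy(store)


PSEUDONYM = "deleted_user_{}"


def erase_user(user_id, game_server, forum, store):
    """The "rename & delete" button: pseudonymise the account and strip personal
    fields in every store that holds them. Returns a report of what was done.

    Assumption: scores, posts and orders are kept but detached from identity
    (the pseudonym replaces the name), so leaderboards, threads and accounting
    records stay intact without any personal data behind them.
    """
    alias = PSEUDONYM.format(user_id)
    report = {"game_server": [], "forum": [], "store": []}

    player = game_server["players"].get(user_id)
    if player is not None:
        player["name"] = alias
        player.pop("ip_last", None)  # last-seen IP is personal data; score is not
        report["game_server"].append("renamed player, dropped last IP, kept score")

    user = forum["users"].get(user_id)
    if user is not None:
        forum["users"][user_id] = {"username": alias}  # email and signature gone
        report["forum"].append("renamed account, removed email and signature, kept posts")

    customer = store["customers"].get(user_id)
    if customer is not None:
        store["customers"][user_id] = {"name": alias}  # email and address gone
        report["store"].append("removed contact details, kept orders under pseudonym")

    return report


if __name__ == "__main__":
    gs, fo, st = sample_stores()
    print("EU address?", is_eu_address("203.0.113.7"))
    print(erase_user(1001, gs, fo, st))
    print(fo["users"][1001], st["customers"][1001])
```

The report is what you would log against the request so you can later show a data protection authority what was done and when; the stores are plain dicts here, but the same three-step pass maps directly onto three database updates.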
Larger companies, in my opinion, have a lot easier time implementing GDPR because they potentially have money and resources to throw at the problem. With money, they can hire lawyers, purchase resources, and recruit an army of talent to help them achieve compliance with GDPR.
I agree. This is the case for all laws, though.
For example, does the 72-hour data breach notification rule apply when the laws in your own country supersede the GDPR requirement when law enforcement is involved, and they explicitly tell you not to do any notification because doing so would impede their investigation?
As with most of the rest of the questions, a big theme is that most of it comes down to best effort. If you are complying literally as best as you possibly legally can, they are not going to fine you. Everyone I've talked to has reiterated that. Go have a chat with the ICO or any other European data protection agency and they'll essentially tell you the same thing.
The idea is, generally, try to be nice and try to follow the rules. If you can't follow them exactly 100% to the T due to legal reasons or whatever, don't worry too much about it; they're not here to kill you. They just want the best possible for their citizens.