surveillance cameras pointing in every direction from the top of a pole, with the blue sky visible in the background.

GDPR, Jurisdiction, and Some Honest Questions.

ByBen Meredith

surveillance cameras pointing in every direction from the top of a pole, with the blue sky visible in the background.
This Post is not about data privacy. But this image is.
Photo by Nathaniel dahan on Unsplash
This post isn’t really about the GDPR legislation, though it’s the latest piece of legislation out of the European Union that has the world’s attention, so it got me thinking again about what this post is really about.

This post is about jurisdiction.

Specifically, why does the European Union creating a law have any effect on me? Beyond being friends with people who are citizens of the EU, I nor my business have anything to do with the European Union. I’m not subject to its laws, penalties, or taxes.

I’m clearly not a lawyer. While I am on disclaimers, this post represents my while-mowing-the-lawn-earlier thoughts and should never be construed as an official statement of anyone’s opinion. These are legit questions.

I can’t get over the same thought that I had back when the EU VAT legislation was passed (and some folks panicked about it online): we (the US) literally fought a war so that we don’t have to care what European laws say.

So, let’s walk through a worst-case scenario regarding the new law. A few months from now, after I clearly have not read the law or complied with it (I have a few other things on my plate, and reading through laws of other countries doesn’t make the to-do list), I get a nasty email from someone in Brussels demanding that I pay a fine for non-compliance.

My response would be a polite decline and explanation that I actually live in North Carolina, and obey the laws of my city, county, state, and nation. I’d simply decline to pay the fine.

Aside: Because the content of the GDPR law and internet privacy is such a hot-button issue, allow me to clarify that I take privacy very seriously and transparency with my customers very seriously. If I were contacted by an individual (not the European government) I would most certainly delete their info, or let them know whatever they would like about their info and how I use it. When it comes to the aims of the GDPR legislation, I actually think they are relatively noble aims from an ethical standpoint, and the privacy concerns raised by the discussion surrounding the legislation are good to talk about. Ethically speaking, businesses ought to be having these discussions. But that’s not what this post is about.

This post is about the fact that I can’t be compelled by European law to act—because there’s no mechanism for enforcement of the law.

Back to the hypothetical story.

My polite decline would likely result in scarier letters on official letterhead, which I again would politely decline, using the best letterhead template I could find for free online.

Getting a fine from Brussels would be like getting paperwork for a parking ticket on the moon. They’ve clearly got the wrong guy.

From where I sit, the worst case scenario for me or my business would be to be barred from travel to or through the EU until I paid a fine. And there ought to be an uproar over the unjustness of the fine.

Why do we as a tech community pay attention to the laws of the EU but not those of (for example) Botswana or China or Venezuela? I feel certain there are laws restricting what information I can share with North Korean citizens or citizens of Turkmenistan (but don’t quote me on that: In case it wasn’t clear, I don’t read laws that don’t apply to me). Yet I just ignore those as a US small business.

Serious question: do we only comply with the laws of the EU because they’re white people?

Do we only comply with the GDPR and other European laws because white people wrote them? Click To Tweet

Let’s try a closer-to-home analogy. We are good friends with the neighbors across the cul-de-sac here in our suburb. Our kids are roughly the same age and play all the time at one another’s house.

Imagine me sending the following email to the neighbors:

Hi Neighbors!

We’ve decided that our house rule is that kids who are visiting a house they don’t live in get free reign on the television as well as information about all snacks in the cabinet for the entirety of their stay. Effective June 5th, all families who don’t comply in the neighborhood will be forced to disclose their checking account balance.

Sincerely,
The family who cares more about kids.

It’s cute and all, but my neighbors would likely just laugh and say “no, the actual new rule is buh-bye, because weirdos.”

Best case scenario for my kids still being able to play at the neighbors’ house is that they just ignore the email and claim they never saw it.

Oddly enough, that’s the same exact posture I’ve taken toward the EU VAT law, as well as the new GDPR law: I intentionally haven’t read them so that their kids can still come to play at my house.

For a US small business, a European law is like me emailing my neighbor enacting new rules at their house. Right? Click To Tweet

So what am I missing? How is the GDPR (or any law of any country of which I am not a citizen and in with my corporation is not registered) enforceable to me? Is the European government going to petition the US government for extradition for this? Would the same standards be upheld if it were a Russian law? How about an Iranian one?

To reiterate one final time: I am happy to comply with any request for information from anyone who has done business with me, or anyone who has subscribed to an email list, or for whom I have collected any data. That’s not what this post is about.