To be eligible for things like a GDPR Data deletion request etc, is it enough that I am a citizen or must I be a resident? ty :)
Mildly on topic: I recently moved to France from Canada, I’m not an EU citizen, and google isn’t really sure if I’m on vacation or if I’ve moved permanently.
Every single website now asks me about cookie settings. Most have a reject all button, but occasionally I have to manually uncheck some sliders to protect my data. Time well spent.
My parents back in Canada always think it’s some voodoo magic when Facebook shows them ads about stuff they’ve recently been 'talking about (AKA searching on Google.) Duhhh. Thanks EU!
Not sure if it helps but :
GDPR Article 3 - Territorial scope
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
From what I understand, it doesn’t really matter where or who you are, it’s about whoever collects your data doing business in the EU. BUT ALSO if you are an EU citizen, it also applies to non EU companies (someone correct me if I’m wrong)
In a practical sense, I can tell you that in mobile apps, some parts of gdpr are implemented based on phone language settings or in the case of websites, the domain suffix of the page (.fr or .de, etc). I’m guessing this is an interpretation of the section described here:
strong indications that a non-EU business is intentionally offering goods or services to data subjects in the EU and may therefore be subject to the GDPR:
- Use of the language of an EU Member State (if the language is different than the language of the business’ home state);4
- Use of the currency of an EU Member State (if the currency is different than the currency of the business’ home state);
- Use of a top-level domain name of an EU Member State;
- Mentions of customers based in an EU Member State; or
- Targeted advertising to consumers in an EU Member State.
Most people seem to be leaning toward just applying them to anyone as that’s the way things are headed and once you’ve figure out how to do it technically it’s easier to just do it all the same way. Also, the EU is doing it’s best to set precedent for a broad interpretation.
This is why the EU is sometimes called a regulatory super power. Because the market is so large and important, the rest of the world often adopts EU regulations. Whether it’s GDPR or environmental standards, it’s cheaper to make one EU compliant version of your product or part than different versions for different markets.
Not any other kind of super power though, we’re far too busy squabbling amongst ourselves. Some still haven’t learnt the lessons of the last two world wars.
I think you need to reside on Europe to their laws apply to you, not matter if you are European citizen or not.
only sort of correct: the GDPR applies globally (see this comment: https://jlai.lu/comment/4089576), however if you don’t ever plan on visiting or doing business in the EU it’s probably one of those things that people would ignore because it’d be too difficult/impossible for the EU to actually follow up on
the appleebees website is not accessible from the eu - because they don’t want to comply. roadsideamerica.com, too.
off-topic but also the reason why people in the US need to use TOR to look up anything health related that isn’t on wikipedia, because the insane amount of data from tracking on the health websites hosted in the States are then sold to insurers and hence these websites are often not available in the EU because they aren’t GDPR-compliant. fucking dystopian
Legal advice given to me by an employer treated all citizens as eligible. Their advice tends to err on the side of caution at the best of times, but I have no reason to disagree that it’s at the very least legally contentious even if not yet officially contested.
Tl;dr I wouldn’t want to rely on it in court, whether everyone else is happy to risk that is whatever.
