
One interpretation of GDPR is that it applies to EU citizens globally, irrespective of where the company or its data is hosted.



I take it as applying to expats too living in non EU countries and their natural or adopted children, depending on how they inherit citizenship and maybe their grandchildren.


I believe it's EU residents, so if you reside somewhere outside the EU, sadly it doesn't apply.

(It's possible decent companies will not limit GDPR provisions though.)


That is our understanding of it too. It doesn't matter where your company is incorporated, or where your hosting provider stores the data - as long as an EU resident uses your service, you have to comply. I could be wrong, but we are erring on the side of caution with our SaaS app and treating this as the case.


edit: I understand this is an unpopular fact. However it is a fact that the EU does not have global jurisdiction to overrule foreign national sovereignty and dictate legislation. US businesses do not need to comply with GDPR if they are doing no business in the EU, period.

No, you do not have to comply if you're outside of the EU's jurisdiction. They can only hit you if you've got business in the EU that they can directly touch. Facebook, Google, etc. are aggressively complying because they want to continue making money in the EU.

They'll have to overrule eg US or Chinese jurisdiction to force outside companies to comply with GDPR.

How exactly do they intend to force compliance upon the two global superpowers with $34 trillion in economic output? It's laughable. US Federal courts will bury any attempts by the EU to legislate US laws/regulations on these matters.

If I'm a US service/site, I do no business in the EU, and I store information from EU residents on my servers in the US, the EU can't force me to comply with GDPR. They have no means to force that compliance, and to overrule or dictate US domestic laws. The EU doesn't govern the world's laws, if they didn't already realize that they're about to discover it.


Does that still apply if we are a 'data processor' according to their definition? We are an Australian company, with servers based in the US, and we have EU companies actually using our SaaS to manage their employees' information (also based in the EU). We haven't had formal legal advice on this, but upon discussions with other service providers, it seems we still have to be compliant because our paying customers who actually own the data are based in the EU.


If you're doing business with the EU, my opinion is that you should comply to GDPR. Your EU business customers will very likely demand / require it, if not today then sooner than later. Those EU businesses will be assessing the services they utilize and trying to make sure there are no holes in their own GDPR compliance as a consequence.

As a counter example. A US-based service I'm building now, will have zero business dealings with the EU, although it may store EU resident data (people that sign up that are from the EU). I have no concern about complying any time soon. I may choose to never comply, as I doubt I'll be drawing revenue from the EU. It's about the last thing on my list of things to worry about (GDPR, not user privacy in general).


If you're doing business with companies doing business with the EU, you should probably comply. GDPR compliance requires certain affiliated businesses that are involved with the data you collect to also be compliant. The US-based company I work for is in the process of switching to Stripe for ACH invoicing because bill.com isn't going to be GDPR compliant.


EU law says that it's only legal to transfer personal data to companies that have adequate level of protection for personal data. Certain countries are considered to meet the adequacy requirement, but Australia is not one of them[1], so you probably need to meet the requirement using a contract[2]. You should probably consult a lawyer.

[1]: https://ec.europa.eu/info/law/law-topic/data-protection/data...

> The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection.

[2]: https://ec.europa.eu/info/law/law-topic/data-protection/data...


Yes, EU companies are going to want legal guarantees that you'll fulfill your duties as a data processor under EU law. The common term for such a thing is "data processing agreement"; quite a few services offer them in a more-or-less self-service fashion.


This is actually true: while in theory the EU says GDPR applies abroad, it simply doesn't because it's not the law of the land. It can only be enforced indirectly, e.g. a US-based payment processor would want to comply because otherwise EU businesses would not be able to use it.


To me there's still a minuscule risk that goes something like: "Hey, we think your company is violating GDPR. Come to court." US company ignores. EU court finds in favor of whoever is launching these lawsuits. They can't collect any fines, but maybe they could prevent the company owners / other employees from entering the EU even as a tourist until they pay up. Though that goes against the whole philosophy of the LLC, EU perspectives on business generally seem kinda screwy...

I agree unless you have business in EU it's not really worth worrying about it... And even with business in EU, depending on how much of a hassle it would be to overhaul everything, an underconsidered option in all the panicked headless running about is just to have code branches that don't collect any data if the context is EU. Overhaul only what's needed for business, but no need to run around fixing all the other data vacuuming / data laziness going on just yet.


I thought it applies to EU residents / visitors in the EU, and to the users of companies based in the EU...



