They wanted to violate my rights given by Article 7.2 of the General Data Protection Regulation (GDPR); this is clearly making the product worse.
What's great with GitLab compared to other companies is that they are doing things in the open, while another company would just violate my rights without me knowing it.
If you go through the comments, multiple (toxic) people in GitLab don't care about user rights, they just want to push the change as soon as possible (just like in any other company that I have been working in).
It's also clear that you get VP/Director/Staff engineer by just pushing through other people (sadly I have seen the same thing happening other times as well).
You can opt out by not using it, right? They'd be supposed to drop EU users, under some interpretation of the law. But even if they didn't, then as an EU user, you'd still be able to protect your own rights by ceasing use of their services.
The advice I have bookmarked (which I'll admit is not a legal opinion or the source legislation) says:
‘specific website content’ means that you should not make ‘general access’ subject to conditions requiring users to accept non-essential cookies – you can only limit certain content if the user does not consent;
and
the term ‘legitimate purpose’ refers to facilitating the provision of an information society service – ie, a service the user explicitly requests. This does not include third parties such as analytics services or online advertising.
As I read/understand things, unless the service you're providing is "being tracked by advertisers or analytics", you cannot block access to users based on them not consenting to being tracked for advertising/analytics.
Pretty sure "They'd be supposed to drop EU users, under some interpretation of the law." is correct there, and that if Gitlab wants to have tracking consent as a mandatory requirement for using their source control service, they'd need to stop selling it in EU completely.
Good luck trying your luck with international law.
“You may be wondering how the European Union will enforce a law in territory it does not control. The fact is, foreign governments help other countries enforce their laws through mutual assistance treaties and other mechanisms all the time. GDPR Article 50 addresses this question directly. So far, the EU’s reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis.”
The EU could certainly stop them from doing business there. Beyond that, you can't be sure they could collect fines. It may depend on the technical details of what the fines are about, and how big they are. America has human rights that privacy regulations like California's CCPA are careful to waltz around.
If at all, then only as long as they're conducting their business with EU customers entirely from the US. As soon as they're putting servers in a colo in the EU, there's something that EU authorities could confiscate to cover outstanding fines.
You cannot conduct business in the EU unless you have a VAT number issued by any of the member (still 28) states. You cannot sell anything in the EU w/o VAT, it'd be illegal. The company =must= pay the collected VAT to the respective member state(s).
So they have to register in the EU to conduct business (and issue VAT receipts). This requires some assets and people to be responsible.
The only way to conduct business outside is small shipments (less than 22e) that would be free of VAT and customs clearance.
GDPR is very clear, there are no multiple interpretations: the responsibility of telling me how they are using data about me is on the server side.
It's impossible for people in the EU to track all the time how different services use their data, so what you are suggesting is not practical.
As an example if you go with 200km/h on the German highway the responsibility of the road not ending is not yours. When I was going with a car in Albania and this happened to me, I (and my car) was quite shocked, but there are differences between countries.