• ℍ𝕂-𝟞𝟝@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    33
    arrow-down
    2
    ·
    27 days ago

    You should also know that hosting a service in the US without explicitly denying service to Europeans, and not abiding by the GDPR makes you liable to criminal prosecution in the US. US federal law has a version of GDPR that does not protect US citizens, just EU ones.

      • ℍ𝕂-𝟞𝟝@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        19
        ·
        edit-2
        27 days ago

        It’s very dry and boring legalese, but look up the EU-US Data Privacy Framework.

        TL;DR: Biden signed a law last year letting EU courts enforce GDPR fines in US courts. It never happens because companies are not stupid and defend themselves in the EU courts.

        It’s a recent edition of a string of increasingly privacy-favouring legislation attempts by the US to placate the EU about the rights of its citizens being respected abroad. The gist of it is that it is a US federal law signed into force by Biden last year, which makes it so that EU citizens have legal standing in US courts to enforce EU GDPR court decisions. There is not a lot of precedent yet, but that’s part of the point.

        It precludes companies from using the loophole of not having any EU presence to evade fines and rules. Companies can and almost always exempt themselves from this by having an EU entity and subjecting themselves to GDPR directly, since if they get you through this, the EU court will already have tried and found against you, and the US federal court has little room to get you off the hook, because if they do, they risk Big Tech bottom lines by endangering EU-US data transfers.

        • koper@feddit.nl
          link
          fedilink
          arrow-up
          3
          ·
          26 days ago

          I’m sorry, but I think you’re mistaken. May I ask where you got this information?

          As I understand it, the DPF is merely an executive order and not a federal law, so it’s very limited in what it can do. It doesn’t create the ability to enforce fines through US courts because breaking the GDPR is still perfectly legal under US law.

          This loophole is still used unfortunately. For example, Clearview AI was fined by various data protection authorities, but their fines cannot be enforced so the company just never paid up.l