Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It looks like it's a US-based company without enough of a European presence to fall under their jurisdiction.


https://gdpr.eu/companies-outside-of-europe/ it looks like it would? I'm no expert though.


Right, they can say it applies... but if a company does no business in Europe, how can a judgement be enforced?


> The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not, known as "extra-territorial effect."

They can say this all they want, but if you have no presence in the EU, and your jurisdiction does not have any agreement to apply GDPR regulations to you, then this is at most a strongly worded request.

Barring explicit agreements to the contrary (treaties, extradition agreements, etc), by definition a country's laws are only enforceable there.

If PDL has no business in Europe, no plans to expand there, and there's no treaty or other agreement making the provisions enforceable against them, the EU can say whatever it wants but PDL has no legal obligation to do anything about it.


One obvious answer in that case would be to establish who is buying the data from them and treat any PDL data as potentially tainted. If you find a downstream customer who does have a presence, then investigate accordingly. You might not be able to fine PDL directly, but you could certainly make the offending data risky or unprofitable...


Sure, but how do you propose doing that? Send another strongly worded letter to PDL demanding their customer list?


Usually you'd either track known errors in the dataset (implying that the companies had either bought it from PDL or copied the leak), or you'd ask the banks (who do have a presence) which accounts were paying them and who owned the accounts. If Bitcoin's involved at all, you assume there's something fishy going on and investigate accordingly.

(Assuming anyone were bothered enough to actually do this, of course.)


I’m also not an expert, but my understanding is that it applies but would be hard for the EU to take action against them


A law isn't a law if you can't enforce it, so "applies" has kind of a strange meaning in this context then, doesn't it?


A law always has a jurisdiction. EU laws generally don't apply to the US, even if the EU wants them to. There are exceptions, of course.


Theoretically, if it were egregious enough, the EU could say to the owners or management of the company that if they went to the EU they would be arrested. That’s enough of a threat that it might convince them.


Legal jurisdiction is a separate matter than the specific text of laws. The "this applies to non-European companies" things just means that if you fall under the jurisdiction of European courts, you can't absolve yourself of responsibility of complying with this law simply by being a foreign-registered company.

On the other hand, if you never fall under European jurisdiction in the first place, you're free to ignore them, just as you can ignore Thai laws against insulting their king. One very important thing to note is that setting foot in European soil will expose you to their jurisdiction, so you've significantly limited your freedom of movement, but if GDPR compliance is a bigger deal than that then "just never go to Europe" can be a viable strategy.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: