What I am curious about is how do we define "doing business in the EU"? If I am American, create a blog stored in the US, and allow users to register an account to comment on the blog, am I doing business in the EU if an EU person creates an account or are my visitors more akin to foreign tourists visiting a US shop in the US and therefore outside the reach of EU regulation?
In the financial sector, the extra-territoriality of US laws has been a problem for decades. Securities issued in the EU, by EU entities and marketed to EU investors end up having some language referring to which US regulation they fall under out of fear that a US person will end up buying it, and the US applying their laws and regulations.
> In the financial sector, the extra-territoriality of US laws has been a problem for decades.
This is a problem for the internet that has long been present but is increasing: multiple jurisdictions with global reach. Historically the First Amendment has shielded the internet from a lot of attempts to interfere with it, but there's no particular reason why only the US should claim that its laws apply globally. Why not Franco-German laws against Holocaust denial? English libel law? Saudi blasphemy law? Chinese censorship law?
Sooner or later someone's going to find themselves in a Kafkaesque situation where two global jurisdictions demand incompatible things.
> Sooner or later someone's going to find themselves in a Kafkaesque situation where two global jurisdictions demand incompatible things.
That's exactly what we're already talking about here: companies are unable to obey both EU rules concerning privacy, and US laws concerning law enforcement access to data.
And that's basically why borders between internet jurisdictions are now being drawn up.
The sad thing is that Europe also has laws enabling law enforcement access to data, including (until recently) mandatory retention of certain data by ISPs. All this is about is mass surveillance without due process. All that would be required to fix it is interpreting the Fourth Amendment in the same way as Article 8, and abolishing the whole secret court infrastructure.
> The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.
> Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.
Microsoft was ordered to hand over an Irish citizen's emails stored outside of the US to US government officials in a drug case. The case is still in appeals.
In practical terms your blog would be outside the EU jurisdiction so no direct, effective, sanctions could be levied. However if you do take payments, for anything, from within the EU that is where they can hit you; by simply blocking European banks from making payments to you.
I'm not a bitcoin guy but this is a scenario where I can see the technology becoming popular/useful. They can theoretically block your service (like China's firewall) but that's harder to pull off and sell to the public.
For example it could let games circumvent online gambling laws.
> What I am curious about is how do we define "doing business in the EU"? If I am American, create a blog stored in the US, and allow users to register an account to comment on the blog, am I doing business in the EU if an EU person creates an account or are my visitors more akin to foreign tourists visiting a US shop in the US and therefore outside the reach of EU regulation?
De facto, it's when you take money from EU customers and/or have an official office in some EU country.
To wit, non-profit doesn't mean "doesn't take in money." IIRC, it means that the organization doesn't distribute surplus income (profit) to shareholders.
So, a non-profit that took monies from EU citizens I think would still possibly be affected, unless there are EU laws that make non-profits a different class of business subject to different laws.
There are non-profits that make millions of dollars in positive cash flow. All that term means (at least in the US) is that it doesn't ever pay dividends to shareholders.
I'll be intentionally vague because I don't want to stray too far afield but there are some large organizations that make a lot of money but are classified as non-profit. They can pay excess revenue as bonuses to directors and executives.
Note that I said "de facto", not "de jure". Nobody would bother suing a non profit that doesn't have EU offices unless you were very large and/or very prominent and/or doing something really nefarious about the data you have. And even then, suing a US company with no EU standing in front of an EU court from an EU citizen complaint is far from easy.
The same reason that if, say, Texas introduces a law that says everyone commenting on a Texan website needs to be polite and I post a comment with some name calling, suing me as someone not from Texas nor the US would not be very doable, even though I technically infringe on that law.
This is where I think Business Insider is ultimately "wrong", yet it keeps stressing in all related articles how this will create huge bureaucracy.
From what I see in the ruling, it keeps stating "under the directive" (Data Protection Directive).
The current Directive does indeed give national governments the right to decide how it's implemented. However, the new Directive (or regulation actually, meant to pass this year) will unify the directive for all countries. So I believe this "bureaucracy" issue, at least in regards to having to follow 27 different laws, will not be an issue anymore.
Even the current directive likely doesn't require satisfying all nations separately; since the various schemes are supposed to be compatible (i.e. conceptually safe harbor, though it's not called that, does apply within the EU), if a business hosted its data in one country and served others from there, they'd likely be safe.
There might be some bureaucracy to ensure that you really count as being hosted there (e.g. possibly ensuring that the parent company cannot access said data - which would be problematic for some companies), but AFAIK (IANAL) there's no legal distinction between EU and non-EU companies in this kind of rule.
EU banks also have special rules for US persons. There are special courses on how to properly determine whether someone counts as a US person or not. Nobody cares about other countries.
Isn't the US the only country that taxes the foreign income of its citizens, which would probably require that the banks have some paperwork particular to US citizens with accounts?
One of my Dutch banks, a small investment bank, kicked me out because I am on a temp visa in the USA. This means I have to pay taxes here and therefore need to report my Dutch bank accounts with the IRS. They told me the US penalties for not reporting 100% correctly on my money with them were so outrageous that they preferred to boot me.
U.S. residents, including temporary residents, are considered "U.S. persons" by the IRS and have to report everything. Amusingly this also applies to holders of U.S. Green Cards who aren't actually resident in the U.S.
Canadians working in the U.S. have had fun with IRS because a type of Canadian registered (tax-advantaged) savings account is not recognized by the IRS as a registered savings account but rather a "passive foreign investment company" and IRS loves to make people fill out lots of paperwork. This is apparently because IRS rules haven't been updated in the 10 years since the account type has been created.
Yes. If you're a US person or a US citizen living abroad, you pay income tax on all of your income wherever it is earned. And even most states claim this too. If you live in Colorado and travel one time to earn a consulting fee in New York you must pay New York state income tax on the money earned in New York, and claim it as a credit with Colorado. That means filing IRS forms, Colorado income tax forms, and New York income tax forms.
It's such a bureaucratic clusterfuck for a small business or consultant.
There is this problem in multiple countries I believe.
From what I understand, the US asks you to report what you earn outside of the US but also what you paid as taxes. If the foreign country has a tax treaty with the US you would only pay the difference (in case the US taxes are higher than the foreign).
It might not be the only country, but such taxation practice is definitely not the norm.
Unfortunately, there's little chance of normalizing the laws with international custom, since I can already see the attack ads about tax breaks for the wealthy.
Similar to the Cookie banner, you'll probably have to indicate to your subscribers that their data will be resident outside the EU and will not be subject to the same data protection. Subscriber proceeding will indicate agreement with that.
No, the data protection directives are not something you can opt out of, even if you nicely ask your users with a banner.
Note that the original point of the cookie banner law was not to ban cookies, but to inform users about it and allow users to avoid websites storing information about them. The consequence of that law is terrible and we all know that with the banners everywhere, but at no point was it "cookies are forbidden, but you can bypass it with user approval", it was "cookies are allowed but require approval".
Storing EU citizen data without respecting the data privacy directive is forbidden, period.
Actually, the fundamental rule of data protection legislation is that an organisation can store data on its subscribers and cannot, except in limited legally prescribed instances (e.g. lawful intercept, insurance fraud), share it with another organisation.
The issue at the core of the Schrems case is that Facebook for example is not bound to respect this, or any other fundaments of EU data protection law.
However, if you register with a website that is clearly and overtly outside your data protection jurisdiction then it is "you" who is freely providing that data. Just as you might give personal information over a transatlantic phone call.
The EU has no jurisdiction where the company is not in the EU, and cannot prevent an individual from sending their private information outside the jurisdiction if they want to.
But various of these multinationals such as Facebook are in the EU for various operational reasons and as such the EU does have jurisdiction over them.
Perhaps more relevant to the data retention laws, would be a site sharing passport numbers, names and addresses of EU citizens, perhaps collected at stays at motels/hotels across the US? The site might host them for free - but keeping/sharing that data without consent wouldn't be allowed under EU law. The particular example would probably also be illegal according to one or more US laws (state or federal) -- but I think it is still more interesting than the rather silly things people get hung up on?
If it's a US organisation (and not a multinational like FB), with data collected in the US, the Data Protection Directive does not apply. The fact it's merely EU citizens is irrelevant.
> The NSA will not stop gathering data on EU citizens
This is precisely the reason for the ruling. US policy will not guarantee that NSA won't snoop on EU citizens, therefore "safe harbour" is null. You're either respecting the other jurisdictions or you're not.
The issue here is not that the "law failed to do what it promised" it's that the "law was not implemented as promised". It can still fail even with the right implementation but at least now such practices facilitating such failures are now understood by everybody to be illegal. It is not "Okay" any more.
As you probably know, you can't comment like this on HN and we ban accounts that do it repeatedly. Please post civilly and substantively or not at all.