Also, must be nice to live in a country where the regulator is as benevolent and reasonable as is described in this article.
I think it's ok for foreigners to be skeptical of this promise, as the article implies that this reasonableness is not encoded in law.
Such as?
> Also, must be nice to live in a country where the regulator is as benevolent and reasonable as is described in this article.
It is, thanks.
- Scope outside of Europe – e.g. if a completely foreign entity that offers a Spanish or French translation of its service could potentially be covered by GDPR, even if they're not marketing to EU markets specifically. Too bad for Quebec I guess. Or what if you fly to speak at a conference in Europe – is that "marketing" to residents of EU? Depends on your slides? Or not? Who knows.
- Consent – does X fall under "legitimate interest"? Is it essential to providing the service? These are not easy to definitively answer for any non-trivial application. And it's not like you can just err on the side of caution – you are not allowed to ask for more consent than you need IIRC. And if the regulator (one of them) disagrees with you after you've spent a few years building a business relying on a certain interpretation, tough luck I guess, try again?
- How to deal with backups that contain personal information
No, the GDPR is clear that it is applicable if you are offering goods or services to Europeans. The fact you are speaking French in Quebec isn't relevant.
> Or what if you fly to speak at a conference in Europe – is that "marketing" to residents of EU? Depends on your slides? Or not? Who knows.
So, if you fly to the European conference and talk to a Europeam audience, you're not going to be covered by the GDPR until you actually supply goods or services within the EU.
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union
> factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union
https://gdpr-info.eu/recitals/no-23/
So you need to "offer" services, not "supply" them, and "to data subjects in the EU", not "within the EU".
So you can't just run your business from Canada with no special emphasis on EU and call it a day.
Or if you're advocating blocking European IPs, well that's exactly the "hysteria" the article argues against.
You really can, it says that it may make it apparent.
Does your use of English make it apparent that you are intent on selling to the UK? No. Italian, might I suppose. French wouldn't if you were based in Canada.