MobileRead Forums - View Single Post

darryl · 03-29-2018, 01:57 AM

This regulation is a potential nightmare. Whilst it is well intentioned and its objectives very desirable in many ways, its drafting leaves many ambiguities, I suspect deliberately so. The extra-territorial operation is a potential nightmare under certain circumstances. Since "processing" is defined to include both collection and storage without any other significant use being made of the data, it seems likely that any forums, for instance, accepting users from the EU and requiring their registration are literally caught, no matter their size, whether they charge or whether they have anything else to do with the EU over and beyond simply accepting its residents as members. This scope is of course absolutely ridiculous. In practice, there is little that the EU can do to enforce this regulation against a controller or processor without any presence or any assets within the union. Nor would it be likely to try. Many years ago I used to use a hypothetical in lectures and tutorials, asking students whether the Australian Parliament could unilaterally pass a valid law imposing a tax on all US residents. Such a law would very likely be within the power of the Australian Parliament. However, it would be impossible to enforce except against those few US residents who were unfortunate enough to have a presence or to visit, or who held assets here. Secondly, of course, is the principle of reciprocity. The US could and would quite justifiably retaliate. Many countries, of course, including the US and of course the EU member countries, do increasingly test the boundaries of extra-territoriality. How far can they go without triggering more than a luke warm protest by other countries whose citizens are affected?

In the case of Mobileread it appears likely that because we accept EU residents and gather and store personal information we are caught by this regulation. However, it would seem that in a practical sense the EU could not enforce compliance in the absence of a controller, a processor or assets within their jurisdiction.

The text of the Regulation can be found here for anyone interested. I should add that I count myself fortunate not to live in the EU and that I do not profess any expertise in their law. This is not legal advice and cannot be relied upon. I've set out my very cursory view based only on the text of the Regulation here for purposes of discussion only.

03-29-2018, 01:57 AM	#10
darryl Wizard Posts: 3,108 Karma: 60231510 Join Date: Nov 2011 Location: Australia Device: Kobo Aura H2O, Kindle Oasis, Huwei Ascend Mate 7	This regulation is a potential nightmare. Whilst it is well intentioned and its objectives very desirable in many ways, its drafting leaves many ambiguities, I suspect deliberately so. The extra-territorial operation is a potential nightmare under certain circumstances. Since "processing" is defined to include both collection and storage without any other significant use being made of the data, it seems likely that any forums, for instance, accepting users from the EU and requiring their registration are literally caught, no matter their size, whether they charge or whether they have anything else to do with the EU over and beyond simply accepting its residents as members. This scope is of course absolutely ridiculous. In practice, there is little that the EU can do to enforce this regulation against a controller or processor without any presence or any assets within the union. Nor would it be likely to try. Many years ago I used to use a hypothetical in lectures and tutorials, asking students whether the Australian Parliament could unilaterally pass a valid law imposing a tax on all US residents. Such a law would very likely be within the power of the Australian Parliament. However, it would be impossible to enforce except against those few US residents who were unfortunate enough to have a presence or to visit, or who held assets here. Secondly, of course, is the principle of reciprocity. The US could and would quite justifiably retaliate. Many countries, of course, including the US and of course the EU member countries, do increasingly test the boundaries of extra-territoriality. How far can they go without triggering more than a luke warm protest by other countries whose citizens are affected? In the case of Mobileread it appears likely that because we accept EU residents and gather and store personal information we are caught by this regulation. However, it would seem that in a practical sense the EU could not enforce compliance in the absence of a controller, a processor or assets within their jurisdiction. The text of the Regulation can be found here for anyone interested. I should add that I count myself fortunate not to live in the EU and that I do not profess any expertise in their law. This is not legal advice and cannot be relied upon. I've set out my very cursory view based only on the text of the Regulation here for purposes of discussion only.