GDPR doesn't apply for entities outside EU if they aren't specifically targetting services at individuals in the EU (which can be indicated by using EU domains, supporting EU currencies, supporting EU languages or mentioning EU customers in promotional materials).
this is not completely correct. GDPR applies to (among others) „ a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.“ - if you have an accidental EU customer it applies to you. Also if you have an US customer who is temporarily in the EU. https://commission.europa.eu/law/law-topic/data-protection/r...
I'm pretty sure I've provided French localization for some of my software at some point, just on a whim. Which is an EU language. And I know that some of my non-EU users of free, online tools have travelled to Europe occasionally. So I guess I was subject to the GDPR, until I took all my web tools offline?
Sure, I never tracked any information except what was absolutely necessary. No email address, no IPs, just logins, passwords, and data saved by the user. But that still means:
- I needed to respond to several kinds of emails within 30 days, even if I was on vacation.
- I needed to understand the frustratingly vague and abstract language of the GPDR.
- I was subject to 27 different data regulators, not all of whom provided information in languages I could read, I don't think?
As a non-EU resident, I have zero vote in any of this. I make zero money off of anyone in the EU. I would happily ignore the EU entirely, or allow EU users to download my stuff and to figure out their own laws.
But the EU claims jurisdiction over foreign nationals, even though we have no vote, no representation, and no commercial presence. There is precisely zero upside for me here.
And with the Product Liability Directive, it looks like the EU might impose personal liability on me as an open source author who occasionally consults for US companies. Which, since nobody in the EU is paying me a cent, I have no interest in assuming. If the final PLD is bad enough, I guess I can try to block downloads from European IPs or something.
If these laws were limited to real companies with an actual presence in Europe, I'd feel very differently. But extraterritorial laws for private citizens are gross.
I'm not a lawyer, but I think it's unlikely that this browsewrap agreement is enforcable in United States as the website doesn't ask the user to actually consent to Terms of Service, see Nguyen v. Barnes & Noble, Inc. (763 F.3d 1171).
This particular restriction is mostly arbitrary anyway because `this` and `super` accept arbitrary expressions (including static method calls), so in most cases it's possible to do this, just with much worse syntax.
Technically, this does introduce new functionality when extending a class, specifically it's possible to choose a constructor to overload depending on arguments, but in most cases there is usually one constructor that all other constructors use.
The problem with shorting cryptocurrency is that you are assuming that market is fair, when this is absolutely not the case - the market is heavily manipulated.
This is why the U.S. government needs a dedicated digital team like the Obama administration had setup.
The entire government can be their clients, so they can efficiently reuse stuff they’ve developed.
The UK government has done this I believe (I’m not entirely sure how it’s setup, but I do remember them publishing a UI toolkit that didn’t just look good but covered accessibility properly), and I think every govt should be doing it going forward.
Paying the criminals wouldn't help here. First, there is no guarantee that they wouldn't release the data anyway, second, the data already got leaked - criminals who were responsible for it have access to it, third, they publicly posted the information they have access to it.
Instead, the proper solution is after verifying legitimacy of the leak to immediately (within 72 hours) notify supervisory authority and users about personal data breach according to Articles 33 and 34 of GDPR.
Technically Google already has per-service bans for Google Ads and YouTube. That doesn't help if you get banned for a reason unrelated to those services however.
Certificate Transparency system requires certificates issued by CAs to be publicly reported, otherwise web browsers will reject them. Publicly reported certificates then can be monitored by anyone, and anything suspicious could be reported.
