
I'm making the point that government "overreach", or whatever you feel it is, happens daily, and IMO GDPR is the least inappropriate of those.

I would imagine it's incredibly easy for many US companies, like e.g. a restaurant or a tire-repair shop to prove they don't explicitly go after EU subjects.

Since I was elaborating on how the EU and EU nationals feel the GDPR is appropriate in addressing the risk of privacy violations, which part of that did you feel didn't address your comment of "Except that approach ignores the nature of risk"?



I think you’ve misunderstood how GDPR works. If you handle the PII of a single EU data subject, then you are in scope for it, regardless of whether you intentionally solicit EU customers or not. Even a small restaurant or auto shop is likely to have a mailing list, or a CRM, or other records containing PII. It would be almost impossible to prove they don’t have a single piece of EU PII.

This does completely ignore the nature of risk, because it does not consider impact at all, which traditionally accounts for 50% of total magnitude. A SaaS company with 50 customers has to comply with exactly the same set of regulations as Google does, and faces €20,000,000 fines, regardless of the fact that the small company poses a quantifiably smaller risk to PII. There’s also an argument to be made that the small company is less likely to become the target of a sophisticated attack, as an adversary is much less likely to invest huge amounts of effort into breaching a small set of PII.


Here's a quote, directly out of the GDPR [0]:

> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

So it's simply not true that "you are in scope for it, regardless of whether you intentionally solicit EU customers or not." I could continue, but I suggest you actually read it if you're going to argue about it.

So spare me with all this "risk" bollocks. You're just another person willfully misunderstanding our laws, and spreading FUD to try and impose your culture and your rules on our society.

[0] http://data.consilium.europa.eu/doc/document/ST-5419-2016-IN...



