Note: I am not a legal expert, and the content of this post is my personal opinion and not intended to be legal advice of any kind.
The Importance Of Privacy
Before I begin, I want to stress the importance of privacy protection for all. I created the open-source Dual SSL library to provide enhanced privacy and data protection beyond current industry standards. I built the TMS/LFM ecommerce platform with stronger password protection than many competitors, and my HitsConnect ad-tracking service anonymizes IP addresses before they even reach the database.
I share the belief that privacy is a fundamental human right, and I support recent efforts to implement TLS and HTTPS on all web sites. I also believe the underlying spirit of the EU’s GDPR law is a step in the right direction, and some of its components should be voluntarily implemented by businesses with no presence within the EU.
With that said, all of my personal businesses are owned, operated, and hosted on servers located within the United States. Some of the discussions I’ve had with customers and other business owners regarding the GDPR have been concerning, not because of the content of the law, but because of its origin and perceived jurisdiction.
The Jurisdiction Of EU Law
One frequent question regarding the GDPR law is: who is legally bound by it? Multiple people have suggested to me that any online business that has customers or visitors from the EU is legally bound by EU law, even if that business has no presence within the EU.
The problem with this logic is that my web sites also have visitors from Canada, Mexico, Australia, China, Russia, India, and many other nations in all regions of the world. Each of these countries has laws that contradict the laws of other countries, and I would argue that some countries have laws which violate fundamental human rights.
Many countries attempt to use their influence to spread their laws beyond their borders and across the globe. Those who operate web sites that are accessible worldwide need to be aware of the laws of their jurisdiction, and also need to recognize that not all laws apply to them or are in the best interest of their customers and visitors.
The Larger Issue Of Accepting EU Law On US Soil
The politics and laws of the United States are far from perfect. However, all US Citizens have a right and a duty to take action against any law that we believe violates our rights. We are guaranteed legal representation in all levels of government that have jurisdiction over us.
International laws must be ratified by the US Congress before we can be bound by them, and the jurisdiction of those laws within the US can be reversed under US law.
If a representative votes for a law that we disagree with, then we have the right to vote against that representative, or even run for office. If we feel a law violates our constitutional rights, we can bring the case before the courts and have it reviewed by a branch of government that is independent from those who create or enforce the laws.
To my knowledge, the GDPR does not offer any of these protections to US Citizens. The politicians who wrote it are not accountable to US Citizens, and US Citizens are not legally represented within the EU.
And yet, I am seeing US-based businesses asking US customers to agree to privacy policies that reference the GDPR and “EU Law”. Some influential businesses are driving a perception that all online businesses are legally bound by the GDPR simply because people in the EU can access their web sites.
I believe there has been little resistance to this perception because the spirit of the GDPR is nearly universally accepted. However, what if these laws are extended to include matters such as censorship?
We cannot let our blind acceptance of one law overshadow that a fundamental human right is representation in the law.