
GDPR: effect on US-based forums?


Status
Not open for further replies.

GDPRdummy

Junior Member
Hello, I am sorry for asking questions on this topic before contributing to the forum first. But I was wondering if the GDPR (General Data Protection Regulation) has any effect on a US-based forum located in California. The forum has members from all around the world (thus incl. members located in the EU). I have read on this topic elsewhere but couldn't find the information that I am looking for. The forum's webserver contains only information that a member has provided himself such as an e-mail address. IP-addresses are registered as well each time a member posts on the forum or registers himself.

I have read that companies can be fined if they do not abide by the GDPR that states (among lots of other things) that users have the Right to Erasure compliance. The forum offers no products whatsoever (only accepts donations) and the forum actually costs money to keep it online.

I am asking if the GDPR has any effect on such a forum because I believe that there are several members on the forum that want to take advantage of the GDPR by asking their accounts to be physically removed from the forum, leaving no data behind. This will create big holes in threads which will pose a problem.

Please, if you would be so kind as to help me. If you would like to know more about the situation, I can answer your questions.

P.S. I hope this thread is posted in the right section. Sorry if it's not.
 


quincy

Senior Member
GDPRdummy said:
> Hello, I am sorry for asking questions on this topic before contributing to the forum first. But I was wondering if the GDPR (General Data Protection Regulation) has any effect on a US-based forum located in California. The forum has members from all around the world (thus incl. members located in the EU). I have read on this topic elsewhere but couldn't find the information that I am looking for. The forum's webserver contains only information that a member has provided himself such as an e-mail address. IP-addresses are registered as well each time a member posts on the forum or registers himself.
>
> I have read that companies can be fined if they do not abide by the GDPR that states (among lots of other things) that users have the Right to Erasure compliance. The forum offers no products whatsoever (only accepts donations) and the forum actually costs money to keep it online.
>
> I am asking if the GDPR has any effect on such a forum because I believe that there are several members on the forum that want to take advantage of the GDPR by asking their accounts to be physically removed from the forum, leaving no data behind. This will create big holes in threads which will pose a problem.
>
> Please, if you would be so kind as to help me. If you would like to know more about the situation, I can answer your questions.
>
> P.S. I hope this thread is posted in the right section. Sorry if it's not.

Where are you located (state, country)?

When the GDPR goes into effect in May, it will affect those in the EU. The US and US based sites do not have to comply with the GDPR.
 

GDPRdummy

Junior Member
quincy said:
> Where are you located (state, country)?
>
> When the GDPR goes into effect in May, it will affect those in the EU.

I don't live in the United States but I am talking about a US-based server located in California. (see OP)

So those who live in EU-member countries will get the right to require the forum to delete all the information that they have of that user even when the user has provided all the information himself? Won't all forums be affected by this major problem: creating big holes in threads so the information a thread contains won't be understandable anymore because posts are missing?
 

quincy

Senior Member
GDPRdummy said:
> I don't live in the United States but I am talking about a US-based server located in California. (see OP)
>
> So those who live in EU-member countries will get the right to require the forum to delete all the information that they have of that user even when the user has provided all the information himself? Won't all forums be affected by this major problem: creating big holes in threads so the information a thread contains won't be understandable anymore because posts are missing?

The EU does not have control over the US or US sites. The GDPR affects only those in the EU. The US is governed by US laws.

Here is a link to information on the EU's data protection regulation: https://www.eugdpr.org
 

GDPRdummy

Junior Member
quincy said:
> The EU does not have control over the US or US sites. The GDPR affects only those in the EU. The US is governed by US laws.

Sorry to question your answer but does article 3.2a say that the forum in question falls under the GDPR? A forum offers the service of information, letting people post on their forum and such.

Art. 3 GDPR: Territorial scope said:
> (1) Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
>
> (2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
>
> a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
>
> b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
>
> (3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
 

PayrollHRGuy

Senior Member
GDPRdummy said:
> I don't live in the United States but I am talking about a US-based server located in California. (see OP)
>
> So those who live in EU-member countries will get the right to require the forum to delete all the information that they have of that user even when the user has provided all the information himself? Won't all forums be affected by this major problem: creating big holes in threads so the information a thread contains won't be understandable anymore because posts are missing?

Do you live in the EU? Do you own or operate the forum? If so the EU could take action against you no matter where your server happens to be. You fall under their jurisdiction even if the server doesn't.
 

GDPRdummy

Junior Member
PayrollHRGuy said:
> Do you live in the EU? Do you own or operate the forum? If so the EU could take action against you no matter where your server happens to be. You fall under their jurisdiction even if the server doesn't.

Thank you for your response. The owner lives in the USA, I live in the EU as a moderator on the forum. So with everything based in the USA (owner, server, data processor, etc) except for the data subjects, the forum should not be subjected to the regulation? :)
 

quincy

Senior Member
GDPRdummy said:
> Thank you for your response. The owner lives in the USA, I live in the EU as a moderator on the forum. So with everything based in the USA (owner, server, data processor, etc) except for the data subjects, the forum should not be subjected to the regulation? :)

The GDPR affects only those in the EU. If companies do business in the EU, they must comply with the data protection regulations but only when doing business with countries in the EU.

Essentially, US companies will have to handle EU consumer data differently than US consumer data if they do not want to be fined under the GDPR, but there will be difficulty enforcing sanctions against US-based companies for not complying with the EU regulation.
 

GDPRdummy

Junior Member
quincy said:
> The GDPR affects only those in the EU. If companies do business in the EU, they must comply with the data protection regulations but only when doing business with countries in the EU.
>
> Essentially, US companies will have to handle EU consumer data differently than US consumer data if they do not want to be fined under the GDPR, but there will be difficulty enforcing sanctions against US-based companies for not complying with the EU regulation.

Yes, companies who deal with customers will have to deal with these data regulations. But my last question (thank you for helping me so far) is whether a forum provides a service or not. Even though it'll be difficult for the EU to enforce sanctions against a forum based entirely in the USA, I will be very relieved if I know for sure that the forum won't be subjected to the GDPR. Put differently, I would be relieved if I know that providing information to the members and letting the members post content on a forum is not considered a service.

Again, thank you for helping me with this concern of mine.
 

quincy

Senior Member
GDPRdummy said:
> Yes, companies who deal with customers will have to deal with these data regulations. But my last question (thank you for helping me so far) is whether a forum provides a service or not. Even though it'll be difficult for the EU to enforce sanctions against a forum based entirely in the USA, I will be very relieved if I know for sure that the forum won't be subjected to the GDPR. Put differently, I would be relieved if I know that providing information to the members and letting the members post content on a forum is not considered a service.
>
> Again, thank you for helping me with this concern of mine.

The GDPR is all about data protection to preserve the privacy rights of EU citizens.

EU citizens who register on a US site cannot expect their personal data to be protected according to EU regulations. Instead, the EU citizen could potentially have data protected under US data privacy laws. But the GDPR offers them no additional protection in the US.

That said, private US-based forums (like FreeAdvice) set their own rules. Someone can either accept these rules (including those on the privacy of data) or not register on the forum.
 

Taxing Matters

Overtaxed Member
quincy said:
> The GDPR affects only those in the EU. If companies do business in the EU, they must comply with the data protection regulations but only when doing business with countries in the EU.
>
> Essentially, US companies will have to handle EU consumer data differently than US consumer data if they do not want to be fined under the GDPR, but there will be difficulty enforcing sanctions against US-based companies for not complying with the EU regulation.

The EU takes the position that the law does indeed apply to those firms offering services (even free services) to persons in EU member states whether or not the firm is located in the EU. Specifically, the EU states:

The law applies to:

1. a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
2. a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.

But the EU goes on to say that firms that are not specifically targeting EU members are generally not subject to the law. That is, if an EU member uses a site owned and operated in the U.S. and that only provides services in the U.S., the fact that a person located in the EU happens to choose to use that site will not make it subject to the law.

See the EC page discussing who is subject to the law here:
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
 

quincy

Senior Member
Taxing Matters said:
> The EU takes the position that the law does indeed apply to those firms offering services (even free services) to persons in EU member states whether or not the firm is located in the EU. Specifically, the EU states:
>
> The law applies to:
>
> 1. a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
> 2. a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.
>
> But the EU goes on to say that firms that are not specifically targeting EU members are generally not subject to the law. That is, if an EU member uses a site owned and operated in the U.S. and that only provides services in the U.S., the fact that a person located in the EU happens to choose to use that site will not make it subject to the law.
>
> See the EC page discussing who is subject to the law here:
> https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en

Yes. US sites that do not operate in the EU do not have to comply with the EU data protection regulations. If US companies offer goods or services to EU citizens in the EU, the regulations will apply.

There will be enforcement difficulties, as there were with the EU's other version of the law. The EU had difficulty enforcing its regulations on US based companies. The previous struggles with Google illustrate the problem.
 

737simpilot

New member
I don't mean to raise this thread again, but I notice a lot, and I mean A LOT of websites have that annoying popup generally at the bottom of the page asking you to confirm to their use of cookies and such, including this one. I see that this site is hosted in the U.S. and yet there is that pop up.

I have added privacy terms as a global announcement to my forum and a link in the footer to that global announcement with the included ability for a user to delete and/or erase their content. Even though I'm not living in the EU or that the server is in the EU, I'm complying based on the fact that so many other websites are and I don't feel like getting sued by the EU and not ever having the ability to step foot there ever again.

Question: I use the reverse proxy CloudFlare on my website. They have edge servers located all over the world including the EU. Since my content can be fetched from an edge server in the EU would that mean I have to be compliant to GDPR?
 
