• EU laws apply to EU citizens, even on the internet. EU laws therefore tend to have surprisingly global effects, often called the ‘Brussels Effect’.

    A US company harvesting data from EU citizens is subject to EU laws and can be fined for breaking them accordingly, for example.

    • Bernie Ecclestoned@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      1 year ago

      The Brussels effect is a book.

      Are you saying the lawyer who specialises in data and privacy is wrong?

      The company was working for a foreign government, not commercially

      You could like, read the article?

      • Please read beyond the first Google result that you find: https://en.m.wikipedia.org/wiki/Brussels_effect

        What a UK court has ruled based on EU law is not necessarily what an EU court would rule. They may well state that Clearview is a commercial partner of foreign law enforcement and therefore not protected (because it’s not the foreign law enforcement itself doing the data harvesting, but a commercial firm intending to make money).

        Besides, the UK court clearly ruled that the law did apply, but that Clearview wasn’t in breach. This wasn’t a jurisdiction issue, as you asserted initially.

        • Bernie Ecclestoned@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 year ago

          Yes, not in breach. The UK laws have not been changed since brexit. Start dealing in facts, not some conceptual Brussels effect which isn’t real other than REACH. The California effect is much larger.

          The EU court can decide whatever the fuck it likes, it still has zero jurisdiction outside the EU.

          Also, read the FUCKING article, the French also brought a case…

          • I’m not talking about who is in breach or not, I argued about the jurisdiction of the court, which they ruled that the law does apply to Clearview (even if it wasn’t breached). It’s literally in the article, maybe you should read it?

            Also, foreign companies saving any data on EU citizens who reside in the EU are subject to the GDPR, see this webpage set up by lawyers who actually know about this stuff:

            “The law is structured in this manner so that it can safeguard the data and privacy rights of all internet users in the EU, regardless of where they browse online or purchase. Therefore, if you conduct business with EU citizens, you must comply with GDPR.” https://reciprocity.com/resource-center/guide-to-gdpr-compliance-for-us-companies/#:~:text=The law is structured in this manner so that it can safeguard the data and privacy rights of all internet users in the EU%2C regardless of where they browse online or purchase. Therefore%2C if you conduct business with EU citizens%2C you must comply with GDPR.

            And the French also brought a case, precisely because the law does apply and they have jurisdiction. So thanks for proving my point I guess?

            • Bernie Ecclestoned@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Therefore, if you conduct business with EU citizens, you must comply with GDPR."

              They weren’t conducting business, as the article says. If they were, the law, in the UK, which hasn’t changed, would apply. But they weren’t.

              • Collecting personal data from EU citizens whilst they are in the EU is doing business in the EU, which is why the court ruled the law did apply. Did you read the article?

                Clearview was not fined specifically because of a provision in that same law that says such data collection is permitted if they were doing this business on behalf of foreign law enforcement. So the UK court ruled the law does apply, but that Clearview wasn’t in breach. The UK court used EU law to determine Clearview was not in breach of EU law. The fine was not removed because Clearview is outside of their jurisdiction, which they’re simply not.

                • Bernie Ecclestoned@sh.itjust.works
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  edit-2
                  1 year ago

                  The judgment, issued by the three-member tribunal at the First-tier Tribunal, agreed with Clearview’s assertion that the ICO lacked jurisdiction in the case because the data processing in question was carried out on behalf of foreign government agencies.

                  Yeah, I’m going to take the judgement as the truth over your opinion of a fictional ECJ judgement, especially as the UK GDPR law is exactly the same as the EU one.

                  Please provide a link that shows otherwise

                  • I think I understand your confusion now.

                    For starters, we’re talking about the exact same ruling. And I think the snippet you posted will help me explain the issue.

                    GDPR is an EU law. It applies to all companies collecting data on EU citizens. If a company does, it falls under the jurisdiction of the GDPR and European (member state) courts (in this case a UK court). The UK court clearly held that it has jurisdiction, and could apply a penalty if Clearview were to be in breach of the law.

                    However, the court is not normally the one to hand out these fines. Instead, that is delegated to each country’s data protection agency, which in the UKs case is the ICO. Now, the exact conditions under which the ICO is allowed to fine a company is defined in the GDPR. It defines the jurisdiction of the data protection agencies.

                    One of those conditions states that the ICO is not to have jurisdiction over data collection done for foreign law enforcement (that’s usually covered by international treaties instead). The ICO for example can’t fine the FBI or NSA or something.

                    In the case of Clearview, the ICO argued that sinced Clearview is a private company, they were not covered by this exclusion. Clearview argues that the sole purpose of the data collection is for foreign law enforcement, so that they are covered by that exclusion. Note that Clearview didn’t argue that they can’t be fined because they’re not an EU company.

                    The court has ruled that yes, the GDPR applies to Clearview, but also that Clearview is covered by the exclusion outlined in the GDPR for foreign law enforcement, and thus that the ICO does not have the jurisdiction to fine them (again, note the difference between the jurisdiction of the law/court and that of the ICO). So GDPR applies, but Clearview is not in breach.

                    Hypothetically, had Clearview sold this data to other private companies instead of law enforcement agencies, then Clearview could not have argued that they were covered by the GDPR exemption, and thus the court would have ruled that the ICO does have the jurisdiction to fine them.

                    So in conclusion:

                    • The EU can and has fined companies that are not in the EU for breaches of the GDPR.
                    • The GDPR does apply to Clearview.
                    • The UK court does have jurisdiction.
                    • The ICO does not have jurisdiction on Clearview specifically, due to the aforementioned provision in the GDPR.
                    • The ICO can not fine Clearview for this activity, for reasons outlined in the GDPR.

                    I hope this makes a bit more sense now.