I read the entire document a few weeks back and recall no such provisions. Could you cite one for me? I'm trying to be as informed on this as possible.
Article 3, "Territorial scope", lays out where GDPR applies, and it contains no derogations for "but I didn't know they were European, honest". It is not, in fact, specifically about European citizens. It covers the processing of data for "natural persons in the Union", which is a bit unclear to me but I interpret it as covering anyone physically located in a country that forms a Supervisory Authority under section 51.
How this will ultimately interact with your websites and/or businesses if you are not based in the EU is unclear at this time.
"The reach of GDPR is broad but is not unlimited. The mere fact that a U.S.-based website can be accessed in the EEA isn’t enough. If the company does not have a physical presence in the EEA, it must be determined whether that company engages in more than incidental contact with EEA residents."
So if someone is going out of their way to mask the fact that they are from the EU, and you aren't otherwise seeking out EU users, you're not going to get in trouble for that. One issue I have with it though is that translation may trigger GDPR exposure, and since Spain is part of the EU, many sites aimed at Spanish speakers (but not aimed at the EU) may have this beast of a law apply to them. I operate a few sites that have Spanish content, so that is deeply troubling.
[1] https://www.gtlaw.com/en/insights/2018/2/the-gdpr-deadline-l...
This thread is now too deep for me to respond to your comment.
"The reach of GDPR is broad but is not unlimited. The mere fact that a U.S.-based website can be accessed in the EEA isn’t enough. If the company does not have a physical presence in the EEA, it must be determined whether that company engages in more than incidental contact with EEA residents."
This statement seems to have misinterpreted article 27, which states that if your processing is merely occasional, or if you are occasionally a processor for an EU controller, you need not specify a designated representative to the EU.
Read more here: https://gdpr-info.eu/?s=occasional
But the exception you think exists pretty much doesn't. It's got a small exception for occasional sharing of data without consent when it relates to active legal proceedings.
Naturally the EU has no jurisdiction over you if you don't live in the EU and you aren't based in the EU. They may be able to apply pressure on your partners though, be that advertising companies or others. This may flow through to you, in time. We're already seeing Facebook come under pressure to provide US citizens with the same protections that the GDPR provides EU residents.
FYI you can reply to other posts when the thread is this deep by clicking on the "X minutes ago" thing on the comment you want to reply to.
It probably wasn't depth that blocked you. It was probably time. There is a short interval after a comment is posted during which the reply link is not available in the thread. (You can still reply without waiting, but you have to figure out how to get a reply button instead of a reply link. The reply button doesn't have the delay.)
> This statement seems to have misinterpreted article 27
I believe that statement is summarizing recital 23, not attempting to interpret article 27.