Leaving aside the rights and wrongs of the Russian government, I think that their general goal is sensible and we'll see more and more of this from all countries.
By their general goal I mean "the Russian media regulation body, the Roskomnadzor, demanded that Fastmail comply with Russian data laws. This is because Russia has a national goal of controlling the flow of information within their borders." (from the blog).
A company may not have any presence in a country but if they have customers there it's not unreasonable for that country to expect that its data laws should apply to the company's relation with those customers (and as it happens that's what the GDPR stipulates as well).
Compliance with legal features of various nations does not divorce companies from the responsibility for the results if they choose to comply.
Actively participating in oppressive behavior makes companies complicit. This is why companies today rightly face criticism for use of slave labor, abusive labor, resource exploitation, helping governments restrict speech, helping governments breach privacy (which results in people actually dying in places like Russia). Just because these things are legal does not make them right or acceptable to Western employees, shareholders or governments. If Russia demanded that I must take actions that would potentially result in deaths from their authoritarian regime, like by giving them access to our customer's communications, I'd tell them to get bent.
That was my reaction as well, though I still don't like it.
That is, I don't like that GDPR-like laws can extend to actually blocking services. But they already do. I'd prefer that they just force "disclosure", like "Yes, I understand my email won't be stored in my home country".
Actually, GDPR went way beyond that, demanding that every website in the world comply with their laws, regardless of whether or not you had customers in the EU, unless you count somebody reading your personal blog as a “customer.”
Wrong. GDPR asks that every website comply with their laws for anything that relates to the EU. An Italian citizen has to agree about it even if they live in Nepal. But a Nepalese website doesn't have to care about GDPR as long as they don't have a presence in the EU.
The fact that websites put a cookie wall for everyone is the strategy of said websites to make everyone think they are victims of GDPR, but that is not true. If you don't want to put a cookie wall, the easiest option for everyone is to not gather personal data.
EU TERREG changes the scope so that the location no longer matters and it applies to services with a "significant" user base of EU citizens. It essentially means that, to opt out from having to support a 1hr SLA for content removal, services will have to check papers of all users to ensure they are not EU citizens.
Nearly everyone gets GDPR territorial scope wrong and whose data it applies to wrong.
Where GDPR applies is covered in Article 3, "Territorial scope". In what follows I'm going to use the term "processor" to refer to those processing or holding data or controlling those who process or hold data. GDPR makes the distinction but in most places the same rules apply to both.
1. GDPR applies if the processor is "in the Union", regardless of whether or not the processing takes place in the Union.
2. GDPR applies regardless of the location of the processor if they are processing the data of people who are in the Union if the processing is related to:
(a) the offering of goods or services (paid or free) to people in the Union, or
(b) the monitoring of their behavior as far as their behavior takes place within the Union.
Some things to note that are often overlooked.
1. It says "in the Union", not "citizen", not just in Article 3 but everywhere in GDPR. An Italian citizen living in Nepal is equivalent to a Nepalese citizen living in Nepal. (And it goes the other way around, too...a Nepalese citizen living in Italy would be equivalent to an Italian citizen living in Italy as far as GDPR goes).
2. If people in the Union come to your website and you either offer them goods and services or you monitor behavior of theirs that takes place in the Union, then the EU considers GDPR to apply.
Whether or not you have to care about that is complicated, because even if the EU does not have the power to directly enforce it against you, they may have indirect power. For example, a place I worked collected tax on online sales of digital goods in Europe, even though there was no way the EU could make us do so, because our payment processor required us to collect taxes of the jurisdiction the customer was in.
One of the recitals says that when it comes to offering goods and services, what matters is whether you envisage offering them. The fact that people in the EU can reach a Nepalese website would not be sufficient on its own--what the EU would look at is whether the site did things like localize to EU languages (that aren't common in Nepal), accepted EU currencies, advertised in the EU, and things like that.
If you aren't intending to offer goods and services in the EU, and aren't doing things EU specific to make it easier and more likely that people in the EU will use your goods and services, then you probably don't have to worry about the 2(a) "offering goods and services" basis for GDPR territorial scope.
It's the 2(b) one that is the big worry, monitoring behavior that takes place in the Union. As written that is pretty open ended. It is not at all obvious what kind of behavior is behavior that takes place in the Union. There's nothing in the relevant recital about "envisages" with that one, so it appears that if you are doing something that counts as tracking behavior that takes place wherever the visitor is from, then GDPR is something you have to worry about if people in the EU can visit your site.