No Privacy Policy in D tools (dmd, dub, phobos, etc)

Adam Wilson flyboynw at gmail.com
Sun Jan 28 03:41:34 UTC 2024


On Thursday, 25 January 2024 at 15:21:25 UTC, Danny Arends wrote:
> On Thursday, 25 January 2024 at 00:15:57 UTC, Adam Wilson wrote:
>> IANAL either, but I did the GDPR compliance engineering for my 
>> team's product at MSFT. The basic principle is that, unless the 
>> service is physically hosted in the EU, GDPR has no legal 
>> force. If a European connects to a US hosted service, they can 
>> have no legal expectation that GDPR regulations will be 
>> followed and if they do it is as a courtesy and no action may 
>> be brought under the GDPR.
>>
> Erm, IANAL either, but the GDPR does apply to US companies that 
> want to operate inside the EU, since the regulation is 
> extra-territorial in scope[1]. Basically any 
> company/organisation outside of the EU storing/processing 
> information about EU nationals (or non-EU nationals living in 
> the EU) should be aware that they do run the risk of being 
> fined for non-compliance with the GDPR.

If you read the first paragraph again, that's what I said.

The confusion stems from people in the EU incorrectly believing 
that "operating in" is the same as "accessible in". The fact that 
a website/service is accessible in the EU does not mean that the 
service is "operating in" the EU.

At a more fine-grained level, if Product A complies with GDPR but 
Product B does not, then so long as the non-compliant Product B 
is not made available in the EU, then there is no GDPR violation. 
GDPR only applies to services that are *offered* to EU citizens. 
The EU cannot mandate that products not offered in the EU comply 
with EU regulations simply because that business has operations 
in the EU.

By way of similar example, Windows N is the version of Windows 
offered in the EU to comply with the outcomes of some media 
lawsuits in the EU. In the US, we don't have the crippled "N" 
versions; you can only get them from MSDN for testing purposes. 
The EU can only mandate compliance on software that was sold to 
Europeans; they could not force their regulations on versions 
sold in the US. The same principle applies to GDPR.

At MSFT it was easy; MSFT has strict internal deployment controls 
to make sure we didn't deploy non-compliant products into the EU. 
When the GDPR compliance paperwork was complete, we flipped a 
switch and the product went live in the EU.

In the case of DLF, because there are no operations in the EU, as 
the websites are hosted outside the EU, GDPR has no force. Simple 
accessibility is insufficient. There are certainly plenty of 
other reasons to have a Privacy Policy, and to make sure it is 
followed, but GDPR isn't one of them.

And as somebody else pointed out, it looks like the DLF is too 
small (under 250 people) for the GDPR to apply in any case.
