I'm from Europe, I have 2 (B2B) projects on pause because of GDPR concerns. Potential clients were literally harassing me to release one of them, but a 10M euro fine didn't seem worth it...<p>If I wanted to just ignore GDPR could I incorporate a company outside of Europe's jurisdiction? Would that be "legal"? Can a company incorporated outside of Europe actually be fined by Europe and can the fine be enforced?<p>For example I see that Lusha is incorporated in NYC/Israel and they seem to be doing fine even though they definitely aren't GDPR friendly. (I also just noticed they have a German office which seems pretty weird but whatever)<p>Does anyone here have experience with that?
Is there a particular part of the GDPR that you find challenging?<p>I can see a few clear problems with this plan in general:<p>If you do this successfully at scale, and have any EU customers, the EU will eventually make a very good go at fining you - they fine lots of people (<a href="https://www.enforcementtracker.com/" rel="nofollow noreferrer">https://www.enforcementtracker.com/</a>). If you attempt to actively refuse to pay fines from a governmental organization at this scale, there's a good chance you will personally get in very hot legal water. I would not recommend it.<p>Even ignoring this, GDPR is not just an EU thing. The UK, Switzerland, Canada, Brazil, Israel, South Korea, Argentina, Japan, New Zealand, Indonesia, Uruguay all have substantial data protection laws that are at least equivalent to the GDPR's requirements & penalties (i.e. formally recognized as providing GDPR-adequate protection by the EU). There are many other data protection laws elsewhere too that might not match GDPR, but do still include very significant requirements, e.g. in California & China.<p>You mention Lusha - notably they explicitly claim to be GDPR compliant (<a href="https://www.lusha.com/legal/gdpr/" rel="nofollow noreferrer">https://www.lusha.com/legal/gdpr/</a>) and they're formally registered as a data broker in California under the CCPA there. I can't comment on whether they're right, but they certainly aren't trying to ignore GDPR & data protection entirely. Time will tell whether that works.<p>To be honest, I think you're fighting obvious prevailing strong currents. Even if there's technically a way to run a business ignoring data protection now, the direction of travel is clear and consistent globally (albeit at different speeds). Any loopholes are going to be steadily closed up, and blatantly collecting private data to profile & track people is going to be illegal for businesses everywhere in the not too distant future.
It's not a good foundation for a business.<p>I would prioritise finding a way to build your business without using other people's data without consent. It's rarely impossible, it mostly just requires a change in mindset, and once you're used to it it's often not even particularly challenging.