I’m not sure why this doesn’t come up more, but the EU does not have any authority to force non-EU companies to do anything. Please stop pretending that GDPR affects US companies not operating in the EU.
Every major consumer tech company that comes to mind is operating in EU. Facebook, Google, Twitter, Apple, Microsoft, Amazon, etc all are under EU authority in this regard despite being headquartered in USA; they have a sizeable business, thousands of employees and billions of assets in EU.
Also, if your SaaS company is selling globally (which is true for most large SaaS) then if your B2B customers are in EU, they'll require GDPR compliance if they're going to use your service for any customer data. So companies like Dropbox, Stripe, Mailchimp, Salesforce, etc are also affected and have already stated the steps they'll take to be GDPR compliant.
Because we live in a global world. Why would you build a startup to only be capable of NOT working in the EU? When building a company, if you want to have any dealings with EU companies (and there are a lot of those), it just makes sense to adopt the most strict framework and deal with it.
For the same reason you typically don't optimize for the Chinese market even though it's also huge.
There is a significant cost to compliance, even if you do it right from the very beginning (assuming it's even possible for GDPR right now), and for a lot of startups it's not worth it to spend time on that because they'll most likely be dead for unrelated reasons before they get any significant amount of GDPR clients.
It makes more sense to spend the effort on not dying instead of chasing incremental gains in markets with complicated regulatory requirements, unless dealing with those is explicitly your business proposition.
>Why would you build a startup to only be capable to NOT work in EU.
Because adopting the lowest common denominator (GDPR etc.) won't let you grow as quickly, and you might not need the EU market to reach your personal and business goals, or your point of exit.
It might make more sense to split into an EU division once you can really afford it and are established in your main market. I think that this will happen; many will see the EU market just as a feature and an option to scale an already established business, even companies within the EU. They might start in the US first, and block EU access.
Is it really that hard to implement the policies of the GDPR? The way I see it, it is basically breach notification and the right to access/delete data, which does not seem that difficult and probably not a burden for a startup to "not grow as quickly".
GDPR has its own, vague criteria for when it applies, and it's much more inclusive than the typical criteria for a nexus.
For example, things like the company actively seeking out clients in EU countries, or offering the service in EU countries' languages, make it more likely that EU will consider the company to be subject to GDPR even if it has no presence in the EU.
It seems to me that EU is overstepping their jurisdiction here, but I really don't know how international law works.
It's a balancing act. If you're a Canadian company (or have a Canadian subsidiary, I assume), adding French to support Quebec is not enough to show that you're targeting EU customers[1], but if you add French and payments in Euro, that might be.
What if you are servicing non-EU citizens in EU countries? Or EU citizens in non-EU countries?
An EU citizen buying a product in the US, while in the US, doesn’t pay EU VAT on that product. So it follows that they also wouldn’t be “protected” by European law, despite the color of their passport. US citizens aren’t protected by HIPAA when getting medical care in Britain or France.
Further irony is that many Europeans complain about US “imperialism” in areas such as foreign policy and intellectual property, yet get positively ecstatic over the idea of the EU claiming jurisdiction over companies or users that aren’t in the EU.
Being an EU citizen in the United States using an American product doesn’t make that American product subject to EU law — it doesn’t matter how bad people want to believe that is so.
When in a country, you are subject to that country’s laws; you don’t get to bring your home country’s laws with you — except under treaty agreements.
It does affect US companies where either they, their staff, or their customers have sufficient ties to the EU for the EU to exert their authority, and where the GDPR applies by its own terms. Which is more US companies than many think.
Whether "not operating in the EU" is a different threshold than the above is a semantic argument that's less interesting to me than the substantive ones.
I agree. The US is an independent country. The way international law works is only if we have similar law here. Like trademark agreements. Or like China can sue you to post pro-gay things online in Cantonese. That makes no sense.
If you do business with people in the EU, the EU has jurisdiction. That doesn't mean they can enter the US to arrest someone, but they can (for example) tell payment processors in the EU to stop accepting any payments to the company.
An argument has been made that while you may be US only, your bank probably wishes to maintain good relations with the EU and might hand over your money on its behalf.