This is a quote from another forum:
" For what's its worth I'm a Partner at a law firm with offices in the UK and I specialise in Privacy law, there is nothing in the GDPR that would mean they cant offer this to people in Europe. I work with clients in Canada less often, but the overlap is enough to suggest that same would be true, especially since the more recent legal changes there. Unless they are being advised horribly, or are incredibly risk averse, this isn't (or shouldn't be) a privacy law reason.
They are already subject to all relevant European privacy laws on account of their extra territorial scope unless they can argue they do not offer their services for sale at all to people located in the EU and that they do not monitor or profile those people (who still has MDE location tracking set to always...).
If they do use a company structure to avoid that reach (which I have to say would be my recommendation) there is nothing to stop them offering the passes through the same local company entities (which again would already be subject to and having to comply with these laws) and taking advantage of the same structure.
If it is a privacy law reason, (ie they think they need better contracts, policies or procedures first to meet those obligations) it's something they should be able to change in the short to medium term. Heck, I'll do it for them at no cost if it sorts this out (how often do you hear a lawyer say that )
Least fun post I'll ever make, but it's not often I have anything useful work wise to add to the conversations on here! "
" For what's its worth I'm a Partner at a law firm with offices in the UK and I specialise in Privacy law, there is nothing in the GDPR that would mean they cant offer this to people in Europe. I work with clients in Canada less often, but the overlap is enough to suggest that same would be true, especially since the more recent legal changes there. Unless they are being advised horribly, or are incredibly risk averse, this isn't (or shouldn't be) a privacy law reason.
They are already subject to all relevant European privacy laws on account of their extra territorial scope unless they can argue they do not offer their services for sale at all to people located in the EU and that they do not monitor or profile those people (who still has MDE location tracking set to always...).
If they do use a company structure to avoid that reach (which I have to say would be my recommendation) there is nothing to stop them offering the passes through the same local company entities (which again would already be subject to and having to comply with these laws) and taking advantage of the same structure.
If it is a privacy law reason, (ie they think they need better contracts, policies or procedures first to meet those obligations) it's something they should be able to change in the short to medium term. Heck, I'll do it for them at no cost if it sorts this out (how often do you hear a lawyer say that )
Least fun post I'll ever make, but it's not often I have anything useful work wise to add to the conversations on here! "